tommy_fila Guru
Posted: Thu Sep 22, 2005 2:45 am
Post subject: "iptables -L" lists wrong policies
I have the following iptables rules.
```sh
#!/bin/sh
# Set location of iptables
IPTABLES=/sbin/iptables
# Define interfaces
PUBLIC_IF="eth0"
# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F
# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X
# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# PDA Connection
$IPTABLES -A INPUT -i ppp0 -j ACCEPT
```
When I use "iptables -L" to list my current set of rules, I get the following output.
```text
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
Why are the first and last rules of the INPUT chain set to accept all packets? In reality, the first rule should only allow packets from trusted interfaces, and the last rule should allow connections from and to my PDA.
What is going on here? Does iptables -L just list the wrong rules?

_________________
"What goes on in life, that goes for eternity."
jamapii l33t
Posted: Thu Sep 22, 2005 8:41 am

iptables -L doesn't list the interface (-i and -o arguments)
eagle_cz Apprentice
Posted: Thu Sep 22, 2005 11:08 am

did you try
iptables -t mangle -L -nv
iptables -t nat -L -nv
?
just guess from littla komie :D
tommy_fila Guru
Posted: Thu Sep 22, 2005 2:08 pm

That did the trick! Thank you! :D
eagle_cz Apprentice
Posted: Thu Sep 22, 2005 2:20 pm

just to be perfect, here is the last one
iptables -t filter -L -nv
which is the same as
iptables -L -nv
because it lists just filter by default
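The point jamapii and eagle_cz make is that plain `iptables -L` hides the `in`/`out` interface columns, so the `-i lo` rule and a rule that really accepts everything print identically; only `-L -nv` tells them apart. The following is an added example, not code from this thread: a POSIX sh/awk check that reads `iptables -L -nv` output and reports ACCEPT rules that carry no restriction at all. The listing embedded in it is constructed for the example (the thread's rules plus one where `-i` was forgotten), and `audit_live` is a hypothetical helper for running the same check against the real table.

```sh
#!/bin/sh
# Added example: flag ACCEPT rules in "iptables -L -nv" output that carry no
# restriction at all (any proto, any in/out interface, any src/dst, no match).
# These are the rules plain "iptables -L" cannot distinguish from "-i lo".

# Column layout of "iptables -L -nv" for the filter table:
#  $1 pkts $2 bytes $3 target $4 prot $5 opt $6 in $7 out $8 source $9 destination [$10.. matches]
unqualified_accepts() {
    awk '
        /^Chain /    { chain = $2; next }   # remember which chain we are in
        $1 == "pkts" { next }               # skip the column header line
        NF == 9 && $3 == "ACCEPT" && $4 == "all" && $6 == "*" && $7 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            print chain ": " $0
        }
    '
}

# Constructed sample listing: the thread's rules, plus one rule (the fourth)
# where "-i" was forgotten, so it accepts from every interface.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Run the check against the constructed sample; prints only the forgotten-"-i" rule.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unqualified_accepts
}

# Hypothetical helper for a live box (needs root): -n skips DNS lookups,
# -v adds the interface columns the check depends on.
audit_live() {
    "${IPTABLES:-/sbin/iptables}" -t filter -L -nv | unqualified_accepts
}

audit_sample
```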
tommy_fila Guru
Posted: Thu Sep 22, 2005 7:13 pm

I realize this is somewhat unrelated, but I don't want to start up a new topic.
How can I log all dropped packets? Do I need to create a rule that identifies all dropped packets and logs them?
Thanks for the help.
eagle_cz Apprentice
Posted: Thu Sep 22, 2005 9:08 pm

if you drop packets at several places you can redirect to your custom chain
Then you will put 2 rules into your custom chain.
rule 1. log
rule 2. drop
tommy_fila Guru
Posted: Fri Sep 23, 2005 2:50 am

Could you elaborate on that? I don't really see what you mean.
Take my rules for example:
```sh
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
```
If the packet doesn't fit any of these descriptions, it should get logged.
Any ideas on how I can accomplish this?
tommy_fila Guru
Posted: Fri Sep 23, 2005 3:48 pm

I was thinking about doing the following, but I don't think it would work very well.
Right in front of every INPUT chain, I'd append a log chain that logs packets which don't match the following INPUT chain. So, for example.
```sh
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
```
Would become:
```sh
# Allow traffic from trusted interfaces
# Negation goes in front of the option: "! -i lo" matches every interface except lo
$IPTABLES -A INPUT ! -i lo -j LOG
$IPTABLES -A INPUT -i lo -j ACCEPT
```
Would this work properly? I have a feeling that it would log all packets not coming from "lo". I don't really want that either. I only want to log packets which don't match any of my input chains.
Any ideas?
DaveArb Guru
Posted: Fri Sep 23, 2005 4:26 pm

tommy_fila wrote:
> Could you elaborate on that? I don't really see what you mean.
> Take my rules for example:
> ```sh
> # Allow traffic from trusted interfaces
> $IPTABLES -A INPUT -i lo -j ACCEPT
> # Allow traffic from established connections
> $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Allow typical ICMP responses
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> ```
> If the packet doesn't fit any of these descriptions, it should get logged.
> Any ideas on how I can accomplish this?

Place an unqualified LOG line after all your accepts; this will log everything "falling out the bottom". Expect to watch carefully for a very large log file.
Dave
tommy_fila Guru
Posted: Fri Sep 23, 2005 6:09 pm

Ah! DaveArb, the master is back at it.
Let me see if I have this straight. Basically, the packet goes through the different chains. If it matches a chain, it gets accepted or dropped, and that's it. If it doesn't match any of the chains, it just keeps on going through until the end. So if I add a log chain to the end, then all packets that don't get accepted will get logged.
Next question:
You said the log files might get very large? Where are the log files? I thought the messages get logged with your system-logger?
DaveArb Guru
Posted: Sat Sep 24, 2005 3:21 pm

tommy_fila wrote:
> So if I add a log chain to the end, then all packets that don't get accepted will get logged.

Exactly correct. Iptables runs from top to bottom. Having a policy of DROP is effectively the same as having a last rule of DROP, so placing a LOG at the end will write everything that's going to be dropped to the log.

Quote:
> I thought the messages get logged with your system-logger?

That's correct too. Where the logs get written no doubt varies by what logger you use; on the sysklog install I just checked, they are in messages. About a 250-byte message for each log line.
Dave
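Combining eagle_cz's custom chain (rule 1 log, rule 2 drop) with DaveArb's unqualified LOG at the end of the chain, here is an added example script, not code from this thread: a LOGDROP chain that logs and then drops, appended as the last rule of INPUT and FORWARD so that everything "falling out the bottom" is recorded before the DROP policy discards it, and reusable from any other drop point in the ruleset. It reuses the thread's IPTABLES variable; the chain name, the `IPT-DROP:` prefix and the `-m limit` rate limit are my own choices, the last one added so Dave's "very large log file" cannot be provoked by a packet flood.

```sh
#!/bin/sh
# Added example: one log-then-drop chain shared by every drop point.
# Run as "sh logdrop.sh apply"; set IPTABLES=echo to print the commands
# instead of running them (the real binary needs root).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Create (or reset) the LOGDROP chain with exactly two rules:
#   rule 1: LOG, rate-limited so a flood cannot fill the syslog (my addition)
#   rule 2: DROP
setup_logdrop() {
    $IPTABLES -N LOGDROP 2>/dev/null || $IPTABLES -F LOGDROP
    $IPTABLES -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
    $IPTABLES -A LOGDROP -j DROP
}

# Append the jump as the LAST rule of each chain whose policy is DROP.
# Rules run top to bottom, so only packets no ACCEPT rule matched reach it:
# exactly the set the DROP policy would otherwise discard silently.
# This must run after all the ACCEPT rules have been added.
install_tail() {
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -j LOGDROP
    done
}

# Any explicit drop elsewhere in the ruleset can jump to the same chain, e.g.
#   $IPTABLES -A INPUT -i "$PUBLIC_IF" -p tcp --dport 23 -j LOGDROP
# so it is logged with the same prefix and rate limit.

case "${1:-}" in
    apply) setup_logdrop; install_tail ;;
esac
```

The logged lines land wherever the system logger sends kernel messages (on Dave's sysklog install, `messages`); the `IPT-DROP:` prefix makes them easy to grep for.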
tommy_fila Guru
Posted: Sat Sep 24, 2005 5:44 pm

Perfect. I'm going to try adding the log line to the end.
About the log files getting too large -- I thought the log files automatically stay a certain size by just erasing the old logs.
DaveArb Guru
Posted: Sun Sep 25, 2005 3:04 pm

tommy_fila wrote:
> I thought the log files automatically stay a certain size by just erasing the old logs.

sysklog doesn't do this automatically; I use logrotate to perform this task. Perhaps other system loggers do autotrim their files?
Dave