Default policy setting with iptables
Hello,

I have got a question concerning setting up a default policy with iptables. There is a system with kernel 2.6. I have configured a rule set in a script which will be loaded at boot time. On SuSE 8.2 there was the same rule set, and it works. Now, with the kernel 2.6:

1. I do not get any logging as configured in syslog:
   Kern.* /var/log/firewall
2. The default policy is not set as I have expected.

Here is the beginning:

Some basics ...

And then ...

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -t nat -F
iptables -X

# =======================================================================
# Loopback Devices
# =======================================================================
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# =======================================================================
# DROP & LOG Chain
# =======================================================================
iptables -N my_drop
iptables -A my_drop -p icmp -j LOG --log-prefix "DROP-ICMP "
iptables -A my_drop -p udp -j LOG --log-prefix "DROP-UDP "
iptables -A my_drop -p tcp -j LOG --log-prefix "DROP-TCP "
iptables -A my_drop -j DROP

.... Rules for SSH, http ...

What could be wrong?

Regards,
Stefan Junge
Hi,

Stefan.Junge@ssi-schaefer.de wrote:

> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -F
> iptables -t nat -F
> iptables -X

You flush the tables (iptables -F) after you set your policies. You should exchange these two blocks: first flush, then set the policies.

But: this hasn't changed from kernel 2.4 to 2.6, as far as I know...

Regards,
Felix Günther
Hi,

On Thursday 17 March 2005 16:25, Felix Günther wrote:

> Stefan.Junge@ssi-schaefer.de wrote:
>
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> > iptables -F
> > iptables -t nat -F
> > iptables -X
>
> You flush the tables (iptables -F) after you set your policies. You should exchange these two blocks: first flush, then set the policies.

No, you should not. You would open a race condition otherwise (intrusion between "opening" everything). It works the way Stefan tried:

han:~ # iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
han:~ # iptables -P FORWARD DROP
han:~ # iptables -F FORWARD
han:~ # iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination

(in other words: flushing a chain does _not_ "reset" its default policy)

----------------

Stefan,

1) As you don't post your complete script, it's difficult to find anything wrong. The "my_drop" chain is not accessed in your excerpt. It remains open whether just the logging fails, or the chain is not entered at all. You might consider configuring syslog for "kern.*" instead of "Kern.*" (or even better, use --log-level {whatever} and configure syslog accordingly). Although syslog in fact seems to be case-insensitive in this respect, lower case is "more correct[tm]".

2) So what is happening to the default policy? Does it remain ACCEPT? Have you tried to do some "iptables -L" during the script to see where the policy is "changed back", whether it is set at all, ...?

Bastian

--
Bastian Friedrich                      bastian@bastian-friedrich.de
Address & phone available on my HP     http://www.bastian-friedrich.de/
MS Windows -- From the people who brought you EDLIN!
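Added example (not from any poster in this thread): a small Python model of the filter table that replays the posted commands in both orders and checks the two points argued above, namely that "iptables -F" leaves a chain's policy alone, and that flushing before setting the DROP policies passes through intermediate states in which an unsolicited packet is still accepted. The trailing "iptables -A INPUT -j my_drop" line is an assumption standing in for the part of Stefan's script that was not posted, and the test packet is constructed.

```python
import shlex
class Chain:
    def __init__(self, policy="ACCEPT"):       # kernel default for the built-in chains
        self.policy, self.rules = policy, []   # rules: (match-dict, target) pairs, in order

class FilterTable:  # tracks -P, -F, -A; -N, -X and '-t nat -F' are no-ops in this model
    def __init__(self):
        self.chains = {n: Chain() for n in ("INPUT", "FORWARD", "OUTPUT")}
    def run(self, line):
        op, *rest = shlex.split(line)[1:]      # drop the leading 'iptables'
        if op == "-P":                         # -P CHAIN POLICY
            self.chains[rest[0]].policy = rest[1]
        elif op == "-F":                       # -F [CHAIN]: empties the rules, policy untouched
            for name in rest or list(self.chains):
                self.chains[name].rules.clear()
        elif op == "-A":                       # -A CHAIN [-i IF] [-p PROTO] -j TARGET ...
            opts = dict(zip(rest[1::2], rest[2::2]))
            match = {k: v for k, v in opts.items() if k in ("-i", "-o", "-p")}
            chain = self.chains.setdefault(rest[0], Chain(policy=None))  # user chain: no policy
            chain.rules.append((match, opts["-j"]))

    def verdict(self, chain, pkt):
        """First terminating match wins; a user chain with no match returns to the caller."""
        c = self.chains[chain]
        for match, target in c.rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                if target in self.chains:      # jump into a user-defined chain
                    v = self.verdict(target, pkt)
                    if v is not None:
                        return v
                elif target != "LOG":          # LOG is non-terminating; keep walking
                    return target
        return c.policy

def open_states(script, pkt, chain="INPUT"):
    """Replay script from kernel defaults; count intermediate states in which pkt is ACCEPTed."""
    table, hits = FilterTable(), 0
    for line in script:
        table.run(line)
        hits += table.verdict(chain, pkt) == "ACCEPT"
    return hits

POLICIES = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT DROP"]
FLUSH = ["iptables -F", "iptables -t nat -F", "iptables -X"]
RULES = ["iptables -A INPUT -i lo -j ACCEPT", "iptables -N my_drop",
         'iptables -A my_drop -p tcp -j LOG --log-prefix "DROP-TCP "', "iptables -A my_drop -j DROP",
         "iptables -A INPUT -j my_drop"]       # assumed: the unposted part that enters my_drop
STEFAN_ORDER = POLICIES + FLUSH + RULES        # policies set first, then flush (as posted)
FELIX_ORDER = FLUSH + POLICIES + RULES         # flush first, then policies (as suggested)
PKT = {"-i": "eth0", "-p": "tcp"}              # constructed: unsolicited inbound TCP on eth0
```

With the posted order, open_states(STEFAN_ORDER, PKT) is 0; with the flush-first order it is 3, one for each command between the flush and the first -P.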
Participants (3): Bastian Friedrich, Felix Günther, Stefan.Junge@ssi-schaefer.de