Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Default policy setting with iptables
  • From: Bastian Friedrich <bastian@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 17 Mar 2005 18:42:02 +0100
  • Message-id: <200503171842.07921.bastian@xxxxxxxxxxxxxxxxxxxx>

On Thursday 17 March 2005 16:25, Felix Günther wrote:
> Stefan.Junge@xxxxxxxxxxxxxxx schrieb:
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -X
> You flush the tables (iptables -F) after you set your Policies. You
> should exchange these two blocks: First flush, then set the policies.

No, you should not. You would open a race condition otherwise (intrusion
between "opening" everything). It works the way Stefan tried:

han:~ # iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
han:~ # iptables -P FORWARD DROP
han:~ # iptables -F FORWARD
han:~ # iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination

(in other words: flushing a chain does _not_ "reset" its default


1) As you don't post your complete script, it's difficult to find
anything wrong. The "my_dump" chain is not accessed in your excerpt. It
remains open whether just the logging fails, or the chain is not
entered at all. You might consider configuring syslog for "kern.*"
instead of "Kern.*" (or even better, use --log-level {whatever} and
configure syslog accordingly). Although syslog in fact seems to be
case-insensitive in this respect, lower case is "more correct[tm]".

2) So what is happening to the default policy? Does it remain ACCEPT?
Have you tried to do some "iptables -L" during the script to see where
the policy is "changed back", whether it is set at all, ...?


Bastian Friedrich bastian@xxxxxxxxxxxxxxxxxxxx
Address & Fon available on my HP
\ MS Windows -- From the people who brought you EDLIN!
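The ordering Bastian argues for, written out as a complete reset script. This is an added example and not code from anyone in the thread: it sets the default policies to DROP, flushes, then rebuilds a minimal rule set and a logging chain, and finally checks that the policies stuck. It goes beyond the quoted excerpt by adding the lo/ESTABLISHED/SSH rules that make the host usable after the flush; the SSH port, the rate limit, the log prefix and the chain name my_dump are assumptions. IPT=echo is a dry-run hook so the order of operations can be inspected without root or a kernel with netfilter.

```shell
#!/bin/sh
# Added example (not from the original thread): reset iptables without ever
# leaving the host open. IPT defaults to iptables; set IPT=echo to dry-run
# and print the command stream instead of changing the kernel tables.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumed admin port

firewall_reset() {
    # 1. Close the door first. The existing rules keep matching until the
    #    flush below, so this step opens nothing.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # 2. Now flush. Flushing removes rules and user chains but leaves the
    #    policies set in step 1 untouched, so the window is DROP, not ACCEPT.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X

    # 3. Rebuild, most critical first: loopback, replies to existing
    #    connections, then the admin port.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT  -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # 4. Log what is about to fall through to the DROP policy. An explicit
    #    --log-level means syslog can select these lines as kern.info instead
    #    of relying on the default priority. Chain name and prefix are assumed.
    "$IPT" -N my_dump
    "$IPT" -A my_dump -m limit --limit 5/min -j LOG --log-level info \
        --log-prefix "FW DROP: "
    "$IPT" -A my_dump -j DROP
    "$IPT" -A INPUT -j my_dump
}

# Verify the result the way the thread suggests: count chains that report
# "policy DROP" in iptables -L (three expected for the filter table).
firewall_check() {
    "$IPT" -L -n | grep -c 'policy DROP'
}

# Dry-run check of the ordering: prints the 1-based position of the first
# "-P INPUT DROP" and of the first bare "-F" in the command stream; the
# policy line must come first.
order_check() {
    ( IPT=echo; firewall_reset ) | awk '
        /-P INPUT DROP/ && !p { p = NR }
        /^-F$/          && !f { f = NR }
        END { print p, f }'
}
```

Run it as one script, never line by line from an interactive session: between the flush in step 2 and the rules in step 3 every packet, including those of the admin's own SSH connection, hits the DROP policy. TCP retransmits across a window of a few milliseconds, so a script survives it; a typist pausing after the flush may not.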