[plug] iptables configuration : Accept for Drop by default
Tim Bowden
tim.bowden at mapforge.com.au
Fri Oct 26 14:19:51 WST 2012
On Fri, 2012-10-26 at 13:42 +0800, Alexander Hartner wrote:
> Typically I would configure iptables to have a policy of DROP to
> prevent all access and then to allow specific port to go through:
>
> # iptables -L -n
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
<snip>
This ACCEPT line will catch all traffic, so no rule past this point will
have any effect. Policy won't even matter. You're letting everything
through.
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
You're rejecting every packet trying to forward through your host. Fair
enough (unless you run some virtual machines that need network access).
Again, policy doesn't matter (but still good to set it in case the rules
get changed).
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
You're sending everything out. Shouldn't be a problem for a single
system if you're sure it's not going to be compromised (and become an
origin for spam etc.), but on a network gateway you might want to be a
bit more selective; i.e., less trusting of what's generated from within
your network.
>
> However, recently I encountered a system which has its policy set to
> ACCEPT
>
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> …
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
REJECT all stops all traffic not already accepted. This last line is
effectively the same as setting policy to REJECT. Again, chain POLICY
won't be used unless this line is deleted or changed.
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> I was wondering if this system is secure at all and just badly
> misconfigured. For some reason it seems to kind of work as traffic is
> being blocked. Maybe I just don't understand this properly. Any
> pointers in the right direction would really help me out.
>
>
> Thanks in advance
> Alex
I'd rather the second system than yours. Just saying. ;)
If you want to test rules, it can be a good idea to create user defined
chains and set that as the target for certain types of traffic. That
way it is easy to count packets without having to do logging, or to
provide more fine grained logging.
HTH,
Tim Bowden
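As an added illustration (not part of the thread), a small Python model of iptables first-match evaluation: it parses constructed copies of the two INPUT listings quoted above and shows that the chain policy only decides packets that no rule matched, which is why a leading "ACCEPT all" or a trailing "REJECT all" makes the policy irrelevant. The bare "ACCEPT all" line of the second system is left out of the copy, since `iptables -L -n` without `-v` hides interface matches and that rule may well be restricted to `-i lo`.

```python
import re

# Constructed copies of the two INPUT listings quoted in the thread. The bare
# "ACCEPT all" line of the second system is omitted (likely an -i lo rule).
ALEX_INPUT = """Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
"""
OTHER_INPUT = """Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

def parse_chain(listing):
    """Return (policy, rules); a rule keeps target, prot and optional states/dport."""
    lines = listing.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." and column-header lines
        fields = line.split()
        rule = {"target": fields[0], "prot": fields[1]}
        if m := re.search(r"state (\S+)", line):
            rule["states"] = set(m.group(1).split(","))
        if m := re.search(r"dpt:(\d+)", line):
            rule["dport"] = int(m.group(1))
        rules.append(rule)
    return policy, rules

def matches(rule, pkt):  # pkt: dict with prot, conntrack state, optional dport
    if rule["prot"] != "all" and rule["prot"] != pkt["prot"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return "dport" not in rule or pkt.get("dport") == rule["dport"]

def verdict(listing, pkt):
    """First matching rule decides; the chain policy applies only if none matched."""
    policy, rules = parse_chain(listing)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def policy_reachable(listing):
    """False once a rule with no match criteria (e.g. "ACCEPT all") is present."""
    _, rules = parse_chain(listing)
    return not any(r["prot"] == "all" and len(r) == 2 for r in rules)
```

Running `verdict(OTHER_INPUT, {"prot": "tcp", "state": "NEW", "dport": 80})` gives REJECT despite the ACCEPT policy, while the same packet against ALEX_INPUT is accepted despite the DROP policy.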