* iptables -F & iptables -X good enough *for all* tables/chains?
@ 2002-06-24 18:41 Christian Seberino
2002-06-24 18:45 ` Default DROP policy for mangle and nat in iptables necessary/wise? Christian Seberino
2002-06-24 18:47 ` iptables -F & iptables -X good enough *for all* tables/chains? Ed Street
0 siblings, 2 replies; 12+ messages in thread
From: Christian Seberino @ 2002-06-24 18:41 UTC (permalink / raw)
To: netfilter
iptables -F
iptables -X
These simple 2 lines seem good enough to
nuke *all* rules and *all* user defined chains.....
Yet, in print (like Linux Firewalls book) I often
see people wanting to apply -F and -X to
*every single table one by one*
(e.g. iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
etc.)
Am I missing something? My simple 2 lines above
seem good enough to do the trick.
Chris
--
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.
Phone: (619) 553-7940
Fax: (619) 553-2836
Email: seberino@spawar.navy.mil
_______________________________________
^ permalink raw reply [flat|nested] 12+ messages in thread
* Default DROP policy for mangle and nat in iptables necessary/wise?
From: Christian Seberino @ 2002-06-24 18:45 UTC (permalink / raw)
To: netfilter
Linux Firewalls book assigns a default drop policy
to mangle and nat tables.
I could not get DROP policy to work on these
tables and I am skeptical this serves any useful
purpose anyway since packets must all traverse
filter table anyway.
Is the author of Linux Firewalls on drugs or is
this really useful somehow?? (assuming you can
get it to work)
Chris
* RE: iptables -F & iptables -X good enough *for all* tables/chains?
From: Ed Street @ 2002-06-24 18:47 UTC (permalink / raw)
To: 'Christian Seberino', netfilter
Hello,
Well first off the regular expression of iptables -F will NOT flush the
specific tables i.e. nat/mangle/filter. However, if you are NOT using
those tables it's pointless to -F as there's nothing there. In general
it's a good idea and a good habit to get into using.
To test your theory you need some rules in any of those three tables.
Do the iptables -F and then run iptables -t nat -L -n; you will see the
rules are still there.
Ed
* RE: Default DROP policy for mangle and nat in iptables necessary/wise?
From: Ed Street @ 2002-06-24 19:02 UTC (permalink / raw)
To: 'Christian Seberino', netfilter
Hello,
Is there any distinction made between PREROUTING and POSTROUTING for the
drop policy?
Try this.
"$IPTABLES" -t nat -P PREROUTING DROP
"$IPTABLES" -t nat -P POSTROUTING DROP
It *DOES* work and it's highly effective.
Ed
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Christian Seberino @ 2002-06-24 19:57 UTC (permalink / raw)
To: Ed Street; +Cc: netfilter
Ed
Thanks for the reply. I can accept that -F is necessary
*for every single table separately*.
User defined chains are *not* tied to specific tables
as far as I can tell. Is there any value in doing
iptables -t nat -X
iptables -t mangle -X
iptables -t filter -X
rather than just iptables -X???
Linux Firewalls book has the three line method instead of iptables -X.
Chris
On Mon, Jun 24, 2002 at 02:47:50PM -0400, Ed Street wrote:
> Hello,
>
> Well first off the regular expression of Iptables -F will NOT flush the
> specific tables i.e. nat/manglefilter. However, if you are NOT using
> those tables it's pointless to -F as there's nothing there. In general
> it's a good idea and a good habit to get into using.
>
> To test your theory you need some rules in any of those three tables.
> Do the iptables -F and then run iptables -t nat -L -n you will see the
> rules are still there.
>
> Ed
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Ramin Alidousti @ 2002-06-24 20:27 UTC (permalink / raw)
To: Christian Seberino; +Cc: Ed Street, netfilter
If you don't specify the '-t' then it will be '-t filter' by default.
Follow the following, it should give you the insight you need:
root@localhost# iptables -N test
root@localhost# iptables -A test -j DNAT --to 10.100.100.100
iptables: Invalid argument
root@localhost# iptables -A test -t nat -j DNAT --to 10.100.100.100
iptables: No chain/target/match by that name
root@localhost# iptables -X test
root@localhost# iptables -N test -t nat
root@localhost# iptables -A test -j DNAT --to 10.100.100.100
iptables: No chain/target/match by that name
root@localhost# iptables -A test -t nat -j DNAT --to 10.100.100.100
root@localhost#
Ramin
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Antony Stone @ 2002-06-24 20:34 UTC (permalink / raw)
To: netfilter
On Monday 24 June 2002 8:57 pm, Christian Seberino wrote:
> Ed
>
> Thanks for the reply. I can accept that -F is necessary
> *for every single table separately*.
>
> User defined chains are *not* tied to specific tables
> as far as I can tell. Is there any value in doing
>
> iptables -t nat -X
> iptables -t mangle -X
> iptables -t filter -X
>
> rather than just iptables -X???
Depends what rules you've put into your user-defined chains.
If you've only used "-t filter" rules, you only need to delete with -X, but
if you've added some "-t nat" rules or "-t mangle" rules then you must use -X
-t nat or -X -t mangle to delete them.
Antony.
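The points settled in this subthread (a table-less iptables -F / -X only touches the filter table, so each table has to be flushed on its own, and the parallel question of where a default DROP policy belongs), as an added shell example. This is not code from the thread, from the Linux Firewalls book or from the iptables project. It only prints the commands so they can be reviewed before being run as root. The IPTABLES variable, the function names, the zeroing of counters with -Z and the use of /proc/net/ip_tables_names to enumerate whatever tables the kernel has loaded are assumptions of the example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): reset every loaded iptables table.
# Plain "iptables -F" / "iptables -X" act on the filter table only, so the
# flush commands are generated once per table. Review the output, then run
# it as root, e.g.:  sh reset.sh --show | sh
IPTABLES=${IPTABLES:-iptables}

# Tables the kernel currently has loaded, one per line.
# /proc/net/ip_tables_names is the kernel's own list (newer kernels may also
# show raw and security); fall back to the classic three if it yields nothing.
loaded_tables() {
    names=$(cat /proc/net/ip_tables_names 2>/dev/null)
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
    else
        printf '%s\n' filter nat mangle
    fi
}

# Print the flush (-F), delete-user-chains (-X) and zero-counters (-Z)
# commands for each table named on the command line.
reset_commands() {
    for t in "$@"; do
        printf '%s -t %s -F\n' "$IPTABLES" "$t"
        printf '%s -t %s -X\n' "$IPTABLES" "$t"
        printf '%s -t %s -Z\n' "$IPTABLES" "$t"
    done
}

# Print the default-policy commands. Flushing does not reset a chain's policy,
# so it is set explicitly. Only the filter table's built-in chains get DROP:
# every packet traverses filter, so that is where deny-by-default belongs.
# nat and mangle are left at their default ACCEPT; as the other subthread
# notes, a DROP policy in an otherwise empty mangle table drops everything.
policy_commands() {
    for c in INPUT FORWARD OUTPUT; do
        printf '%s -t filter -P %s DROP\n' "$IPTABLES" "$c"
    done
}

# Stand-alone use: show the full reset sequence for the loaded tables.
if [ "${1:-}" = "--show" ]; then
    reset_commands $(loaded_tables)
    policy_commands
fi
```

Because the script enumerates the loaded tables instead of hard-coding filter, nat and mangle, it also covers tables that did not exist when this thread was written, and it never tries to flush a table whose module is not loaded.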
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Ramin Alidousti @ 2002-06-24 21:19 UTC (permalink / raw)
To: Patrick Schaaf; +Cc: Christian Seberino, netfilter
On Mon, Jun 24, 2002 at 11:20:25PM +0200, Patrick Schaaf wrote:
> > User defined chains are *not* tied to specific tables
> > as far as I can tell.
>
> Huh? User defined chains are tied to the table they are created in.
> And I sometimes hate iptables for that...
Why? Reusability? What you do in mangle is not what you do in nat is
not what you do in filter so I see little if any reusability.
Or maybe you have other reasons to hate it ;-)
Ramin
> best regards
> Patrick
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Patrick Schaaf @ 2002-06-24 21:20 UTC (permalink / raw)
To: Christian Seberino; +Cc: netfilter
> User defined chains are *not* tied to specific tables
> as far as I can tell.
Huh? User defined chains are tied to the table they are created in.
And I sometimes hate iptables for that...
best regards
Patrick
* Re: Default DROP policy for mangle and nat in iptables necessary/wise?
From: Christian Seberino @ 2002-06-24 23:36 UTC (permalink / raw)
To: Ed Street; +Cc: netfilter
Ed
I don't have any "-t mangle" rules. Do you agree
that if I make default DROP policy for mangle table
that nothing will get thru???
The reason you can do:
> "$IPTABLES" -t nat -P PREROUTING DROP
> "$IPTABLES" -t nat -P POSTROUTING DROP
is because you have NAT rules that can get thru right?
Chris
* Re: Default DROP policy for mangle and nat in iptables necessary/wise?
From: Ramin Alidousti @ 2002-06-25 0:11 UTC (permalink / raw)
To: Christian Seberino; +Cc: Ed Street, netfilter
> I don't have any "-t mangle" rules. Do you agree
> that if I make default DROP policy for mangle table
> that nothing will get thru???
Sounds logical.
>
> The reason you can do:
>
> > "$IPTABLES" -t nat -P PREROUTING DROP
> > "$IPTABLES" -t nat -P POSTROUTING DROP
>
> is because you have NAT rules that can get thru right?
Yes.
> Chris
* Re: iptables -F & iptables -X good enough *for all* tables/chains?
From: Patrick Schaaf @ 2002-06-25 6:04 UTC (permalink / raw)
To: Ramin Alidousti; +Cc: Patrick Schaaf, Christian Seberino, netfilter
> > > User defined chains are *not* tied to specific tables
> > > as far as I can tell.
> >
> > Huh? User defined chains are tied to the table they are created in.
> > And I sometimes hate iptables for that...
>
> Why? Reusability? What you do in mangle is not what you do in nat is
> not what you do in filter so I see little if not at all reusability.
I often have user defined chains with nothing but a list of "-s IP -j ACCEPT"
in them. In a "higher level" chain, I select on protocol and port, jumping
to such an "IP address list" chain. It sometimes happens that I need the
exact same list of IP addresses both in the filter and nat/mangle tables,
and I have to duplicate them, then.
I hate it when I have to duplicate stuff needlessly.
On the other hand, as the chains are generated (e.g. by parsing
/etc/hosts.allow), it's not a problem to handle the situation,
and iptables cannot be changed to the "slightly better" behaviour
for compatibility reasons. So don't get me wrong: this is not
a feature request.
best regards
Patrick
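Patrick's duplicated address-list chains, as an added shell example that is not code from the thread or from the iptables project: because a user-defined chain exists only in the table it was created in, the same list is generated into each table from one source list rather than copied by hand, which is the approach he describes with chains built from /etc/hosts.allow. The chain name allowed_ssh, the sample addresses (RFC 5737 documentation ranges) and the helper names are constructed for the example; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): generate one "address list" chain
# (nothing but "-s ADDR -j ACCEPT" rules) into every table that needs it.
# User-defined chains belong to the table they were created in, so the list
# must exist once per table; generating every copy from one source keeps
# the copies identical.
IPTABLES=${IPTABLES:-iptables}

# Constructed sample list (documentation address ranges); a real script
# would build this from a file such as /etc/hosts.allow.
ALLOWED_HOSTS="192.0.2.10 192.0.2.11 198.51.100.0/24"

# Print the commands that create chain $2 in table $1 and fill it with one
# "-s ADDR -j ACCEPT" rule per remaining argument. A packet that matches
# none of the entries falls off the end and returns to the calling chain.
emit_list_chain() {
    table=$1; chain=$2; shift 2
    printf '%s -t %s -N %s\n' "$IPTABLES" "$table" "$chain"
    for addr in "$@"; do
        printf '%s -t %s -A %s -s %s -j ACCEPT\n' "$IPTABLES" "$table" "$chain" "$addr"
    done
}

# Print the same chain for every table in $1 (a space-separated list).
emit_list_chain_in_tables() {
    tables=$1; chain=$2; shift 2
    for t in $tables; do
        emit_list_chain "$t" "$chain" "$@"
    done
}

# Stand-alone use: the same list in filter and mangle, plus the higher-level
# rules that select on protocol and port and jump to the list in each table.
if [ "${1:-}" = "--show" ]; then
    emit_list_chain_in_tables "filter mangle" allowed_ssh $ALLOWED_HOSTS
    printf '%s -t filter -A INPUT -p tcp --dport 22 -j allowed_ssh\n' "$IPTABLES"
    printf '%s -t mangle -A PREROUTING -p tcp --dport 22 -j allowed_ssh\n' "$IPTABLES"
fi
```

Run with --show to see the generated rule set; each table gets its own -N and its own copy of the entries, which is exactly the duplication Patrick describes, but produced from a single list so the copies cannot drift apart.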