* question about table filter, nat and mangle with chain default policy
@ 2009-04-12 6:32 my mail
2009-04-12 7:11 ` Mart Frauenlob
0 siblings, 1 reply; 4+ messages in thread
From: my mail @ 2009-04-12 6:32 UTC (permalink / raw)
To: netfilter
I have rules like this
----- rule iptables -----
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
# Delete any user defined chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Reset default policy to ACCEPT
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy INPUT ACCEPT
$IPT -t mangle --policy FORWARD ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT
# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Default policy to DROP
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
#$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
#$IPT -t nat --policy POSTROUTING DROP
#$IPT -t mangle --policy PREROUTING DROP
#$IPT -t mangle --policy INPUT DROP
#$IPT -t mangle --policy FORWARD DROP
#$IPT -t mangle --policy OUTPUT DROP
#$IPT -t mangle --policy POSTROUTING DROP
# For SSH Connection into Firewall
$IPT -A INPUT -i $LAN_IF -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $LAN_IF -p tcp ! --syn -s $IPADDR --sport 22 --dport $SSH_PORTS -m state --state ESTABLISHED -j ACCEPT
---------- end rule --------------
This rule set is OK, because I can SSH into this machine. But if I remove the # from the default policy lines, like this:
# Default policy to DROP
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy INPUT DROP
$IPT -t mangle --policy FORWARD DROP
$IPT -t mangle --policy OUTPUT DROP
$IPT -t mangle --policy POSTROUTING DROP
I can't SSH into this machine. So is SSH using the nat and mangle tables to connect into this machine?
I'm a little bit confused about this: why can I SSH into this machine when I drop the nat and mangle tables?
Thanks in advance for your help
* Re: question about table filter, nat and mangle with chain default policy
2009-04-12 6:32 question about table filter, nat and mangle with chain default policy my mail
@ 2009-04-12 7:11 ` Mart Frauenlob
0 siblings, 0 replies; 4+ messages in thread
From: Mart Frauenlob @ 2009-04-12 7:11 UTC (permalink / raw)
To: netfilter
my mail wrote:
> I have rules like this
>
> ----- rule iptables -----
> # Remove any existing rules from all chains
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> # Delete any user defined chains
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> # Reset default policy to ACCEPT
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy INPUT ACCEPT
> $IPT -t mangle --policy FORWARD ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT
> $IPT -t mangle --policy POSTROUTING ACCEPT
>
> # Unlimited traffic on the loopback interface
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # Default policy to DROP
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
> #$IPT -t nat --policy PREROUTING DROP
> $IPT -t nat --policy OUTPUT DROP
> #$IPT -t nat --policy POSTROUTING DROP
> #$IPT -t mangle --policy PREROUTING DROP
> #$IPT -t mangle --policy INPUT DROP
> #$IPT -t mangle --policy FORWARD DROP
> #$IPT -t mangle --policy OUTPUT DROP
> #$IPT -t mangle --policy POSTROUTING DROP
>
> # For SSH Connection into Firewall
> $IPT -A INPUT -i $LAN_IF -p tcp --sport $SSH_PORTS -d $IPADDR --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -o $LAN_IF -p tcp ! --syn -s $IPADDR --sport 22 --dport $SSH_PORTS -m state --state ESTABLISHED -j ACCEPT
>
> ---------- end rule --------------
>
> This rule set is OK, because I can SSH into this machine. But if I remove the # from the default policy lines, like this:
>
> # Default policy to DROP
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
> $IPT -t nat --policy PREROUTING DROP
> $IPT -t nat --policy OUTPUT DROP
> $IPT -t nat --policy POSTROUTING DROP
> $IPT -t mangle --policy PREROUTING DROP
> $IPT -t mangle --policy INPUT DROP
> $IPT -t mangle --policy FORWARD DROP
> $IPT -t mangle --policy OUTPUT DROP
> $IPT -t mangle --policy POSTROUTING DROP
>
> I can't SSH into this machine. So is SSH using the nat and mangle tables to connect into this machine?
> I'm a little bit confused about this: why can I SSH into this machine when I drop the nat and mangle tables?
>
> Thanks in advance for your help
>
Don't set the policy to DROP in the mangle and nat tables.
Put the DROP policy only in the filter table.
greets
Mart
* Re: question about table filter, nat and mangle with chain default policy
@ 2009-04-12 10:00 my mail
2009-04-12 11:40 ` Amos Jeffries
0 siblings, 1 reply; 4+ messages in thread
From: my mail @ 2009-04-12 10:00 UTC (permalink / raw)
To: netfilter
--- On Sun, 4/12/09, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
From: Mart Frauenlob <mart.frauenlob@chello.at>
Subject: Re: question about table filter, nat and mangle with chain default policy
To: netfilter@vger.kernel.org
Date: Sunday, April 12, 2009, 7:11 AM
>
> Don't set the policy to DROP in the mangle and nat tables.
> Put the DROP policy only in the filter table.
> greets
> Mart
Thanks for your help, but why can't I set the policy to DROP in the mangle and nat tables?
Do the mangle and nat tables share chains with the filter table, or what is the reason?
Because, as I remember, processing in INPUT will not pass through the rules for OUTPUT and FORWARD.
Is that right, or have I misunderstood the iptables rules?
Thanks again...
* Re: question about table filter, nat and mangle with chain default policy
2009-04-12 10:00 my mail
@ 2009-04-12 11:40 ` Amos Jeffries
0 siblings, 0 replies; 4+ messages in thread
From: Amos Jeffries @ 2009-04-12 11:40 UTC (permalink / raw)
To: my mail; +Cc: netfilter
my mail wrote:
>
> --- On Sun, 4/12/09, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
>
> From: Mart Frauenlob <mart.frauenlob@chello.at>
> Subject: Re: question about table filter, nat and mangle with chain default policy
> To: netfilter@vger.kernel.org
> Date: Sunday, April 12, 2009, 7:11 AM
>
>>
>> Don't set the policy to DROP in the mangle and nat tables.
>> Put the DROP policy only in the filter table.
>
>> greets
>
>> Mart
>
> Thanks for your help, but why can't I set the policy to DROP in the mangle and nat tables?
> Do the mangle and nat tables share chains with the filter table, or what is the reason?
>
> Because, as I remember, processing in INPUT will not pass through the rules for OUTPUT and FORWARD.
>
> Is that right, or have I misunderstood the iptables rules?
>
> Thanks again...
>
The packet flow diagram can explain a lot more than any amount of text:
http://l7-filter.sourceforge.net/PacketFlow.png
... now imagine that the boxes labelled mangle::PREROUTING and
nat::PREROUTING had a DROP for all packets.
Which is configured like this:
$IPT -t mangle --policy PREROUTING DROP
$IPT -t nat --policy PREROUTING DROP
AYJ
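The point Amos makes with the diagram, and the question in the first post, can be reproduced with a small model of the traversal order. The following is an added example written for this page; it is not netfilter or iptables code and was not posted by anyone in the thread. It parses iptables-save style text (two constructed dumps mirroring the poster's working and broken policy settings), walks an inbound SSH SYN through the hooks in the order the kernel consults the tables (mangle, then nat, then filter; nat only for the first packet of a connection), and reports where the packet is dropped. It assumes the 2.6-era layout the thread discusses (no nat INPUT chain) and models only the -i, -p, --dport and --state matches; everything else in a rule is ignored.

```python
"""Added model (not netfilter or iptables code) of how a packet bound for a
local process walks the iptables tables.  Constructed for this thread to show
why a DROP policy in the mangle or nat table stops SSH before the filter
table's ACCEPT rule is ever consulted.
Assumptions: the 2.6-era hook layout discussed in the thread (no nat INPUT
chain) and a deliberately small rule matcher (-i, -p, --dport, --state)."""

# Tables consulted at each hook, in the order the kernel consults them:
# mangle first, then nat, then filter.  nat is only consulted for the
# first packet of a connection (conntrack state NEW).
LOCAL_IN_PATH = [
    ("PREROUTING", ["mangle", "nat"]),
    ("INPUT", ["mangle", "filter"]),
]

# Constructed iptables-save style dumps.  DUMP_WORKING mirrors the first
# ruleset in the thread (DROP policies only in filter, plus nat OUTPUT);
# DUMP_BROKEN mirrors the second, with a DROP policy in every chain.
DUMP_WORKING = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""
# Only policy lines carry "[0:0]", so this flips every policy and no rule.
DUMP_BROKEN = DUMP_WORKING.replace("ACCEPT [0:0]", "DROP [0:0]")


def parse_rule(tokens):
    """Turn the tokens after '-A CHAIN' into a dict of the options we model."""
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i] in ("-i", "-o", "-p", "--dport", "--sport", "--state", "-j"):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        elif tokens[i] == "-m":
            i += 2  # skip the match-module name; only 'state' is modelled
        else:
            i += 1  # unmodelled options ('!', '--syn', ...) are ignored
    return rule


def parse_save(dump):
    """Parse iptables-save text into {table: {'policy': {...}, 'rules': {...}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A"):
            tokens = line.split()
            tables[table]["rules"].setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return tables


def rule_matches(rule, pkt):
    """True if every modelled option of the rule matches the packet."""
    if "-i" in rule and rule["-i"] != pkt["in_if"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def chain_verdict(table, chain, pkt):
    """Verdict of one chain: target of the first matching rule, else the policy."""
    for rule in table["rules"].get(chain, []):
        if rule_matches(rule, pkt) and "-j" in rule:
            return rule["-j"]
    return table["policy"].get(chain, "ACCEPT")


def trace(tables, pkt):
    """Walk pkt along the local-delivery path.
    Returns (verdict, 'table::chain') naming where the verdict was reached."""
    last = None
    for hook, table_names in LOCAL_IN_PATH:
        for name in table_names:
            if name == "nat" and pkt["state"] != "NEW":
                continue  # conntrack hands only NEW connections to nat
            if name not in tables:
                continue
            last = f"{name}::{hook}"
            if chain_verdict(tables[name], hook, pkt) == "DROP":
                return "DROP", last
    return "ACCEPT", last


def audit_policies(tables):
    """Defender's check: every non-ACCEPT policy outside the filter table."""
    return sorted((t, c, p) for t, d in tables.items() if t != "filter"
                  for c, p in d["policy"].items() if p != "ACCEPT")


if __name__ == "__main__":
    ssh_syn = {"in_if": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
    for label, dump in (("working", DUMP_WORKING), ("broken", DUMP_BROKEN)):
        tables = parse_save(dump)
        print(label, trace(tables, ssh_syn), audit_policies(tables))
```

With the working dump the SYN reaches filter::INPUT and matches the port-22 rule; with the broken dump it never gets there, because mangle::PREROUTING's DROP policy is the first verdict on the path. The model also shows why the poster's uncommented nat OUTPUT DROP did no harm to inbound SSH: it is not on the inbound path, and nat is consulted only for NEW connections anyway. The audit_policies function is the check to run over real iptables-save output; the fix Mart suggests is for it to return an empty list.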