Re: DROP policy, serious vulnerability?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: dE <de.techno@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: DROP policy, serious vulnerability?
Date: Thu, 19 Mar 2015 12:51:13 +0530	[thread overview]
Message-ID: <550A78E9.8040708@gmail.com> (raw)
In-Reply-To: <201503190243.44018.neal.p.murphy@alum.wpi.edu>

On 03/19/15 12:13, Neal Murphy wrote:
> On Thursday, March 19, 2015 01:51:44 AM dE wrote:
>> Hi!
>>
>> I'm using the drop policy for iptables using the following --
>>
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>> iptables -A INPUT -p tcp -j ACCEPT
>> iptables -A INPUT -p udp -j ACCEPT
>> iptables -A INPUT -p tcp ! -i lo -m multiport --dports 0:79,81:65535 -m
>> state --state NEW -j DROP
>>
>> Unfortunately, in this configuration, none of the ports get blocks.
>>
>> This implies that after an ACCEPT, further rules are not matched. Is
>> this a bug or intended by design?
>>
>> If this is by design, how am I supposed to use modules like connlimit
>> with DROP policy.
> By design. Once a packet is accepted, no more rules are processed. To do
> otherwise would be akin to continuing to execute a program after an exit()
> statement.
>
> In a mathmetical sense, netfilter rules are not commutative. Nor are they
> sorted into a most-specific to most-general order.
>
> Rules are processed in the order in which they are added. Because you added a
> rule that ACCEPTS all TCP packets before the rule that REJECTs certain TCP
> packets, the prior rule always fires on TCP packets and the latter rule never
> fires.
>
> If you want to affect specific packets, you must add such rules before you add
> the broader-reaching rules. Or you must insert such rules ahead of the broader
> rules.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Ok, thanks everyone for the quick response!

Hope this help others too.

next prev parent reply	other threads:[~2015-03-19  7:21 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-19  5:51 DROP policy, serious vulnerability? dE
2015-03-19  6:43 ` Neal Murphy
2015-03-19  7:21   ` dE [this message]
2015-03-19 11:25 ` André Paulsberg-Csibi
2015-03-19 11:34   ` Noel Kuntze

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=550A78E9.8040708@gmail.com \
    --to=de.techno@gmail.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.