Linux Netfilter discussions
* Policy, why is it doing that
@ 2003-10-16 15:37 Britt Tabor
  2003-10-17 12:24 ` Ray Leach
  0 siblings, 1 reply; 2+ messages in thread
From: Britt Tabor @ 2003-10-16 15:37 UTC (permalink / raw)
  To: netfilter

Hello,

	I have a linux (slackware) box that I am running iptables on. I have masq. on and I have only one entry in the table. I currently have the policy for FORWARD set to ACCEPT. Here's the problem, if I set the policy to DROP it drops everything. No rules are looked at before dropping it just drops everything. Here is a list of my iptables.

bash-2.05# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
bash-2.05# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

With this everything is fine, but as you can tell there is no real security, because I ACCEPT all. However, if I set the policy on FORWARD to DROP, everything gets dropped regardless of rule entries. Previously I used ipchains; when a packet came in it would traverse the rule entries in the FORWARD list and if it didn't match anything it would apply the policy. With iptables it seems to be doing just the opposite. When packets come in it applies the policy first?

Is this the case? 
Britt Tabor
Edge Access, Inc.
btabor@edgeaccess.net
http://www.edgeaccess.net
813.594.6142 Voice
813.249.1126 Fax
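Editor's note on the question above. Netfilter does not consult the policy first: a packet walks the chain top to bottom, the first matching rule decides, and the policy is applied only to packets that matched nothing. What plain `iptables -L` hides is the per-rule interface (-i/-o) and state matches, so a rule that prints as "ACCEPT all -- anywhere anywhere" may in fact only match traffic in one direction, and the reply traffic then falls through to the policy. The two checks worth running are `iptables -L -v -n` (shows the in/out columns and per-rule counters, which move when a rule matches) and `iptables-save`, which prints every rule with its full match options. The model below is an added example, not code from the original post or from the netfilter project; the interface names, addresses and the two rulesets are constructed for the illustration, and the listing columns only approximate the real tool's output. It shows a chain whose single rule looks unrestricted in the plain listing but is interface-bound, the reply packet hitting the policy once that policy is DROP, and a hardened FORWARD chain that keeps the DROP policy while explicitly accepting replies (ESTABLISHED,RELATED) and new LAN-originated flows.

```python
# Added example (not from the original post): a small model of how netfilter
# evaluates a chain. Rules are tried top to bottom, the first match decides
# the verdict, and the chain policy is the fallback for packets no rule matched.
# It also mimics the difference between `iptables -L` and `iptables -L -v`:
# the plain listing omits the interface columns. Interface names, addresses
# and rulesets are constructed for the illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    state: str                 # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                                   # ACCEPT or DROP
    in_iface: Optional[str] = None                # -i; None means any
    out_iface: Optional[str] = None               # -o; None means any
    states: Optional[Tuple[str, ...]] = None      # -m state --state; None means any

    def matches(self, p: Packet) -> bool:
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface and p.out_iface != self.out_iface:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[Rule]

    def verdict(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First matching rule wins; the policy applies only when nothing matched."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.target, i
        return self.policy, None

    def listing(self, verbose: bool = False) -> List[str]:
        """Approximate `iptables -L` (verbose=False) and `iptables -L -v` rows."""
        rows = [f"Chain {self.name} (policy {self.policy})"]
        for r in self.rules:
            cols = [r.target, "all", "--"]
            if verbose:                     # -v adds the in/out interface columns
                cols += [r.in_iface or "any", r.out_iface or "any"]
            cols += ["anywhere", "anywhere"]
            if verbose and r.states:
                cols.append("state " + ",".join(r.states))
            rows.append("  ".join(cols))
        return rows


LAN, WAN = "eth1", "eth0"       # constructed interface names
out_pkt = Packet(LAN, WAN, "192.168.1.10", "198.51.100.7", "NEW")
back_pkt = Packet(WAN, LAN, "198.51.100.7", "192.168.1.10", "ESTABLISHED")


def leaky_forward(policy: str) -> Chain:
    # Prints as "ACCEPT all -- anywhere anywhere" in plain `iptables -L`,
    # but the -i/-o restriction means it only matches LAN -> WAN packets.
    return Chain("FORWARD", policy, [Rule("ACCEPT", in_iface=LAN, out_iface=WAN)])


def hardened_forward() -> Chain:
    # DROP policy kept; replies and new LAN-originated flows accepted explicitly.
    return Chain("FORWARD", "DROP", [
        Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
        Rule("ACCEPT", in_iface=LAN, out_iface=WAN, states=("NEW",)),
    ])


def demo() -> Dict[str, Tuple[str, str]]:
    """Verdict for the outbound packet and its reply under each ruleset."""
    results = {}
    for label, chain in [("leaky/ACCEPT", leaky_forward("ACCEPT")),
                         ("leaky/DROP", leaky_forward("DROP")),
                         ("hardened", hardened_forward())]:
        results[label] = (chain.verdict(out_pkt)[0], chain.verdict(back_pkt)[0])
    return results


if __name__ == "__main__":
    for label, (o, b) in demo().items():
        print(f"{label:14} LAN->WAN {o:7} reply WAN->LAN {b}")
    print("\n".join(leaky_forward("DROP").listing()))
    print("\n".join(leaky_forward("DROP").listing(verbose=True)))
```

With the leaky chain and policy ACCEPT both directions pass, which is why the original setup "works"; switch the policy to DROP and the reply packet, which matches no rule, is dropped, so every connection looks dead even though the one rule is still evaluated first. The hardened chain is the usual shape for a masquerading gateway: the conntrack rule in first position catches replies regardless of interface, and only new flows from the LAN side are allowed to start.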
