* Setting a default policy does not work :(
From: Michael Gale @ 2003-12-02 15:33 UTC (permalink / raw)
To: netfilter
Hello,
I have a firewall with multiple interfaces. When I try to set a default policy it does not work. I believe this is a problem with netfilter and multiple interfaces.
Example:
Inserting the following to the bottom of my firewall script:
### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
### But when adding:
iptables -A INPUT -i $EXT_FACE -j DROP
iptables -A INPUT -i $INT_FACE -j DROP
iptables -A OUTPUT -o $EXT_FACE -j DROP
iptables -A OUTPUT -o $INT_FACE -j DROP
iptables -A FORWARD -i $EXT_FACE -j DROP
iptables -A FORWARD -i $INT_FACE -j DROP
The firewall rules behave as they should, only allowing traffic that matches the rules, and the default policy is now DROP based on the rules.
I believe the problem is caused by having multiple interfaces -- if you only have 1 interface then the default policy is applied to this interface. But if you have multiple network cards, any rule or policy that does not specify a network interface becomes a global rule, as in (iptables -A INPUT -j DROP), and takes effect before any other rules that are based upon a network interface.
So if you have these two rules in your firewall script:
iptables -A INPUT -i $EXT_FACE -j ACCEPT
iptables -A INPUT -j DROP
Even though the first rule is to accept all traffic everything would be denied because the second rule becomes like a global policy since no interface is associated with it and it actually gets checked before the packet can make it to the second rule.
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: Setting a default policy does not work :(
From: Ray Leach @ 2003-12-02 15:53 UTC (permalink / raw)
To: Netfilter Mailing List
On Tue, 2003-12-02 at 17:33, Michael Gale wrote:
> Hello,
>
> I have a firewall with multiple interfaces. When I try to set a default policy it does not work. I believe this is a problem with netfilter and multiple interfaces.
>
> Example:
>
> Inserting the following to the bottom of my firewall script:
>
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
>
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
>
I use
iptables -P INPUT DROP
instead and it works fine for me.
iptables 1.2.7a, kernel 2.4.20, SuSE 8.2
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
>
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP
> iptables -A FORWARD -j DROP
>
> ### But when adding:
>
> iptables -A INPUT -i $EXT_FACE -j DROP
> iptables -A INPUT -i $INT_FACE -j DROP
> iptables -A OUTPUT -o $EXT_FACE -j DROP
> iptables -A OUTPUT -o $INT_FACE -j DROP
> iptables -A FORWARD -i $EXT_FACE -j DROP
> iptables -A FORWARD -i $INT_FACE -j DROP
>
> The firewall rules behave as they should, only allowing traffic that matches the rules, and the default policy is now DROP based on the rules.
>
> I believe the problem is caused by having multiple interfaces -- if you only have 1 interface then the default policy is applied to this interface. But if you have multiple network cards, any rule or policy that does not specify a network interface becomes a global rule, as in (iptables -A INPUT -j DROP), and takes effect before any other rules that are based upon a network interface.
>
>
> So if you have these two rules in your firewall script:
> iptables -A INPUT -i $EXT_FACE -j ACCEPT
> iptables -A INPUT -j DROP
>
> Even though the first rule is to accept all traffic everything would be denied because the second rule becomes like a global policy since no interface is associated with it and it actually gets checked before the packet can make it to the second rule.
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Setting a default policy does not work :(
From: Chris Brenton @ 2003-12-02 15:53 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
>
> Inserting the following to the bottom of my firewall script:
>
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
>
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
Try:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Works for me on multiple firewalls using multiple interfaces.
> ### But when adding:
>
> iptables -A INPUT -i $EXT_FACE -j DROP
> iptables -A INPUT -i $INT_FACE -j DROP
> iptables -A OUTPUT -o $EXT_FACE -j DROP
> iptables -A OUTPUT -o $INT_FACE -j DROP
> iptables -A FORWARD -i $EXT_FACE -j DROP
> iptables -A FORWARD -i $INT_FACE -j DROP
>
> The firewall rules behave as they should only allow traffic that matches the rules and the default policy now is DROP based on the rules.
Actually, this does not change the policy but would rather make the last
rule in each chain a drop rule. If you moved these commands to the
beginning of your script you would have the same problem as above. Using
-P should fix your problem.
HTH,
C
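The point Chris makes above (an appended `-j DROP` is just the last rule in the chain, and would shadow everything after it if moved to the top of the script, whereas `-P` sets the fallback verdict) and the two-rule ordering question in Michael's first post can both be checked against a small model of how a filter chain is evaluated. The following is an added example and not code from any post in this thread: it implements the documented iptables semantics (rules tried in append order, first match wins, chain policy used only when nothing matched) for a toy firewall that understands `-P`/`--policy` and `-A`/`--append` with `-i`, `-o` and `-j`. The interface names eth0/eth1 standing in for `$EXT_FACE`/`$INT_FACE`, and the packets fed through the INPUT chain, are constructed for the illustration.

```python
"""Toy model of how a netfilter filter chain decides a packet's fate.

Added example, not code from the thread.  Models documented iptables
semantics: rules are tried in append order, the first match decides, and
the chain policy (-P / --policy) applies only when no rule matched.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    in_iface: Optional[str]   # value of -i, or None when the rule has no -i
    out_iface: Optional[str]  # value of -o, or None when the rule has no -o
    target: str               # value of -j

    def matches(self, pkt: Dict[str, str]) -> bool:
        # A rule without -i/-o matches any interface, but it is still tried
        # at its own position in the chain, not ahead of other rules.
        if self.in_iface is not None and pkt.get("in") != self.in_iface:
            return False
        if self.out_iface is not None and pkt.get("out") != self.out_iface:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                     # built-in chains start as ACCEPT
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Dict[str, str]) -> Tuple[str, str]:
        """Return (target, reason): first matching rule wins, else the policy."""
        for idx, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, f"rule {idx}"
        return self.policy, "policy"


class Firewall:
    def __init__(self) -> None:
        self.chains = {name: Chain() for name in ("INPUT", "OUTPUT", "FORWARD")}

    def exec(self, cmdline: str) -> None:
        """Apply one iptables command (only -P/--policy and -A/--append)."""
        argv = shlex.split(cmdline)
        if not argv or argv[0] != "iptables":
            raise ValueError(f"not an iptables command: {cmdline!r}")
        args = argv[1:]
        if args[0] in ("-P", "--policy"):
            # -P and --policy are the same option: set the chain's fallback verdict
            self.chains[args[1]].policy = args[2]
        elif args[0] in ("-A", "--append"):
            opts = dict(zip(args[2::2], args[3::2]))
            self.chains[args[1]].rules.append(
                Rule(opts.get("-i"), opts.get("-o"), opts["-j"]))
        else:
            raise ValueError(f"unsupported command: {cmdline!r}")

    def run(self, script: str, env: Optional[Dict[str, str]] = None) -> "Firewall":
        """Run a firewall script line by line, expanding $VAR from env."""
        for line in script.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            for name, value in (env or {}).items():
                line = line.replace("$" + name, value)
            self.exec(line)
        return self


# Constructed interface names standing in for the thread's $EXT_FACE/$INT_FACE.
IFACES = {"EXT_FACE": "eth0", "INT_FACE": "eth1"}

SCRIPTS = {
    # the two rules from the first post: accept on $EXT_FACE, then a catch-all drop
    "accept-then-drop": "iptables -A INPUT -i $EXT_FACE -j ACCEPT\niptables -A INPUT -j DROP",
    # catch-all drop appended first: it shadows every rule appended after it
    "drop-then-accept": "iptables -A INPUT -j DROP\niptables -A INPUT -i $EXT_FACE -j ACCEPT",
    # policy form: only a fallback, so its position never shadows appended rules
    "policy-drop": "iptables -P INPUT DROP\niptables -A INPUT -i $EXT_FACE -j ACCEPT",
}


def input_verdicts(name: str) -> Dict[str, Tuple[str, str]]:
    """INPUT-chain verdict for one packet arriving on each interface."""
    fw = Firewall().run(SCRIPTS[name], IFACES)
    return {iface: fw.chains["INPUT"].verdict({"in": iface})
            for iface in ("eth0", "eth1")}


if __name__ == "__main__":
    for name in SCRIPTS:
        print(name, input_verdicts(name))
```

Running it shows the three outcomes side by side: with the accept rule appended before the catch-all drop, eth0 traffic is accepted by rule 1 and eth1 traffic dropped by rule 2; with the catch-all drop appended first, rule 1 drops everything regardless of what is appended later; with `-P INPUT DROP`, the accept rule still fires for eth0 and eth1 traffic falls through to the policy. The model also treats `-P` and `--policy` identically, which is the documented relationship Jeff asks about further down the thread.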
* Re: Setting a default policy does not work :(
From: Jeffrey Laramie @ 2003-12-02 16:07 UTC (permalink / raw)
To: netfilter
On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > Inserting the following to the bottom of my firewall script:
> >
> > ### Causes all traffic to or from the box on either interface to be
> > dropped regardless of all other rules.
> >
> > iptables --policy INPUT DROP
> > iptables --policy OUTPUT DROP
> > iptables --policy FORWARD DROP
>
> Try:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Works for me on multiple firewalls using multiple interfaces.
>
OK, now *I'm* confused. Aren't they the same command?
Jeff
* Re: Setting a default policy does not work :(
From: Arnt Karlsen @ 2003-12-02 20:03 UTC (permalink / raw)
To: netfilter
On Tue, 2 Dec 2003 11:07:39 -0500,
Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote in message
<200312021107.39011.JALaramie@Loudoun-Fairfax.com>:
> On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> > On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > > Inserting the following to the bottom of my firewall script:
> > >
> > > ### Causes all traffic to or from the box on either interface to
> > > #be
> > > dropped regardless of all other rules.
> > >
> > > iptables --policy INPUT DROP
> > > iptables --policy OUTPUT DROP
> > > iptables --policy FORWARD DROP
> >
> > Try:
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > Works for me on multiple firewalls using multiple interfaces.
> >
>
> OK, now *I'm* confused. Aren't they the same command?
..supposedly, according to the man page, but if OP is using a
development version off his own cvs tree or somesuch, all
bets are off. ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Setting a default policy does not work :(
From: Michael Gale @ 2003-12-03 0:49 UTC (permalink / raw)
To: netfilter
Hello,
Thanks for the help so far -- it must have been the location I had placed the default policy in the file, or maybe some other rule. But everything is working fine now.
Michael
On Tue, 2 Dec 2003 21:03:47 +0100
Arnt Karlsen <arnt@c2i.net> wrote:
> On Tue, 2 Dec 2003 11:07:39 -0500,
> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote in message
> <200312021107.39011.JALaramie@Loudoun-Fairfax.com>:
>
> > On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> > > On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > > > Inserting the following to the bottom of my firewall script:
> > > >
> > > > ### Causes all traffic to or from the box on either interface to
> > > > #be
> > > > dropped regardless of all other rules.
> > > >
> > > > iptables --policy INPUT DROP
> > > > iptables --policy OUTPUT DROP
> > > > iptables --policy FORWARD DROP
> > >
> > > Try:
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > Works for me on multiple firewalls using multiple interfaces.
> > >
> >
> > OK, now *I'm* confused. Aren't they the same command?
>
> ..supposedly, according to the man page, but if OP is using a
> development version off his own cvs tree or somesuch, all
> bets are off. ;-)
>
> --
> ..med vennlig hilsen = with Kind Regards from Arnt... ;-)
> ...with a number of polar bear hunters in his ancestry...
> Scenarios always come in sets of three:
> best case, worst case, and just in case.
>
>
>
--
Michael Gale
Network Administrator
Utilitran Corporation