Setting a default policy does not work :(

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Setting a default policy does not work :(
@ 2003-12-02 15:33 Michael Gale
  2003-12-02 15:53 ` Ray Leach
  2003-12-02 15:53 ` Chris Brenton
  0 siblings, 2 replies; 6+ messages in thread
From: Michael Gale @ 2003-12-02 15:33 UTC (permalink / raw)
  To: netfilter

Hello,

	I have a firewall with multiple interfaces. When I try to set a default policy it does not work. I believe this is a problem with netfilter and multiple interfaces.

Example:

Inserting the following to the bottom of my firewall script:

### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
itpables -A FORWARD -j DROP

### But when adding:

iptables -A INPUT -i $EXT_FACE -j DROP
iptables -A INPUT -i $INT_FACE -j DROP
iptables -A OUTPUT -o $EXT_FACE -j DROP
iptables -A OUTPUT -o $INT_FACE -j DROP
iptables -A FORWARD -i $EXT_FACE -j DROP
iptables -A FORWARD -i $INT_FACE -j DROP

The firewall rules behave as they should only allow traffic that matches the rules and the default policy now is DROP based on the rules.

I believe the problem is caused by having multiple interfaces -- if you only have 1 interface then the default policy is applied to this interface. But if you have multiple networks cards any rule or policy that does not specify a network interface becomes a global rule .. as in (iptables -A INPUT -j DROP) and takes affect before any other rules that are based upon network interface.

So if you have these two rules in your firewall script:
iptables -A INPUT -i $EXT_FACE -j ACCEPT
iptables -A INPUT -j DROP

Even though the first rule is to accept all traffic everything would be denied because the second rule becomes like a global policy since no interface is associated with it and it actually gets checked before the packet can make it to the second rule.

-- 
Michael Gale
Network Administrator
Utilitran Corporation

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Setting a default policy does not work :(
  2003-12-02 15:33 Setting a default policy does not work :( Michael Gale
@ 2003-12-02 15:53 ` Ray Leach
  2003-12-02 15:53 ` Chris Brenton
  1 sibling, 0 replies; 6+ messages in thread
From: Ray Leach @ 2003-12-02 15:53 UTC (permalink / raw)
  To: Netfilter Mailing List

[-- Attachment #1: Type: text/plain, Size: 2341 bytes --]

On Tue, 2003-12-02 at 17:33, Michael Gale wrote:
> Hello,
> 
> 	I have a firewall with multiple interfaces. When I try to set a default policy it does not work. I believe this is a problem with netfilter and multiple interfaces.
> 
> Example:
> 
> Inserting the following to the bottom of my firewall script:
> 
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
> 
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
> 
I use
iptables -P INPUT DROP
instead and it works fine for me.
iptables 1.2.7a, kernel 2.4.20, SuSE 8.2

> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
> 
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP
> itpables -A FORWARD -j DROP
> 
> ### But when adding:
> 
> iptables -A INPUT -i $EXT_FACE -j DROP
> iptables -A INPUT -i $INT_FACE -j DROP
> iptables -A OUTPUT -o $EXT_FACE -j DROP
> iptables -A OUTPUT -o $INT_FACE -j DROP
> iptables -A FORWARD -i $EXT_FACE -j DROP
> iptables -A FORWARD -i $INT_FACE -j DROP
> 
> The firewall rules behave as they should only allow traffic that matches the rules and the default policy now is DROP based on the rules.
> 
> I believe the problem is caused by having multiple interfaces -- if you only have 1 interface then the default policy is applied to this interface. But if you have multiple networks cards any rule or policy that does not specify a network interface becomes a global rule .. as in (iptables -A INPUT -j DROP) and takes affect before any other rules that are based upon network interface.
> 
> 
> So if you have these two rules in your firewall script:
> iptables -A INPUT -i $EXT_FACE -j ACCEPT
> iptables -A INPUT -j DROP
> 
> Even though the first rule is to accept all traffic everything would be denied because the second rule becomes like a global policy since no interface is associated with it and it actually gets checked before the packet can make it to the second rule.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Setting a default policy does not work :(
  2003-12-02 15:33 Setting a default policy does not work :( Michael Gale
  2003-12-02 15:53 ` Ray Leach
@ 2003-12-02 15:53 ` Chris Brenton
  2003-12-02 16:07   ` Jeffrey Laramie
  1 sibling, 1 reply; 6+ messages in thread
From: Chris Brenton @ 2003-12-02 15:53 UTC (permalink / raw)
  To: Michael Gale; +Cc: netfilter

On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
>
> Inserting the following to the bottom of my firewall script:
> 
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
> 
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP

Try:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Works for me on multiple firewalls using multiple interfaces.

> ### But when adding:
> 
> iptables -A INPUT -i $EXT_FACE -j DROP
> iptables -A INPUT -i $INT_FACE -j DROP
> iptables -A OUTPUT -o $EXT_FACE -j DROP
> iptables -A OUTPUT -o $INT_FACE -j DROP
> iptables -A FORWARD -i $EXT_FACE -j DROP
> iptables -A FORWARD -i $INT_FACE -j DROP
> 
> The firewall rules behave as they should only allow traffic that matches the rules and the default policy now is DROP based on the rules.

Actually, this does not change the policy but would rather make the last
rule in each chain a drop rule. If you moved these commands to the
beginning of your script you would have the same problem as above. Using
-P should fix your problem.

HTH,
C




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Setting a default policy does not work :(
  2003-12-02 15:53 ` Chris Brenton
@ 2003-12-02 16:07   ` Jeffrey Laramie
  2003-12-02 20:03     ` Arnt Karlsen
  0 siblings, 1 reply; 6+ messages in thread
From: Jeffrey Laramie @ 2003-12-02 16:07 UTC (permalink / raw)
  To: netfilter

On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > Inserting the following to the bottom of my firewall script:
> >
> > ### Causes all traffic to or from the box on either interface to be
> > dropped regardless of all other rules.
> >
> > iptables --policy INPUT DROP
> > iptables --policy OUTPUT DROP
> > iptables --policy FORWARD DROP
>
> Try:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Works for me on multiple firewalls using multiple interfaces.
>

OK, now *I'm* confused. Aren't they the same command?

Jeff



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Setting a default policy does not work :(
  2003-12-02 16:07   ` Jeffrey Laramie
@ 2003-12-02 20:03     ` Arnt Karlsen
  2003-12-03  0:49       ` Michael Gale
  0 siblings, 1 reply; 6+ messages in thread
From: Arnt Karlsen @ 2003-12-02 20:03 UTC (permalink / raw)
  To: netfilter

On Tue, 2 Dec 2003 11:07:39 -0500, 
Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote in message 
<200312021107.39011.JALaramie@Loudoun-Fairfax.com>:

> On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> > On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > > Inserting the following to the bottom of my firewall script:
> > >
> > > ### Causes all traffic to or from the box on either interface to
> > > #be
> > > dropped regardless of all other rules.
> > >
> > > iptables --policy INPUT DROP
> > > iptables --policy OUTPUT DROP
> > > iptables --policy FORWARD DROP
> >
> > Try:
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > Works for me on multiple firewalls using multiple interfaces.
> >
> 
> OK, now *I'm* confused. Aren't they the same command?

..supposely, according to the man page, but if OP is using a 
development version off his own cvs tree or somesuch, all 
bets are off.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Setting a default policy does not work :(
  2003-12-02 20:03     ` Arnt Karlsen
@ 2003-12-03  0:49       ` Michael Gale
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Gale @ 2003-12-03  0:49 UTC (permalink / raw)
  To: netfilter


Hello,

	Thanks for the help so far -- it must of been the location I had placed the default policy in the file or maybe some other rule. But everything is working fine now. 

Michael


On Tue, 2 Dec 2003 21:03:47 +0100
Arnt Karlsen <arnt@c2i.net> wrote:

> On Tue, 2 Dec 2003 11:07:39 -0500, 
> Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com> wrote in message 
> <200312021107.39011.JALaramie@Loudoun-Fairfax.com>:
> 
> > On Tuesday 02 December 2003 10:53, Chris Brenton wrote:
> > > On Tue, 2003-12-02 at 10:33, Michael Gale wrote:
> > > > Inserting the following to the bottom of my firewall script:
> > > >
> > > > ### Causes all traffic to or from the box on either interface to
> > > > #be
> > > > dropped regardless of all other rules.
> > > >
> > > > iptables --policy INPUT DROP
> > > > iptables --policy OUTPUT DROP
> > > > iptables --policy FORWARD DROP
> > >
> > > Try:
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > Works for me on multiple firewalls using multiple interfaces.
> > >
> > 
> > OK, now *I'm* confused. Aren't they the same command?
> 
> ..supposely, according to the man page, but if OP is using a 
> development version off his own cvs tree or somesuch, all 
> bets are off.  ;-)
> 
> -- 
> ..med vennlig hilsen = with Kind Regards from Arnt... ;-)
> ...with a number of polar bear hunters in his ancestry...
>   Scenarios always come in sets of three: 
>   best case, worst case, and just in case.
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2003-12-03  0:49 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-12-02 15:33 Setting a default policy does not work :( Michael Gale
2003-12-02 15:53 ` Ray Leach
2003-12-02 15:53 ` Chris Brenton
2003-12-02 16:07   ` Jeffrey Laramie
2003-12-02 20:03     ` Arnt Karlsen
2003-12-03  0:49       ` Michael Gale

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox