Linux Netfilter discussions
* default policy
@ 2002-11-01  3:58 Rob
  2002-11-01 23:22 ` Robert P. J. Day
  0 siblings, 1 reply; 8+ messages in thread
From: Rob @ 2002-11-01  3:58 UTC (permalink / raw)
  To: Netfilter

I have been looking at several scripts checking the default policies on
them.
Some include items that others don't.  Oscar's tutorial doesn't cover all of
these compared to Ziegler's book.  I have been wondering if the following
covers ALL built-in chains?
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

Ziegler's book states that it should be this (it was never put in these
words but this is what I am gathering from my reading):
iptables -t nat    -P PREROUTING  DROP
iptables -t nat    -P OUTPUT      DROP
iptables -t nat    -P POSTROUTING DROP
iptables -t mangle -P PREROUTING  DROP
iptables -t mangle -P OUTPUT      DROP
iptables -t filter -P INPUT       DROP
iptables -t filter -P OUTPUT      DROP
iptables -t filter -P FORWARD     DROP

The last seems to be the most thorough but I can't find anywhere that covers
this in detail.
Are these all of the built-in chains?


Robert Wideman



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: default policy
  2002-11-01  3:58 default policy Rob
@ 2002-11-01 23:22 ` Robert P. J. Day
  0 siblings, 0 replies; 8+ messages in thread
From: Robert P. J. Day @ 2002-11-01 23:22 UTC (permalink / raw)
  To: netfilter mailing list

On Thu, 31 Oct 2002, Rob wrote:

> I have been looking at several scripts checking the default policies on
> them.
> Some include items that others don't.  Oscar's tutorial doesn't cover all of
> these compared to Ziegler's book.  I have been wondering if the following
> covers ALL built-in chains?
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP

nope, only for the filter table.
 
> Ziegler's book states that it should be this (it was never put in these
> words but this is what I am gathering from my reading):
> iptables -t nat    -P PREROUTING  DROP
> iptables -t nat    -P OUTPUT      DROP
> iptables -t nat    -P POSTROUTING DROP
> iptables -t mangle -P PREROUTING  DROP
> iptables -t mangle -P OUTPUT      DROP
> iptables -t filter -P INPUT       DROP
> iptables -t filter -P OUTPUT      DROP
> iptables -t filter -P FORWARD     DROP

while this is missing the newer chains in the mangle table, the
bigger issue is what it even means to put DROP policies on chains
in the nat and mangle tables.

apparently, it's legal -- i tried it and it took the policy
assignment.  i just have no idea what it means to do this.

rday



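As an added check (not code from the thread), here is a small Python script that reads `iptables-save` output and reports every built-in chain in each table with its policy, then lists the ones a filter-only "everything to DROP" script leaves at ACCEPT. The embedded dump is constructed to mirror the thread (filter at DROP, nat and mangle untouched); the five mangle chains are the "newer chains" rday mentions, present since kernel 2.4.18. Whether DROP belongs on nat and mangle at all is the question rday raises; the script only reports what is set.

```python
# Added example, not from the thread: audit the policy of every built-in
# chain from `iptables-save` output. In ":chain policy [pkts:bytes]" header
# lines a built-in chain carries a real policy while a user-defined chain
# shows "-". Constructed dump: filter at DROP as in the thread, nat/mangle
# left at ACCEPT (mangle has had all five hook chains since kernel 2.4.18).
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ssh_ok - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

def builtin_policies(save_text):
    """Map (table, chain) -> policy for every built-in chain in the dump."""
    policies, table = {}, None
    for line in save_text.splitlines():
        if line.startswith("*"):              # "*filter": start of a table block
            table = line[1:]
        elif line.startswith(":"):            # ":INPUT DROP [0:0]": chain header
            chain, policy = line[1:].split()[:2]
            if policy != "-":                 # "-" marks a user-defined chain
                policies[(table, chain)] = policy
    return policies

def still_accept(save_text):
    """Built-in chains a filter-only 'everything to DROP' script leaves at ACCEPT."""
    return sorted(f"{t}/{c}" for (t, c), p in builtin_policies(save_text).items() if p == "ACCEPT")

if __name__ == "__main__":
    for (table, chain), policy in sorted(builtin_policies(SAMPLE_SAVE).items()):
        print(f"{table:7} {chain:12} {policy}")
    print("still ACCEPT:", ", ".join(still_accept(SAMPLE_SAVE)))
```

On a live box, feed it the real dump with `iptables-save` instead of the constructed text.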

* Default policy
@ 2002-12-21 13:16 system
  2002-12-21 13:28 ` Rob Sterenborg
  2002-12-21 18:12 ` Giorgio Zarrelli
  0 siblings, 2 replies; 8+ messages in thread
From: system @ 2002-12-21 13:16 UTC (permalink / raw)
  To: iptables


Hi All,

Following is the policy that my firewall generation script gives, but my system hangs when I execute this. I am using ssh to execute this script. I am opening all other required ports. When I comment the last two lines my script works fine.

******Script*******

#Set default policies to DROP 

$IPTABLES -F INPUT 
$IPTABLES -F OUTPUT 
$IPTABLES -F FORWARD 
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP 
$IPTABLES -P FORWARD DROP

# Rejecting all Packets

#$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
#$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

Can anyone help me?

thanks in advance.

Regards,




* RE: Default policy
  2002-12-21 13:16 Default policy system
@ 2002-12-21 13:28 ` Rob Sterenborg
  2002-12-21 18:12 ` Giorgio Zarrelli
  1 sibling, 0 replies; 8+ messages in thread
From: Rob Sterenborg @ 2002-12-21 13:28 UTC (permalink / raw)
  To: iptables

> Following is the policy that my firewall generation script
> gives, but my system hangs when i execute this, I am using
> ssh to execute this script. I am opening all other required
> ports. When I comment the last two lines my script works fine.
>
> ******Script*******
>
> #Set default policies to DROP
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>

This is OK.
This will drop everything you didn't ACCEPT or REJECT or something.

> # Rejecting all Packets
>
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

If you have this in front of the other rules, nothing will reach the
other rules and you just killed (not only) your ssh connection. Not
even on lo (127.0.0.1).
You already have default policy DROP: just put in the ACCEPT and
other rules you need.


Rob




* Re: Default policy
  2002-12-21 13:16 Default policy system
  2002-12-21 13:28 ` Rob Sterenborg
@ 2002-12-21 18:12 ` Giorgio Zarrelli
  1 sibling, 0 replies; 8+ messages in thread
From: Giorgio Zarrelli @ 2002-12-21 18:12 UTC (permalink / raw)
  To: system; +Cc: netfilter

On Saturday 21 December 2002 14:16, you wrote:

> Hi All,
>
> Following is the policy that my firewall generation script gives, but my
> system hangs when i execute this, I am using ssh to execute this script. I
> am opening all other required ports. When I comment the last two lines my
> script works fine.
>
> ******Script*******
>
> #Set default policies to DROP
>
> $IPTABLES -P INPUT DROP
>
> # Rejecting all Packets
>
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

Ssh hangs because you drop all packets on tcp from and to everywhere. So,
your connection to the server is being cut. But policies like yours make no
sense.

Regards

Giorgio Zarrelli



* Re: default policy
  2003-08-26  8:35 default policy Payal Rathod
@ 2003-08-25  8:59 ` Ralf Spenneberg
  2003-08-25 14:56   ` Payal Rathod
  0 siblings, 1 reply; 8+ messages in thread
From: Ralf Spenneberg @ 2003-08-25  8:59 UTC (permalink / raw)
  To: Payal Rathod; +Cc: Netfilter

On Tue, 2003-08-26 at 10:35, Payal Rathod wrote:
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> 
> $IPTABLES -t nat -A POSTROUTING -j MASQUERADE
> 
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
> 
> When I make FORWARD POLICY as ACCEPT it works, but not when I make it
> to DROP? Is there any bad rule anywhere?
Yes, apply masquerading only to the external interface, like
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
If 125.125.125.0 is your internal ip-range you should be able to browse
to:
http://217.160.128.61
But since you do not allow any DNS traffic you can't resolve any
hostnames.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org



* Re: default policy
  2003-08-25  8:59 ` Ralf Spenneberg
@ 2003-08-25 14:56   ` Payal Rathod
  0 siblings, 0 replies; 8+ messages in thread
From: Payal Rathod @ 2003-08-25 14:56 UTC (permalink / raw)
  To: Ralf Spenneberg; +Cc: Netfilter

On Mon, Aug 25, 2003 at 10:59:42AM +0200, Ralf Spenneberg wrote:
> On Tue, 2003-08-26 at 10:35, Payal Rathod wrote:
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -P FORWARD DROP
> > 
> > $IPTABLES -t nat -A POSTROUTING -j MASQUERADE
> > 
> > $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
> > $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
> > 
> > When I make FORWARD POLICY as ACCEPT it works, but not when I make it
> > to DROP? Is there any bad rule anywhere?
> Yes, apply masquerading only to the external interface, like
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Both the IPs are connected to the real world. One is connected to the ISDN
router (internal IP) and the other to the leased line.
Some people use the ISDN route, some the leased line route.
I have 1 default gateway for each interface.
Is this OK?

> If 125.125.125.0 is your internal ip-range you should be able to browse
> to:
> http://217.160.128.61
> But since you do not allow any DNS traffic you can't resolve any
> hostnames.
> 

Yes I realised that. I have added tcp and udp for dns too.
Waiting for the mail.
With regards,
-Payal

-- 
For GNU/Linux Success Stories and Articles visit:
          http://payal.staticky.com



* default policy
@ 2003-08-26  8:35 Payal Rathod
  2003-08-25  8:59 ` Ralf Spenneberg
  0 siblings, 1 reply; 8+ messages in thread
From: Payal Rathod @ 2003-08-26  8:35 UTC (permalink / raw)
  To: netfilter

Hi,
I am trying a routing firewall which will route internal machines to the
internet as well as redirect machines from outside to 1 ftp server
inside.

But I am not able to get even the first part working.
I use policy as default on FORWARD and,


$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

$IPTABLES -A INPUT -p tcp -s 0/0  --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0  --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT

$IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT

When I make FORWARD POLICY as ACCEPT it works, but not when I make it
to DROP? Is there any bad rule anywhere?
Is the MASQUERADE rule ok? (Traffic is coming from 2 interfaces).
Is the ESTABLISHED,RELATED rule ok and at right position?

Please help me in this.
Thanks a lot and bye.
With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.


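An added illustration, not code from the thread, of the first-match behaviour behind both this post and the December ssh lockout: a Python simulation of a chain that walks constructed rules in order and falls back to the policy when nothing matches. It reproduces the blanket-DROP lockout (the ACCEPT for lo and ssh is never reached) and shows that the FORWARD rules posted here accept new HTTP from 125.125.125.0/24 but drop the DNS query needed to resolve names, which is Ralf's point. Interface names, the 203.0.113.5 and 125.125.125.10 addresses, and the packet fields are assumptions made for the example.

```python
# Added example, not from the thread: first-match simulation of a netfilter
# chain. Rule keys mirror the iptables options used in these posts
# (proto=-p, dport=--dport, src=-s, iface=-i, state=-m state --state).
import ipaddress

def matches(rule, pkt):
    """True when every match key of the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = pkt.get(key)
        if key == "src":        # -s takes a CIDR prefix
            ok = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key == "state":    # --state takes a comma-separated list
            ok = have in want.split(",")
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(chain, policy, pkt):
    """Walk the chain in order: the first matching rule decides, else the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# December thread: blanket udp/tcp DROP rules ahead of everything else, so the
# ACCEPT rules behind them are never reached and the ssh session hangs.
INPUT_LOCKED = [{"proto": "udp", "target": "DROP"}, {"proto": "tcp", "target": "DROP"},
                {"iface": "lo", "target": "ACCEPT"}, {"proto": "tcp", "dport": 22, "target": "ACCEPT"}]
# What the reply suggests instead: policy DROP plus only the ACCEPT rules needed.
INPUT_FIXED = [{"iface": "lo", "target": "ACCEPT"}, {"proto": "tcp", "dport": 22, "target": "ACCEPT"}]
SSH_LO = {"proto": "tcp", "dport": 22, "src": "127.0.0.1", "iface": "lo", "state": "NEW"}
SSH_REMOTE = {"proto": "tcp", "dport": 22, "src": "203.0.113.5", "iface": "eth0", "state": "NEW"}

# This thread: the posted FORWARD rules with policy DROP. New HTTP from the LAN
# matches the dport 80 rule; a DNS query matches nothing and falls to the policy.
LAN = "125.125.125.0/24"
FORWARD = [{"src": LAN, "proto": "tcp", "dport": 21, "target": "ACCEPT"},
           {"src": LAN, "proto": "tcp", "dport": 80, "target": "ACCEPT"},
           {"state": "ESTABLISHED,RELATED", "target": "ACCEPT"}]
LAN_HTTP = {"src": "125.125.125.10", "proto": "tcp", "dport": 80, "iface": "eth0", "state": "NEW"}
LAN_DNS = {"src": "125.125.125.10", "proto": "udp", "dport": 53, "iface": "eth0", "state": "NEW"}

if __name__ == "__main__":
    for chain, pkt in [(INPUT_LOCKED, SSH_LO), (INPUT_FIXED, SSH_REMOTE), (FORWARD, LAN_HTTP), (FORWARD, LAN_DNS)]:
        print(pkt["proto"], pkt["dport"], "from", pkt["src"], "->", verdict(chain, "DROP", pkt))
```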
