Linux Netfilter discussions
From: David Busby <busby@edoceo.com>
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Wed, 08 Jun 2005 16:32:23 -0700	[thread overview]
Message-ID: <42A78007.7080504@edoceo.com> (raw)
In-Reply-To: <20050608220107.994108EDCEB@smtp.sterenborg.info>

Rob Sterenborg wrote:
> 
> Add this on top of the other INPUT rules:
> 
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 

Ok so I changed the rules to this:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But it won't accept new connections on port 80 or 22.  The established SSH connection is fine.
I can see new connections to port 80 or 22 in my logs, see:

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18259 DF PROTO=TCP SPT=3704 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

IN=eth0 OUT= MAC=00:01:03:d2:db:0b:00:11:5b:50:ff:a4:08:00 SRC=192.168.42.34 DST=192.168.42.2 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18526 DF PROTO=TCP SPT=3705 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Why don't they jump to ACCEPT?  They match a rule.

So then I adjusted #1 above to this:

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Doesn't that now allow any new connection to any port on any protocol making my FW worthless?
Then I tried moving the RELATED,ESTABLISHED to the last rule like this:

imperium root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         192.168.42.2        udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

But I still cannot get new connections in, and my established SSH is still OK.

Should I not use policy DROP but add a last rule of DROP?  Which is the "right" way?
I guess I learned so far that I need to accept new and established.  But I cannot seem to get the rules to work.
I've been up and down the man page and samples but seem to be missing one more stupid little thing :(
Please help.

/djb
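An added example (not from the thread, and not the poster's own script) that parses kernel LOG lines in the format quoted above and walks them through a toy model of the INPUT chain listed in the message, with and without NEW in rule #1. The constructed log lines, the simplified conntrack rule (bare SYN is NEW, a segment carrying ACK is ESTABLISHED) and the first-match walk are assumptions of this model, not netfilter's real implementation.

```python
import ipaddress
# Toy model of the poster's first INPUT listing (policy DROP): one dict of matches per rule.
CHAIN_V1 = [
    {"states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"src": "127.0.0.0/8", "target": "ACCEPT"},
    {"proto": "UDP", "src": "192.168.42.1/32", "dst": "192.168.42.2/32", "spt": 53, "target": "ACCEPT"},
    {"proto": "TCP", "dst": "192.168.42.2/32", "dpt": 22, "target": "ACCEPT"},
    {"proto": "TCP", "dst": "192.168.42.2/32", "dpt": 80, "target": "ACCEPT"},
    {"target": "LOG"},  # LOG is non-terminating: the packet falls through to the policy
]
# The adjusted rule #1 with NEW added; the rest of the chain is unchanged.
CHAIN_V2 = [dict(CHAIN_V1[0], states={"NEW", "RELATED", "ESTABLISHED"})] + CHAIN_V1[1:]

# Constructed LOG lines in the format quoted above (ports and flags are made up).
SYN_TO_80 = "IN=eth0 OUT= SRC=192.168.42.34 DST=192.168.42.2 PROTO=TCP SPT=3704 DPT=80 SYN URGP=0"
SYN_TO_23 = "IN=eth0 OUT= SRC=192.168.42.34 DST=192.168.42.2 PROTO=TCP SPT=3706 DPT=23 SYN URGP=0"
ACK_TO_22 = "IN=eth0 OUT= SRC=192.168.42.34 DST=192.168.42.2 PROTO=TCP SPT=3700 DPT=22 ACK URGP=0"

def parse_log(line):
    """Split KEY=value tokens into a dict; bare flag tokens (DF, SYN, ACK) become True."""
    pkt = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        pkt[key] = val if sep else True
    return pkt
def conntrack_state(pkt):
    """Simplified conntrack: a bare SYN opens a flow (NEW); a segment carrying ACK belongs to one."""
    return "NEW" if pkt.get("SYN") and not pkt.get("ACK") else "ESTABLISHED"

def rule_matches(rule, pkt, state):
    if "proto" in rule and rule["proto"] != pkt["PROTO"]:
        return False
    for key, field in (("src", "SRC"), ("dst", "DST")):
        if key in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    for key, field in (("spt", "SPT"), ("dpt", "DPT")):
        if key in rule and int(pkt.get(field, -1)) != rule[key]:
            return False
    return "states" not in rule or state in rule["states"]

def verdict(chain, line, policy="DROP"):
    """Walk the chain top-down like netfilter: first terminating match wins, else the policy.
    Returns (target, logged) so the caller can see whether the LOG rule was reached."""
    pkt, logged = parse_log(line), False
    state = conntrack_state(pkt)
    for rule in chain:
        if rule_matches(rule, pkt, state):
            if rule["target"] == "LOG":
                logged = True
                continue
            return rule["target"], logged
    return policy, logged
```

Under this model the first listing accepts the SYN to port 80 at rule #5 without ever reaching LOG, while the NEW,RELATED,ESTABLISHED variant accepts a SYN to any port at rule #1, which is the concern raised in the message.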
