[KLUG Members] IPTables question

Mike Williams members@kalamazoolinux.org
Thu, 20 Feb 2003 15:39:41 -0500


Hopefully, somebody can explain this to me.  I have a general
understanding of the syntax for IPTables, but there's clearly something
I'm missing.  As I understand it, you go down the chain, and once you
match a rule, that rule is applied (drop or accept), and you stop.
Right in the middle of the RH-Lokkit-0-50-INPUT (which I think is where
INPUT dumps everything), is the line "ACCEPT all -- anywhere  anywhere."
Why doesn't this negate the REJECT lines below it, and make irrelevant
all the ACCEPT lines above it?

Complete "iptables --list" dump follows, with commentary after that.

[root@moore root]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  moore.local          anywhere           udp spt:domain dpts:1025:65535
ACCEPT     tcp  --  192.168.40.0/24      anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  192.168.40.0/24      anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp dpt:15353
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

192.168.40.1 is the local IP, and the Class C LAN is assumed 
trustworthy.  The dpt:15353 in line 5 is for a DDNS service.  I DO run a 
public webserver, so line 4 is not a mistake.  I'm not sure where line 1 
came from, and if I do iptables-restore from sysconfig it goes away.
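An added example (not from the post, and not Lokkit's own code) that audits the chain listing above for exactly the first-match situation the question describes: it parses the `iptables --list` columns and reports every rule positioned after a terminating catch-all, since netfilter stops at the first matching ACCEPT, DROP or REJECT. The chain text is the one from the post, embedded with its wrapped lines rejoined.

```python
"""Audit an `iptables --list` chain for rules shadowed by an earlier catch-all."""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal

# Constructed input: the RH-Lokkit chain quoted in the post (wrapped lines rejoined).
CHAIN = """\
Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  moore.local          anywhere           udp spt:domain dpts:1025:65535
ACCEPT     tcp  --  192.168.40.0/24      anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  192.168.40.0/24      anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp dpt:15353
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
"""


def parse_chain(listing):
    """Return (chain_name, rules); each rule is a dict of the listing's columns."""
    lines = listing.strip().splitlines()
    name = lines[0].split()[1]
    rules = []
    for line in lines[2:]:                      # skip the "Chain ..." and header rows
        target, prot, opt, src, dst, *extra = line.split()
        rules.append({"target": target, "prot": prot, "src": src,
                      "dst": dst, "extra": " ".join(extra)})
    return name, rules


def is_catch_all(rule):
    """True when no column narrows the rule, so every packet matches it."""
    return (rule["prot"] == "all" and rule["src"] == "anywhere"
            and rule["dst"] == "anywhere" and rule["extra"] == "")


def shadowed_rules(rules):
    """1-based positions of rules that can never fire because a terminating
    catch-all rule precedes them in the chain (empty list if there is none)."""
    for i, rule in enumerate(rules):
        if rule["target"] in TERMINATING and is_catch_all(rule):
            return list(range(i + 2, len(rules) + 1))
    return []


if __name__ == "__main__":
    name, rules = parse_chain(CHAIN)
    print(name, "shadowed rule positions:", shadowed_rules(rules))
```

One caveat before trusting the result on a real box: `iptables --list` without `-v` omits the in/out interface columns, so a rule bound to a single interface prints as "anywhere anywhere" and only looks like a catch-all. Compare against `iptables -L -v` before concluding that the rules below it are dead.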