[KLUG Members] IPTables question
Mike Williams
members@kalamazoolinux.org
Thu, 20 Feb 2003 15:39:41 -0500
Hopefully, somebody can explain this to me. I have a general
understanding of the syntax for IPTables, but there's clearly something
I'm missing. As I understand it, you go down the chain, and once you
match a rule, that rule is applied (drop or accept), and you stop.
Right in the middle of RH-Lokkit-0-50-INPUT (which I think is where
INPUT dumps everything) is the line "ACCEPT all -- anywhere anywhere."
Why doesn't this negate the REJECT lines below it, and make irrelevant
all the ACCEPT lines above it?
Complete "iptables --list" dump follows, with commentary after that.
[root@moore root]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  moore.local          anywhere           udp spt:domain dpts:1025:65535
ACCEPT     tcp  --  192.168.40.0/24      anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  192.168.40.0/24      anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp dpt:15353
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
192.168.40.1 is the local IP, and the Class C LAN is assumed
trustworthy. The dpt:15353 in line 5 is for a DDNS service. I DO run a
public webserver, so line 4 is not a mistake. I'm not sure where line 1
came from, and if I do iptables-restore from sysconfig it goes away.
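The first-match chain traversal the question describes, modelled in Python as an added example (this is not code from the post or from Lokkit). The Packet and Rule classes, walk_chain, and the port numbers substituted for service names (http 80, ssh 22, nfs 2049, x11 6000-6009, xfs 7100) are this example's own assumptions; the source-port-based DNS reply and bootp rules are left out of the model. It lets you compare what the chain does with and without the "ACCEPT all -- anywhere anywhere" line.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source address
    dport: int        # destination port
    syn: bool = True  # new-connection SYN, which is what flags:SYN,RST,ACK/SYN matches

@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT" or "REJECT"
    proto: str = "all"          # "tcp", "udp" or "all"
    src: str = "0.0.0.0/0"      # source network; "anywhere" is 0.0.0.0/0
    dports: tuple = (0, 65535)  # inclusive destination port range (dpt / dpts)
    syn_only: bool = False      # rule carries the SYN flag match
    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        return p.syn or not self.syn_only

def walk_chain(chain, p, policy="ACCEPT"):
    # First match wins; a packet matching nothing returns to INPUT, policy ACCEPT.
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# The post's RH-Lokkit-0-50-INPUT rules in order (service names as port numbers);
# the source-port-based DNS reply and bootp rules are left out of this model.
LOKKIT_CHAIN = [
    Rule("ACCEPT", "tcp", "192.168.40.0/24", syn_only=True),
    Rule("ACCEPT", "all", "192.168.40.0/24"),
    Rule("ACCEPT", "tcp", dports=(80, 80), syn_only=True),      # http
    Rule("ACCEPT", "udp", dports=(15353, 15353)),               # DDNS
    Rule("ACCEPT", "tcp", dports=(22, 22), syn_only=True),      # ssh
    Rule("ACCEPT", "all"),                  # "ACCEPT all -- anywhere anywhere"
    Rule("REJECT", "tcp", dports=(0, 1023), syn_only=True),
    Rule("REJECT", "tcp", dports=(2049, 2049), syn_only=True),  # nfs
    Rule("REJECT", "udp", dports=(0, 1023)),
    Rule("REJECT", "udp", dports=(2049, 2049)),                 # nfs
    Rule("REJECT", "tcp", dports=(6000, 6009), syn_only=True),  # x11:6009
    Rule("REJECT", "tcp", dports=(7100, 7100), syn_only=True),  # xfs
]
# The same chain with the catch-all ACCEPT taken out, for comparison.
WITHOUT_CATCHALL = [r for r in LOKKIT_CHAIN if r != Rule("ACCEPT", "all")]
```

Walking a constructed outside SYN to tcp/111 through LOKKIT_CHAIN returns ACCEPT from the catch-all line before any REJECT is reached; through WITHOUT_CATCHALL it reaches the dpts:0:1023 REJECT.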