Adding a rule to a iptable custom chain - Security


Thread: Adding a rule to a iptable custom chain

  1. Adding a rule to a iptable custom chain

    Let's say I have a redhat box acting like a firewall. It has iptables
    setup with a custom chain called, say, bob. Now, I would like to add a
    rule to that chain, say, something like this:

    iptables -A bob -s 128.227.8.12 -p all -j DROP

    What I want to do is block any traffic from that host going through the
    firewall. I check if the rule is seen

    iptables -L bob --line-numbers

    and see the rule there, as
    num target prot opt source destination
    [...]
    16 DROP all -- 128.227.8.12 anywhere

    So, I go to the said host and then ssh to a machine behind the firewall.
    I have no problem ssh'ing in. What am I missing here?

    --
    Mauricio raub-kudria-com
    (if you need to email me, use this address =)

  2. Re: Adding a rule to a iptable custom chain

    On Mon, 13 Nov 2006 14:36:50 -0500, Mauricio Tavares wrote:

    > Let's say I have a redhat box acting like a firewall. It has iptables
    >setup with a custom chain called, say, bob. Now, I would like to add a
    >rule to that chain, say, something like this:
    >
    >iptables -A bob -s 128.227.8.12 -p all -j DROP
    >
    >What I want to do is block any traffic from that host going through the
    >firewall. I check if the rule is seen
    >
    >iptables -L bob --line-numbers
    >
    >and see the rule there, as
    >num target prot opt source destination
    >[...]
    >16 DROP all -- 128.227.8.12 anywhere
    >
    >So, I go to the said host and then ssh to a machine behind the firewall.
    > I have no problem ssh'ing in. What am I missing here?


    Which filter chain 'calls' bob, INPUT or FORWARD?

    Grant.
    --
    http://bugsplatter.mine.nu/

  3. Re: Adding a rule to a iptable custom chain

    Mauricio Tavares said:
    > Let's say I have a redhat box acting like a firewall. It has iptables
    >setup with a custom chain called, say, bob. Now, I would like to add a
    >rule to that chain, say, something like this:
    >
    >iptables -A bob -s 128.227.8.12 -p all -j DROP
    >
    >What I want to do is block any traffic from that host going through the
    >firewall. I check if the rule is seen
    >
    >iptables -L bob --line-numbers
    >
    >and see the rule there, as
    >num target prot opt source destination
    >[...]
    >16 DROP all -- 128.227.8.12 anywhere
    >
    >So, I go to the said host and then ssh to a machine behind the firewall.
    > I have no problem ssh'ing in. What am I missing here?


    - is anything at all calling the 'bob' chain from 'INPUT' chain?
    - is something in the processing order (starting from the first rule in
    the 'INPUT' chain going up to the line 16 in the 'bob' chain, if it
    is even called) ACCEPTing the packet before the point where you attempt
    to DROP it?

    So, when a packet comes in, it will first be processed by the first rule
    in the INPUT chain. Then the next in the INPUT chain (or if the first rule
    was a jump to another chain, then at the first rule of the other chain),
    and so on. When a chain other than INPUT ends, the processing will resume
    with the next rule in the calling chain. When INPUT chain ends, then
    the chain policy will be applied. The first _terminal_ rule (ACCEPT, REJECT
    or DROP) that the packet matches with this processing order is the one
    that will be applied to the packet.

    A simple example -- start with completely empty INPUT table;
    add rules (in this order) to DROP and to ACCEPT every packet. Result:
    all packets will be DROPped. Change the order of the rules (f.ex. delete
    and append the DROP rule). Result: all packets will be ACCEPTed.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
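    As an added illustration of the two replies above (a small model written for this page, not code from the thread or from any of its posters): the script below simulates how the filter table walks the INPUT or FORWARD chain, jumps into a user-defined chain, resumes in the caller when that chain runs off its end, and falls back to the chain policy. The ruleset, the addresses and the assumption that both built-in chains have an ACCEPT policy are constructed to mirror the original post; with bob called only from INPUT, ssh traffic passing *through* the box never reaches the DROP, which is the symptom Mauricio reports.

```python
"""Model of iptables filter-chain traversal (added example, not from the thread).

Rules are matched in order; the first terminal target (ACCEPT, DROP, REJECT)
hit anywhere along the walk decides the packet. A jump into a user chain
that ends without a verdict (or RETURNs) resumes at the next rule in the
calling chain, and a built-in chain that ends applies its policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                    # ACCEPT/DROP/REJECT/RETURN or a user-chain name
    src: Optional[str] = None      # -s <addr>; None means any source
    proto: Optional[str] = None    # -p <proto>; None means "-p all"


@dataclass
class Packet:
    src: str
    proto: str
    forwarded: bool  # True: routed through the box (FORWARD); False: addressed to it (INPUT)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src is None or rule.src == pkt.src) and \
           (rule.proto is None or rule.proto == pkt.proto)


def walk(chain: str, chains: Dict[str, List[Rule]], pkt: Packet,
         trace: List[str]) -> Optional[str]:
    """Walk one chain; return a verdict, or None if the chain ran off its end."""
    for i, rule in enumerate(chains[chain], start=1):
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            trace.append(f"{chain}[{i}] -> {rule.target}")
            return rule.target
        if rule.target == "RETURN":
            trace.append(f"{chain}[{i}] -> RETURN")
            return None
        trace.append(f"{chain}[{i}] -> jump {rule.target}")
        verdict = walk(rule.target, chains, pkt, trace)
        if verdict is not None:
            return verdict
        # user chain gave no verdict: continue with the next rule here
    return None


def decide(chains: Dict[str, List[Rule]], policies: Dict[str, str],
           pkt: Packet) -> Tuple[str, List[str]]:
    """Pick the built-in chain the packet traverses and return (verdict, trace)."""
    builtin = "FORWARD" if pkt.forwarded else "INPUT"
    trace: List[str] = []
    verdict = walk(builtin, chains, pkt, trace)
    if verdict is None:
        verdict = policies[builtin]
        trace.append(f"{builtin} policy -> {verdict}")
    return verdict, trace


# Constructed ruleset mirroring the thread: 'bob' holds the DROP, INPUT calls
# bob, and FORWARD only calls bob when asked to. Policies are assumed ACCEPT.
POLICIES = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT"}


def thread_ruleset(call_bob_from_forward: bool = False,
                   accept_first: bool = False) -> Dict[str, List[Rule]]:
    forward: List[Rule] = []
    if accept_first:                       # an earlier ACCEPT wins (Wolf's second point)
        forward.append(Rule("ACCEPT", proto="tcp"))
    if call_bob_from_forward:              # the missing jump (Grant's question)
        forward.append(Rule("bob"))
    return {
        "bob": [Rule("DROP", src="128.227.8.12")],   # iptables -A bob -s 128.227.8.12 -p all -j DROP
        "INPUT": [Rule("bob")],
        "FORWARD": forward,
    }


if __name__ == "__main__":
    ssh_through = Packet("128.227.8.12", "tcp", forwarded=True)
    for label, rules in [("bob called from INPUT only", thread_ruleset()),
                         ("bob also called from FORWARD", thread_ruleset(True)),
                         ("ACCEPT tcp placed before the jump", thread_ruleset(True, True))]:
        verdict, trace = decide(rules, POLICIES, ssh_through)
        print(f"{label}: {verdict}  ({' ; '.join(trace)})")
```

Running it prints ACCEPT for the first ruleset (the FORWARD chain is empty, so the packet never sees bob and the policy applies), DROP once FORWARD jumps to bob, and ACCEPT again when an ACCEPT rule sits ahead of the jump, which is exactly the "first terminal rule wins" ordering Wolf describes. On a real box the equivalent check is `iptables -S FORWARD`, looking for a `-j bob` line and for any ACCEPT before it.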
