iptables rules created by firestarter question - Ubuntu


Thread: iptables rules created by firestarter question

  1. iptables rules created by firestarter question

    I am reviewing the Iptables rules created for me by Firestarter and I'm
    having difficulty comprehending one specific line in the INPUT chain of
    the Filter table.

    It's obvious that my understanding of Iptables chain traversing and rules
    matching is incomplete, but I cannot find where I am mistaken.

    Could anybody help me with this, please?

    Below is the output of the "iptables -L" command for the INPUT chain with
    lines numbered. Line 5 is the one I'm having difficulty with.

    Chain INPUT (policy DROP)
    target prot opt source destination
    1. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    2. ACCEPT udp -- 10.0.2.3 anywhere
    3. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    4. ACCEPT udp -- 10.0.2.3 anywhere
    5. ACCEPT 0 -- anywhere anywhere
    6. ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
    7. DROP 0 -- anywhere 255.255.255.255
    8. DROP 0 -- anywhere 10.0.2.255
    9. DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
    10. DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
    11. DROP 0 -- 255.255.255.255 anywhere
    12. DROP 0 -- anywhere 0.0.0.0
    13. DROP 0 -- anywhere anywhere state INVALID
    14. LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
    15. INBOUND 0 -- anywhere anywhere
    16. LOG_FILTER 0 -- anywhere anywhere
    17. LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'

    Here is my understanding of the chain and its rules. Lines 1 to 4 filter
    packets under specified conditions. If a packet matches none of them, it
    is then evaluated by the rule specified in line 5 (the line in
    question).

    But to me this line says: "ACCEPT any packet, with any (IP related)
    protocol, coming from any source, and going to any destination." Thus
    absolutely any packet would match it. Then, as soon as the rule is matched,
    the packet gets accepted and no further traversal of the chain ever
    happens under any circumstances.

    But what about lines 6 to 14? They are there but never reachable?

    There is a reference to the custom INBOUND chain down the road in
    line 13. I could assume that this would do the rest of the job, if
    line 5 included a jump instruction to it. I do not see it either.

    I am behind a router and I understand that no connection is physically
    possible to my host except from the router. But what I cannot understand is
    why this line is introduced (left?) there. What's its purpose? To create
    a hole in my firewall and prevent the INBOUND chain from ever being
    reached? :-)

    It drives me crazy. I know I'm wrong, but where?

  2. Re: iptables rules created by firestarter question

    On 2008-02-26, Vitorio Okio hit the keyboard and wrote:
    > I am reviewing the Iptables rules created for me by Firestarter and I'm
    > having difficulty comprehending one specific line in the INPUT chain of
    > the Filter table.
    >
    > It's obvious that my understanding of Iptables chain traversing and rules
    > matching is incomplete, but I cannot find where I am mistaken.
    >
    > Could anybody help me with this, please?
    >
    > Below is the output of the "iptables -L" command for the INPUT chain with
    > lines numbered. Line 5 is the one I'm having difficulty with.
    >
    > Chain INPUT (policy DROP)
    > target prot opt source destination
    > 1. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    > 2. ACCEPT udp -- 10.0.2.3 anywhere
    > 3. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    > 4. ACCEPT udp -- 10.0.2.3 anywhere
    > 5. ACCEPT 0 -- anywhere anywhere


    What does the number 0 under prot (protocol) mean?
    Sometimes it means "off"; can the same be applied here too? If
    yes, then it would mean this protocol is off. It is a long
    time since I manually set up iptables, so I'm sorry that I
    can't be of more help here...




    Dragomir Kollaric
    --
    This signature is licensed under the GPL and may be
    freely distributed as long as a copy of the GPL is included... :-)


  3. Re: iptables rules created by firestarter question

    > What does the number 0 under prot (protocol) mean? Sometimes it
    > means "off", can the same applied here too? If yes then it would mean
    > this protocol is off. It is a long time since I manually set up
    > iptables so I'm sorry that I can't be of more help here...


    No, it does not mean "off" in this context.

    In the /etc/protocols file it is defined as: "0 - IP - internet protocol,
    pseudo protocol number."

    The man pages for iptables say: "The number zero is equivalent to all.
    Protocol "all" will match with all protocols and is taken as default
    when this option is omitted".

  4. Re: iptables rules created by firestarter question

    On 2008-02-26, Vitorio Okio hit the keyboard and wrote:
    >> What does the number 0 under prot (protocol) mean? Sometimes it
    >> means "off", can the same applied here too? If yes then it would mean
    >> this protocol is off. It is a long time since I manually set up
    >> iptables so I'm sorry that I can't be of more help here...

    >
    > No, it does not mean "off" in this context.
    >
    > In the /etc/protocols file it is defined as: "0 - IP - internet protocol,
    > pseudo protocol number."
    >
    > The man pages for iptables say: "The number zero is equivalent to all.
    > Protocol "all" will match with all protocols and is taken as default
    > when this option is omitted".


    http://www.grc.com/intro.htm

    Thanks for your response. The above link is to a website
    where you can check the firewall settings (scroll to
    ShieldsUP). I used it just yesterday and found that it still
    works. I started Firestarter, and in "Settings" you'll
    find "ICMP" Filters; after I turned that on, the test gave a
    "true stealth" result.

    Other than that I have no more hints/tips to offer. :-(


    Dragomir Kollaric


  5. Re: iptables rules created by firestarter question

    "Dragomir Kollaric" wrote in message
    news:20080227210952.-15@DK-Slivowitz.org.invalid...
    > http://www.grc.com/intro.htm
    >
    > Thanks for your response. The above link is to a website
    > where you can check the firewall settings (scroll to
    > ShieldsUP). I used it just yesterday and found that it still
    > works. I started Firestarter, and in "Settings" you'll
    > find "ICMP" Filters; after I turned that on, the test gave a
    > "true stealth" result.
    >
    > Other than that I have no more hints/tips to offer. :-(


    Thanks, I'm aware of this site. It's not the security of my box that
    I'm worrying about. I'm stealth, since I'm behind a router with a NAT
    firewall enabled on it anyway.

    I'm just trying to learn Iptables better. And the line I mentioned in
    my first post does not fit my understanding of Iptables chain
    traversing and rules matching. So, it's just about the learning.

    You see, Firestarter is a good firewall, with a good reputation. But
    I would like to try something else, that would give me more options
    and flexibility for my future travels in the Linux world. And for
    this I need to gain a good grasp of Iptables first.

    In the meantime I keep reading, but so far I did not get the answer.
    :-( Unfortunately Firestarter does not have a forum, just a mailing
    list. From my experience with mailing lists, they just flood me with a
    lot of unwanted e-mails with not much help.

    Thank you for trying anyway.



  6. Re: iptables rules created by firestarter question

    On Tue, 26 Feb 2008 02:30:13 +0100, Vitorio Okio wrote:

    > I am reviewing the Iptables rules created for me by Firestarter and I'm
    > having difficulty comprehending one specific line in the INPUT chain of
    > the Filter table.
    >
    > It's obvious that my understanding of Iptables chain traversing and rules
    > matching is incomplete, but I cannot find where I am mistaken.
    >
    > Could anybody help me with this, please?
    >
    > Below is the output of the "iptables -L" command for the INPUT chain with
    > lines numbered. Line 5 is the one I'm having difficulty with.
    >
    > Chain INPUT (policy DROP)
    > target prot opt source destination
    > 1. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    > 2. ACCEPT udp -- 10.0.2.3 anywhere
    > 3. ACCEPT tcp -- 10.0.2.3 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    > 4. ACCEPT udp -- 10.0.2.3 anywhere
    > 5. ACCEPT 0 -- anywhere anywhere
    > 6. ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
    > 7. DROP 0 -- anywhere 255.255.255.255
    > 8. DROP 0 -- anywhere 10.0.2.255
    > 9. DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
    > 10. DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
    > 11. DROP 0 -- 255.255.255.255 anywhere
    > 12. DROP 0 -- anywhere 0.0.0.0
    > 13. DROP 0 -- anywhere anywhere state INVALID
    > 14. LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
    > 15. INBOUND 0 -- anywhere anywhere
    > 16. LOG_FILTER 0 -- anywhere anywhere
    > 17. LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'
    >
    > Here is my understanding of the chain and its rules. Lines 1 to 4 filter
    > packets under specified conditions. If a packet matches none of them, it
    > is then evaluated by the rule specified in line 5 (the line in
    > question).
    >
    > But to me this line says: "ACCEPT any packet, with any (IP related)
    > protocol, coming from any source, and going to any destination." Thus
    > absolutely any packet would match it. Then, as soon as the rule is matched,
    > the packet gets accepted and no further traversal of the chain ever
    > happens under any circumstances.
    >
    > But what about lines 6 to 14? They are there but never reachable?
    >
    > There is a reference to the custom INBOUND chain down the road in
    > line 13. I could assume that this would do the rest of the job, if
    > line 5 included a jump instruction to it. I do not see it either.
    >
    > I am behind a router and I understand that no connection is physically
    > possible to my host except from the router. But what I cannot understand is
    > why this line is introduced (left?) there. What's its purpose? To create
    > a hole in my firewall and prevent the INBOUND chain from ever being
    > reached? :-)
    >
    > It drives me crazy. I know I'm wrong, but where?


    Try "iptables -L -v"

    There is some restriction on the rule (perhaps it is only for the
    loopback interface?) that is not showing up on the "-L" listing.
    Specifying "-v" gives an expanded listing.

    --
    MarkA
    Chairperson,
    EAC Department of Redundancy Department


  7. Re: iptables rules created by firestarter question

    On Thu, 28 Feb 2008 15:04:15 -0500, MarkA wrote:

    > Try "iptables -L -v"
    >
    > There is some restriction on the rule (perhaps it is only for the
    > loopback interface?) that is not showing up on the "-L" listing.
    > Specifying "-v" gives an expanded listing.


    Bingo! It is indeed only for the loopback interface. And you are right, I
    simply couldn't see it without the -v option.

    Now it all makes sense to me. I thank you very much for your help.
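    As an added example (not code from this thread, from Firestarter, or from
    iptables itself), here is a small Python parser for "iptables -L -v" output
    that treats protocol 0 the way post 3 describes (the "all" pseudo-protocol)
    and tells an ACCEPT restricted to the loopback interface, which is what the
    "-v" listing reveals for rule 5, apart from a genuine catch-all that plain
    "-L" would make it look like. The listing it reads is constructed for
    illustration, not the poster's real ruleset.

```python
from collections import namedtuple

# Constructed "iptables -L -v" excerpt for the INPUT chain, modelled on the thread's
# listing (not a capture from the poster's machine). "-v" adds the pkts, bytes, in
# and out columns that plain "-L" omits; old iptables printed protocol "all" as 0.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 ACCEPT  tcp  --  any  any  10.0.2.3   anywhere         tcp flags:!FIN,SYN,RST,ACK/SYN
    0     0 ACCEPT  udp  --  any  any  10.0.2.3   anywhere
   42  3360 ACCEPT  0    --  lo   any  anywhere   anywhere
    0     0 ACCEPT  icmp --  any  any  anywhere   anywhere         limit: avg 10/sec burst 5
    0     0 DROP    0    --  any  any  anywhere   255.255.255.255
    0     0 ACCEPT  all  --  any  any  anywhere   anywhere
    0     0 INBOUND 0    --  any  any  anywhere   anywhere
"""

Rule = namedtuple("Rule", "number target prot in_if out_if source dest extra")  # extra = trailing matches

def parse_listing(text):
    """Parse the rule lines of an 'iptables -L -v' listing (columns: pkts bytes target
    prot opt in out source destination [matches]); add -x on real output for exact counters."""
    rules = []
    for line in text.splitlines():
        cols = line.split(None, 9)
        if len(cols) < 9 or not cols[0].isdigit():
            continue                       # chain header or column header line
        rules.append(Rule(len(rules) + 1, cols[2], cols[3], cols[5], cols[6],
                          cols[7], cols[8], cols[9] if len(cols) > 9 else ""))
    return rules

def matches_all_protocols(rule):
    """Protocol 0 is the 'all' pseudo-protocol from /etc/protocols, not 'off'."""
    return rule.prot in ("0", "all")

def is_catch_all(rule):
    """No protocol, address, interface or extra-match restriction at all."""
    return (matches_all_protocols(rule) and rule.source == rule.dest == "anywhere"
            and rule.in_if == "any" and rule.out_if == "any" and rule.extra == "")

def audit_accepts(text):
    """Rule numbers of loopback-only ACCEPTs versus ACCEPTs that match everything."""
    loopback, catch_all = [], []
    for r in [x for x in parse_listing(text) if x.target == "ACCEPT"]:
        if r.in_if == "lo" and matches_all_protocols(r):
            loopback.append(r.number)      # the thread's rule 5: only visible with -v
        elif is_catch_all(r):
            catch_all.append(r.number)     # what rule 5 looked like without -v
    return {"loopback_only": loopback, "catch_all": catch_all}
```

    On the sample listing the loopback rule lands in "loopback_only" and the
    constructed rule 6 in "catch_all", which is the distinction the plain "-L"
    output hides.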

  8. Re: iptables rules created by firestarter question

    On 2008-02-28, Vitorio Okio hit the keyboard and wrote:
    > On Thu, 28 Feb 2008 15:04:15 -0500, MarkA wrote:
    >
    >> Try "iptables -L -v"
    >>
    >> There is some restriction on the rule (perhaps it is only for the
    >> loopback interface?) that is not showing up on the "-L" listing.
    >> Specifying "-v" gives an expanded listing.

    >
    > Bingo! It is indeed only for the loopback interface. And you are right, I
    > simply couldn't see it without -v option.


    Not really a help, but in most cases "-v" on the
    command line will give "verbose" output. Next time you run
    into a command-line issue, you could use "-v". Most likely
    I'm pointing out the obvious to you *now* :-)

    >
    > Now it all makes sense to me. I thank you very much for your help.



    Dragomir Kollaric


  9. Re: iptables rules created by firestarter question

    On Thu, 28 Feb 2008 23:16:18 +0100, Vitorio Okio wrote:

    > On Thu, 28 Feb 2008 15:04:15 -0500, MarkA wrote:
    >
    >> Try "iptables -L -v"
    >>
    >> There is some restriction on the rule (perhaps it is only for the
    >> loopback interface?) that is not showing up on the "-L" listing.
    >> Specifying "-v" gives an expanded listing.

    >
    > Bingo! It is indeed only for the loopback interface. And you are right, I
    > simply couldn't see it without -v option.
    >
    > Now it all makes sense to me. I thank you very much for your help.


    No problema. I have a vague memory of puzzling over that very issue once
    myself, a few years ago. So many puzzling issues ago...

    --
    MarkA
    (insert clever sig line here)
