[Nelug] Re: [general] iptables doing unwanted logging

James Barton james.barton at blueyonder.co.uk
Thu Aug 14 13:45:01 UTC 2003


> Ok so you found the problem but note that whilst the echo may say about
> Denying UDP the LOG rule does nothing to log only UDP. ssh is done over
> tcp.

Fair point. I'm still not readin what I've written...

> why do you set the default of FORWARD to ACCEPT by default? That sounds
> like it opens up the possibility of allowing all sorts through if you
> get a rule wrong.

You're right. It was basically the end of my patience. I'd removed or
secured every application I could find on my internal network, then spent
time finding out what worked and what didn't in configuring INPUT and
OUTPUT (with whatever results...), and I simply couldn't be bothered to
fiddle with the FORWARD rules. I was having more trouble with them than
with anything else, I was unaware of any danger from external sources, and
I implicitly trust all the internal machines. But yes, it could be a lot
more secure.

> Using -d $ANYWHERE and -s $ANYWHERE aren't necessary because iptables
> defaults to these if you don't provide them. Having them there just
> makes the rule harder to read. i.e. allow loopback  could be specified
> as
>
> $IPTABLES -A INPUT -i lo -j ACCEPT

Okay.

> Not sure on the answer to this but on the
> #echo -e "Dropping other traffic to ports < 1024, monitor worm"
> rules you explictly state -i and -d. Doesn't that create a potential
> loophole because something targetted to a different -d which ends up on
> your input chain could cause trouble. i.e. your config doesn't
> explicitly say whether you've configured your IP stack to accept input
> on a different interface i.e. if I create an IP packet to your internal
> address but send it via the external address (I know that you've caught
> that earlier) then this rule wouldn't apply. Surely it is better to be
> more general and deny more unless you have a specific reason for not
> doing so.

Although I never have, it occurred to me when I was writing, that I might
want to use some services on privileged ports from internal machines, such
as telnet or finger. Since I never do, I should probably rewrite that as
you suggest.

> You have a rule
>
> # allow all else
> $IPTABLES -A INPUT -i $EXTERNAL_IF_1 -s $ANYWHERE -d $EXTERNAL_IP_1 -j
> ACCEPT
>
> which *totally* makes the next established connections rule totally
> pointless. I'm not sure that this is what you meant.

Absolutely right. No idea why that next line is there.

> Forward chain - you explicitly state both external and internal
> interfaces on the forward rules. If anyone manages to spoof routes this
> would end up being explicitly allowed by the global  FORWARD accept
> rule. I think that you would be better off with something like
>
> $IPTABLES -A FORWARD -i $EXTERNAL_IF_1 -o $INTERNAL_IF_1 -d
> $INTERNAL_NET_1 -m state --state ESTABLISHED,RELATED -j ACCEPT

That makes sense. I will give it a try.

> Side note that the next rule undoes all of the work that you have done
> in the rule above 'cos it allows everything else through!

Does it?
I thought that:
$IPTABLES -A FORWARD -i $INTERNAL_IF_1 -o $EXTERNAL_IF_1 -j ACCEPT

would allow connection to the rest of the Internet from any machine
connecting over eth1. Am I mistaken?

> Finally being totally paranoid I would probably configure the adbust and
> worry chains prior to putting them onto a chain to stop race conditions
> of people trying to circumvent them whilst the rest of the rules are
> being processed.

Never occurred to me, but it costs nothing to just change the processing
order, so I'll do that too.

> Hope this helps.

It's food for thought. Should teach me to try cut 'n' paste straight out
of the HOWTO...
thanks for the pointers,
James





More information about the Nelug mailing list