Thread: Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

  1. #1

    Question Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

    Hi

    I am trying to learn a bit about iptables (and the upcoming nftables). I started by looking at what SuSEFirewall was setting up, but this quickly led to confusion. To make sure I had not somehow messed up my own configuration, I did a fresh network install of openSUSE 13.1 with KDE in VMWare. After just installing (leaving the default "firewall on" setting in the installation process) and running zypper up, I have the following iptables rules:
    Code:
    # iptables --list
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
    input_ext  all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain forward_ext (0 references)
    target     prot opt source               destination         
    
    Chain input_ext (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
    ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
    DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
    LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    DROP       all  --  anywhere             anywhere            
    
    Chain reject_func (0 references)
    target     prot opt source               destination         
    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
    From what I've read about iptables, having the rule "ACCEPT all -- anywhere anywhere" at the top of the INPUT chain will accept anything, and so any rule below it will never make any difference. What am I missing here?

  2. #2

    Default Re: Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

    You need more details, and I think this will make it clear:

    Code:
    --------------------
    sudo /usr/sbin/iptables -nvL
    --------------------

    From mine:

    Code:
    --------------------
    ab@mybox:~/Desktop> sudo /usr/sbin/iptables -nvL
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    1043K  140M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2235K 1843M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    *snip*
    --------------------

    --
    Good luck.

  3. #3

    Default Re: Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

    While I thought your question interesting, I tried to read through some info on the internet.
    This was a quick and dirty scan, but it could be that doing an
    Code:
    iptables --list --verbose
    shows you that that first line acts on the device lo, which is the local loop. And that would allow all traffic on the local loop (127.0.0.1 or localhost) only.

    I can not look myself, because I do not have the firewall switched on.
    Henk van Velden

  4. #4

    Default Re: Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

    Thanks! You were both right, with --verbose I see that the first line is for in=lo, which clears up my confusion.
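The lesson in posts #2 and #3 is that the plain `iptables --list` output hides the `in`/`out` interface columns, so a rule that is really scoped to `lo` looks like an accept-everything rule. The following is an added example, not code from the thread or from SuSEFirewall: a small parser for the `iptables -nvL` layout shown in post #2 that records the interface columns and reports which ACCEPT rules are genuinely unrestricted. The listings embedded in it are constructed in that layout (the packet and byte counters are made up), and the function and class names are this example's own.

```python
"""Parse `iptables -nvL` output and flag ACCEPT rules that match every packet.

Added example for the thread above; not SuSEFirewall's or the posters' code.
The listings below are constructed in the `-nvL` column layout, with made-up
counters, so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the shape of a default SuSEFirewall INPUT chain when
# listed verbosely. Note the `in` column: the first ACCEPT is scoped to lo.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1043K  140M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2235K 1843M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1043K  140M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample of what the OP feared: an ACCEPT with no scope at all.
OPEN_SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: str
    bytes_: str
    target: str
    prot: str
    opt: str
    in_if: str        # the column `iptables --list` does not show
    out_if: str
    source: str
    destination: str
    matches: str = ""  # trailing match text, e.g. "ctstate ESTABLISHED"


def parse_verbose_listing(text: str) -> Dict[str, List[Rule]]:
    """Return {chain name: [Rule, ...]} from `iptables -nvL` output."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]      # "Chain INPUT (policy ...)" -> INPUT
            chains[current] = []
            continue
        if line.startswith("pkts "):
            continue                       # column header line
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        # Nine fixed columns; anything after them is the match expression.
        fields = line.split(None, 9)
        if len(fields) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        matches = fields[9] if len(fields) == 10 else ""
        chains[current].append(Rule(*fields[:9], matches=matches))
    return chains


def describe_scope(rule: Rule) -> str:
    """Summarise every restriction on a rule, or 'UNRESTRICTED' if none."""
    parts = []
    if rule.in_if != "*":
        parts.append(f"in={rule.in_if}")
    if rule.out_if != "*":
        parts.append(f"out={rule.out_if}")
    if rule.prot != "all":
        parts.append(f"proto={rule.prot}")
    if rule.source != "0.0.0.0/0":
        parts.append(f"src={rule.source}")
    if rule.destination != "0.0.0.0/0":
        parts.append(f"dst={rule.destination}")
    if rule.matches:
        parts.append(rule.matches)
    return ", ".join(parts) if parts else "UNRESTRICTED"


def unrestricted_accepts(chains: Dict[str, List[Rule]]) -> List[str]:
    """Return 'CHAIN:index' for ACCEPT rules that would match every packet."""
    return [f"{name}:{i}" for name, rules in chains.items()
            for i, r in enumerate(rules)
            if r.target == "ACCEPT" and describe_scope(r) == "UNRESTRICTED"]


if __name__ == "__main__":
    for label, text in (("default", SAMPLE), ("wide open", OPEN_SAMPLE)):
        chains = parse_verbose_listing(text)
        print(f"== {label} ==")
        for name, rules in chains.items():
            for i, r in enumerate(rules):
                print(f"{name}:{i} {r.target:<10} {describe_scope(r)}")
        print("unrestricted ACCEPT rules:", unrestricted_accepts(chains) or "none")
```

Run it against real output with `sudo iptables -nvL | python3 audit.py` after swapping the samples for `sys.stdin.read()`; the point of the check is that a rule is only "accept everything" when the interface columns, the protocol, the addresses and the trailing match expression are all empty, which is exactly what the non-verbose listing cannot tell you.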
