Calling all OpenSuse 11.3 Firewall and iptables experts

I am in the process of enabling Samba client and server on my opensuse 11.3 32-bit workstation, and have just looked at the firewall rules (via iptables -L) prior to enabling these applications.

I have used iptables a lot before, and despite having my network interface defined as being in the External Zone (i.e. the least trusted, and therefore supposedly the most protected), the first rules in iptables are as follows:

target=ACCEPT, prot=all, source=anywhere, dest=anywhere

target=ACCEPT, prot=all, source=anywhere, dest=anywhere

There are no qualifiers on these two rules, and each is followed by a number of other rules.
Maybe I’m missing something, but don’t these two rules (the first rules in each chain) allow any input packets and any output packets? Surely this means my firewall is completely useless.

If you are an expert in opensuse 11.3 firewall design then please tell me I’m missing something. The only other thing which might be relevant is that I have been playing with Wireshark on my system to check on network traffic. I am also behind a SOHO router firewall so I’m not overly concerned about security other than the fact that my opensuse firewall is supposed to offer some degree of protection.

I must be missing something obvious. Can any firewall/iptables expert help?


Good question. Add a -v and I think you’ll see EXACTLY what is happening.
Also, compare/contrast with the output from iptables-save to see more of
what I mean.

Hint: lo

Good luck.

Want to yell at me in person?
Come to BrainShare 2011 in October:


Why not post the rules? In a code tag please. Perhaps you are looking at the default behaviour, which applies when no rule matches. Also filter rules are generally put in the FORWARD chain, and most installations do not have OUTPUT restrictions because it’s a hassle to enforce egress rules, though it’s good practice for best security.

Thanks ab - it’s so obvious when you add the -v. I’m beating myself up because I really should have thought of that!!

Just to clear it up for anyone else, iptables -L doesn’t show the interface each rule applies to. If you add the -v option, the interface for each rule is shown. The first rules in the INPUT and OUTPUT chains apply only to the lo (local) interface, i.e. 127.0.0.x, so all packets on that interface are allowed through. So after all, I am protected!!
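The point the thread arrives at (a rule that looks unqualified in `iptables -L` can be pinned to `lo`, which only `-v` or `iptables-save` reveals) can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the thread or from openSUSE. It parses a constructed ruleset in `iptables-save` format, renders roughly what `iptables -L` would print with and without `-v`, and flags ACCEPT rules that carry no match at all. The sample ruleset is made up for the example, and one genuinely unqualified `-A INPUT -j ACCEPT` is deliberately included so the check has something to catch; the original poster's system had no such rule.

```python
"""Audit iptables rules from `iptables-save` output and show why
`iptables -L` without -v hides the interface qualifier on a rule."""
import shlex

# Constructed sample in iptables-save format, modelled on the thread.
# The bare "-A INPUT -j ACCEPT" is added on purpose (not from the post)
# so that the audit below has a real unqualified accept to report.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Options that restrict which packets a rule matches. A rule with none
# of these matches every packet that reaches its chain.
QUALIFIERS = {"-i", "-o", "-s", "-d", "-p", "-m", "--dport", "--sport", "--state"}


def parse_save(text):
    """Return one dict per '-A' line: chain, jump target and options.
    Every option handled here takes exactly one argument, which is true
    for the matches used in the sample ruleset."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table header, chain policies and COMMIT
        toks = shlex.split(line)
        rule = {"chain": toks[1], "target": None, "opts": {}}
        for i in range(2, len(toks), 2):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-j":
                rule["target"] = arg
            else:
                rule["opts"].setdefault(opt, []).append(arg)
        rules.append(rule)
    return rules


def is_unqualified_accept(rule):
    """True when the rule accepts and carries no match of any kind."""
    return rule["target"] == "ACCEPT" and not (QUALIFIERS & rule["opts"].keys())


def loopback_only(rule):
    """True when the rule is pinned to the lo interface via -i lo or -o lo."""
    return "lo" in rule["opts"].get("-i", []) or "lo" in rule["opts"].get("-o", [])


def render_listing(rules, chain, verbose=False):
    """Approximate the columns `iptables -L CHAIN` prints; -v adds in/out.
    Packet and byte counters are not available from iptables-save, so
    they are left out."""
    cols = ["target", "prot", "source", "destination"]
    if verbose:
        cols = ["target", "prot", "in", "out", "source", "destination"]
    lines = []
    for r in rules:
        if r["chain"] != chain:
            continue
        o = r["opts"]
        row = {
            "target": r["target"],
            "prot": o.get("-p", ["all"])[0],
            "in": o.get("-i", ["any"])[0],
            "out": o.get("-o", ["any"])[0],
            "source": o.get("-s", ["anywhere"])[0],
            "destination": o.get("-d", ["anywhere"])[0],
        }
        lines.append("  ".join(row[c] for c in cols))
    return lines


def audit(text):
    """List (chain, target) for every rule that accepts everything."""
    return [(r["chain"], r["target"]) for r in parse_save(text)
            if is_unqualified_accept(r)]


if __name__ == "__main__":
    rules = parse_save(SAMPLE_SAVE)
    print("iptables -L INPUT  (interface column missing):")
    print("\n".join(render_listing(rules, "INPUT")))
    print("\niptables -L -v INPUT  (in/out columns present):")
    print("\n".join(render_listing(rules, "INPUT", verbose=True)))
    print("\nUnqualified ACCEPT rules:", audit(SAMPLE_SAVE))
```

On a live system the input would come from `iptables-save` run as root; the listing without `-v` prints the `-i lo` rule and the bare `-j ACCEPT` rule identically, which is exactly the confusion in the opening post, while the verbose listing and the audit tell them apart.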