Why does SuSEFirewall set up "ACCEPT all -- anywhere anywhere" at top of INPUT iptables chain?

Hi

I am trying to learn a bit about iptables (and the upcoming nftables). I started by looking at what SuSEFirewall was setting up, but this quickly led to confusion. To make sure I had not somehow messed up my own configuration, I did a fresh network install of openSUSE 13.1 with KDE in VMware. After just installing (leaving the default "firewall on" setting in the installation process) and running zypper up, I have the following iptables rules:


# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain forward_ext (0 references)
target     prot opt source               destination         

Chain input_ext (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere            

Chain reject_func (0 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

From what I've read about iptables, having the rule "ACCEPT all -- anywhere anywhere" at the top of the INPUT chain will accept anything, and so any rule below it will never make any difference. What am I missing here?

You need more details, and I think this will make it clear:

sudo /usr/sbin/iptables -nvL

From mine:

ab@mybox:~/Desktop> sudo /usr/sbin/iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1043K  140M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2235K 1843M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
snip


Good luck.


While I thought your question interesting, I tried to read through some info on the internet.
This was a quick and dirty scan, but it could be that doing an

iptables --list --verbose

shows you that that first line acts on the device lo, which is the local loop. And that would allow all traffic on the local loop (127.0.0.1 or localhost) only.

I cannot look myself, because I do not have the firewall switched on.

Thanks! You were both right, with --verbose I see that the first line is for in=lo, which clears up my confusion.
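Both answers come down to the same point: the in/out interface columns, which `iptables --list` omits, are what separate the `-i lo` rule from an ACCEPT that really matches everything. As an added example (not from this thread or from SuSEFirewall), a small Python audit that parses `iptables -nvL` output, reproduces what the plain `--list` rendering shows for each rule, and flags INPUT ACCEPTs with no interface, address, protocol or match constraint at all; the sample listing is constructed from the verbose output quoted above plus one deliberately unconstrained rule.

```python
# Constructed sample modelled on the -nvL listing in the thread, plus one deliberately
# unconstrained ACCEPT (the fourth rule) so the check has something to catch.
SAMPLE_NVL = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1043K  140M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2235K 1843M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
  512 40960 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7   420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# The nine fixed columns of `iptables -nvL`; anything after them is match text (ctstate, limit, ...).
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")


def parse_nvl(text):
    """Return {chain: [rule dicts]} from `iptables -nvL` output (the plain -L drops in/out)."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            parts = line.split(None, len(FIELDS))
            if len(parts) >= len(FIELDS):
                rule = dict(zip(FIELDS, parts))
                rule["match"] = parts[len(FIELDS)].strip() if len(parts) > len(FIELDS) else ""
                chains[current].append(rule)
    return chains


def plain_listing(rule):
    """Render a rule as `iptables --list` shows it: interfaces gone, 0.0.0.0/0 printed as 'anywhere'."""
    anywhere = lambda a: "anywhere" if a == "0.0.0.0/0" else a
    cols = (rule["target"], rule["prot"], rule["opt"], anywhere(rule["src"]), anywhere(rule["dst"]), rule["match"])
    return " ".join(c for c in cols if c)


def is_unconstrained_accept(rule):
    """ACCEPT with any protocol, any interface, any address and no match text: it accepts everything."""
    return (rule["target"] == "ACCEPT" and rule["prot"] == "all" and rule["in"] == "*"
            and rule["out"] == "*" and rule["src"] == rule["dst"] == "0.0.0.0/0" and not rule["match"])


def shadowed_rules(rules):
    """Rules after the first unconstrained ACCEPT can never match (the question's original worry)."""
    hits = [i for i, r in enumerate(rules) if is_unconstrained_accept(r)]
    return rules[hits[0] + 1:] if hits else []
```

Run against the real host with `sudo iptables -nvL | python3 -c 'import sys, audit; ...'` style piping, or paste the listing into `SAMPLE_NVL`; the lo rule and the unconstrained rule render identically under `plain_listing`, which is exactly the ambiguity the question hit.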