Help understanding iptables -L

Support for security such as firewalls and securing Linux
Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Help understanding iptables -L

Post by Spork Schivago » 2018/10/19 16:58:20

Hi!

I have a server I am running and I struggle a little bit with understanding iptables. Currently, I would like to deny all traffic coming from outside my private network (unless I make the connection), and I'd like to open one port for a daemon I'm running, but only allow connections from the local area network.

I type iptables -L to view the firewall rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination 

Those chains are where I get confused and have a hard time following. The way I'm reading it, right now I'm accepting ssh traffic from outside the network on port 22. I believe I'd have to change that. I'd have to delete the IN_public_allow rule for the ssh client and then add the rule to the INPUT chain. Is that correct?

I look at the INPUT chain and see I'm allowing domain and bootp traffic. I have a DHCP server running on the network, but my addresses on this server are configured manually. I will be setting up a PXE server but have little experience in booting images over the network. From what I've read though, I wouldn't need the bootp ports open on the firewall. I'd just need to open the PXE server ports (maybe port 4011 UDP, 3928 TCP, 3928 UDP).

I see in the INPUT chain, after I accept incoming established connections, the following rule:

ACCEPT     all  --  anywhere             anywhere

Does that mean I am accepting all traffic from anywhere? If not, could someone help me understand this a little bit more?
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.

TrevorH
Forum Moderator
Posts: 23884
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Help understanding iptables -L

Post by TrevorH » 2018/10/19 18:22:27

It's ever so much easier to read if you post the output from the iptables-save command. Despite its name it just prints the rules to stdout.

Oh, and all those rules make it look like you're running firewalld, in which case you should not be fiddling with the rules behind its back with iptables. Firewalld "knows" how the rules should be, and if it finds rules present that it didn't add then it will remove them. It'll also put them back again if you remove ones it thinks should be there. To manipulate firewalld rules you should use the firewall-cmd command.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Help understanding iptables -L

Post by Spork Schivago » 2018/10/19 22:31:27

TrevorH wrote:
2018/10/19 18:22:27
It's ever so much easier to read if you post the output from the iptables-save command. Despite its name it just prints the rules to stdout.

Oh, and all those rules make it look like you're running firewalld in which case you should not be fiddling with the rules behind its back with iptables. Firewalld "knows" how the rules should be and if it finds rules present that it didn't add then it will remove them. It'll also put them back again if you remove ones it think should be there. To manipulate firewalld rules you should use the firewall-cmd command.
Thank you for that tidbit. With the iptables-save command, I could redirect to a file and easily modify a rule by hand editing it, and then using iptables-restore, correct?

Here is the output from iptables-save.

# Generated by iptables-save v1.4.21 on Fri Oct 19 18:22:01 2018
*nat
:PREROUTING ACCEPT [9896:494909]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [61470:4349911]
:POSTROUTING ACCEPT [61470:4349911]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eno1 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i eno1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Fri Oct 19 18:22:01 2018
# Generated by iptables-save v1.4.21 on Fri Oct 19 18:22:01 2018
*mangle
:PREROUTING ACCEPT [594943:207835095]
:INPUT ACCEPT [594943:207835095]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [535847:51029046]
:POSTROUTING ACCEPT [535956:51041027]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eno1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Fri Oct 19 18:22:01 2018
# Generated by iptables-save v1.4.21 on Fri Oct 19 18:22:01 2018
*security
:INPUT ACCEPT [584913:207327312]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [535879:51033131]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct 19 18:22:01 2018
# Generated by iptables-save v1.4.21 on Fri Oct 19 18:22:01 2018
*raw
:PREROUTING ACCEPT [594975:207839789]
:OUTPUT ACCEPT [535879:51033131]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i eno1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Fri Oct 19 18:22:01 2018
# Generated by iptables-save v1.4.21 on Fri Oct 19 18:22:01 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [535847:51029046]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eno1 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eno1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Oct 19 18:22:01 2018

The iptables-save command seems to produce even more confusing results for me. For example,

*mangle
:PREROUTING ACCEPT [594943:207835095]
:INPUT ACCEPT [594943:207835095]

Is *mangle a table? I believe it is, from doing a Google search. However, from iptables-save, it's not clear what packets I'm mangling, nor is it clear what those numbers after PREROUTING ACCEPT mean. Am I modifying all outgoing packets on virbr0 by changing the packets' checksum? Please correct me if I'm wrong: PREROUTING is a chain that is in various tables, including raw, nat, and mangle. Is that correct?

TrevorH
Forum Moderator
Posts: 23884
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Help understanding iptables -L

Post by TrevorH » 2018/10/19 23:02:22

Are you 100% sure you're not running firewalld? Those rules look like the ones that it generates - about 500 of them to do what iptables would do in 20!

If you are running plain iptables rather than firewalld then you run service iptables save to save the running rules. Those go to /etc/sysconfig/iptables and are restored from there on reboot/restart. If you're running firewalld then it stashes its rules somewhere else entirely.

As for what mangle does, run man iptables and search for mangle. It's in the section that describes the various tables.

The numbers in square brackets are packet:byte counts for the rules that have matched or for the entire table.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Help understanding iptables -L

Post by Spork Schivago » 2018/10/19 23:05:07

I found an article on digital ocean, https://www.digitalocean.com/community/ ... chitecture

It provides answers to a lot of my questions. For the ssh connection, I'd want it in the INPUT chain and the filter table. So now I can look at the iptables firewall and follow the packets logically as they enter the firewall. Thank you for the information on the packet:byte counts.

firewalld is installed and running. I would like to remove it and use just iptables, but I am not knowledgeable enough to securely set up an iptables firewall from scratch yet.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Help understanding iptables -L

Post by Spork Schivago » 2018/10/19 23:09:30

Would something like this be a secured start?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport <my sshd port> --source 192.168.2.0/24 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

I used that rule, where <my sshd port> is the port my ssh daemon is listening on (and I verified it's actually listening using netstat -plant), but for some reason, I cannot connect using the local area network via SSH anymore.

The /var/log/secure just shows ssh is listening on that port. I have keyboard authentication disabled, so I might temporarily re-enable keyboard authentication, just for troubleshooting purposes. Does that look like a good start though? Do you guys see anything wrong? Here is my ip6tables:

# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport <my sshd port> --source <4 bytes, in hexadecimal, my public IPv6 range>::/56 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Last edited by Spork Schivago on 2018/10/25 17:15:50, edited 1 time in total.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Help understanding iptables -L

Post by Spork Schivago » 2018/10/20 03:01:49

I figured out the ssh port stuff. Do those iptables rules look good?

TrevorH
Forum Moderator
Posts: 23884
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Help understanding iptables -L

Post by TrevorH » 2018/10/20 10:20:21

The top set? They look fairly nearly identical to the default rules you get when you install using iptables-services in the first place.

jlehtone
Posts: 2018
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Help understanding iptables -L

Post by jlehtone » 2018/10/25 12:04:09

Spork Schivago wrote:
2018/10/19 16:58:20
I type iptables -L to view the firewall rules:
Side-note:

IMHO, that command is "too human-friendly". Too prompt.
It can be more verbose:

iptables --lin -vnL
iptables -t nat --lin -vnL
iptables -t mangle --lin -vnL

On the plus side, you can limit the output to a single chain.
On the down side, the output is not in the syntax that iptables requires.

The 'iptables-save' command dumps everything, most of it in proper syntax.

Then there is

iptables -S
iptables -t nat -S
iptables -t mangle -S

In proper syntax, and you can list a single chain.
(The -S is a later addition.)

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: Help understanding iptables -L

Post by Spork Schivago » 2018/10/25 17:14:55

TrevorH wrote:
2018/10/20 10:20:21
The top set? They look fairly nearly identical to the default rules you get when you install using iptables-services in the first place.
Yes, I disabled firewalld and installed the iptables-services and ip6tables-services, then modified the default rules. To me, they look pretty secure and seem to accomplish what I want. Do you or anyone else see any problems with the rules I posted? Is there something missing that I should include? I'd think CentOS's iptables-services would probably include a pretty secure default policy to begin with. Allow all outgoing traffic, only accept incoming if it's established...I just had to modify to suit my ssh needs.
