IPtables oddities

jay ray
DD-WRT Novice


Joined: 01 Apr 2017
Posts: 35

Posted: Sat Oct 21, 2017 2:21    Post subject: IPtables oddities
Hello everybody. I'm finding my way around iptables for the first time and have run across some things that puzzle me. This first one might be of special interest to users of DD-WRT.

Code:

root@devodd:~# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
4    ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
5    ACCEPT     0    --  anywhere             anywhere
6    DROP       icmp --  anywhere             anywhere
7    DROP       igmp --  anywhere             anywhere
8    ACCEPT     0    --  anywhere             anywhere            state NEW
9    ACCEPT     0    --  anywhere             anywhere            state NEW
10   DROP       0    --  anywhere             anywhere


Okay, unpacking this leads to peculiarities. The duplicates were the first thing to stand out but they are not why I bring this up. Something about this table seems tilted. I know the order of rules is important. I thought the idea was to start at the top and work your way down, allowing or dropping specific things as you go.

From my noobish reading, this table looks like it could do away with many of the lines and possibly be exactly as functional with just one. Lines 1-4, specific as they are, all allow something that line 5 will do anyway. Line 5 appears to me to let in packets from any source, going to any destination, using any protocol. That scares me a little. Lines 6 and 7 seem to want to have a say in doing some actual blocking, but since line 5 already allows everything, these two should be up at the top of the table to be of any use. Lines 8 and 9 are already covered by line 5. And what's the point of line 10 if there's nothing left to trickle down to the dumpster?

So how does all that differ from this?

Code:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
5    ACCEPT     0    --  anywhere             anywhere


Am I way off base here? Is this normal and harmless and right or is it worth the effort to straighten it out?

_________________
Netgear r8000 - DD-WRT v3.0-r46380
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Oct 21, 2017 4:36    Post subject:
Use the following instead:
Code:
iptables -vnL INPUT --line-numbers
jay ray
DD-WRT Novice


Joined: 01 Apr 2017
Posts: 35

Posted: Mon Oct 23, 2017 20:39    Post subject:
Okay, better interface information helps clarify things a bit.
Code:

root@devodd:~# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     158K   31M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
3        0     0 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
5     256K   63M ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
6      331 36840 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
8      111  7277 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
9        0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
10   20932 2235K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0


I'm still seeing what appears to be redundancy, granted not as much. Doesn't line 4 allow generally what lines 2 and 3 do specifically? And doesn't line 5 cover the same thing that lines 3 and 9 also cover?

_________________
Netgear r8000 - DD-WRT v3.0-r46380
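The verbose listing answers the redundancy question mechanically: rule 9 (br0, state NEW) sits after rule 5 (br0, anything), so no packet ever reaches it, which is why its counters are 0; rules 2 and 3 are handled by rule 4 anyway. The script below is an added example, not code from the thread or from DD-WRT: it parses `iptables -vnL INPUT --line-numbers` output and reports rules that an earlier rule fully covers (they can never match) and rules that a later rule with the same target would handle anyway. It compares only the listed columns (in/out interface, protocol, source, destination and the trailing match text), so two rules with different trailing matches are assumed to possibly overlap, never to cover each other.

```python
# Added example (not from the thread): parse `iptables -vnL INPUT --line-numbers` output and flag
# rules an earlier rule fully covers (they can never match) or a later same-target rule covers anyway.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     158K   31M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
3        0     0 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
5     256K   63M ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
6      331 36840 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
8      111  7277 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
9        0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
10   20932 2235K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""
ANY = {"in": "*", "out": "*", "proto": "0", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "extra": ""}  # wildcard per column

def parse(text):
    """One dict per numbered rule line; 'extra' is the trailing match text, '' if none."""
    rules = []
    for line in text.splitlines():
        f = line.split(None, 10)
        if len(f) >= 10 and f[0].isdigit():  # skips the policy line and the column header
            rules.append({"num": int(f[0]), "target": f[3], "proto": f[4], "in": f[6], "out": f[7],
                          "src": f[8], "dst": f[9], "extra": f[10].strip() if len(f) > 10 else ""})
    return rules

def covers(a, b):
    """True if every packet matching rule b also matches rule a (trailing matches must be equal)."""
    return all(a[k] == ANY[k] or a[k] == b[k] for k in ANY)

def overlaps(a, b):
    """True if some packet may match both; trailing matches are assumed to overlap (conservative)."""
    return all(a[k] == ANY[k] or b[k] == ANY[k] or a[k] == b[k] for k in ("in", "out", "proto", "src", "dst"))

def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule covers the later one, so it never matches."""
    return [(r["num"], e["num"]) for i, r in enumerate(rules) for e in rules[:i] if covers(e, r)]

def redundant(rules):
    """(rule, later rule) pairs: same target, later rule covers it, no different-target rule between."""
    found = []
    for i, r in enumerate(rules):
        for j, s in enumerate(rules[i + 1:], i + 1):
            if s["target"] == r["target"] and covers(s, r) and not any(
                    m["target"] != r["target"] and overlaps(m, r) for m in rules[i + 1:j]):
                found.append((r["num"], s["num"]))
                break
    return found
```

On the listing above, `shadowed(parse(SAMPLE))` returns `[(9, 5)]` and `redundant(parse(SAMPLE))` returns `[(2, 4), (3, 4), (6, 10)]`; rule 7 is not reported because rule 8 (ACCEPT on lo) could take IGMP on the loopback before the final DROP, which is exactly the ordering effect the posts discuss.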