Why are packages being rejected even through there’s a rule that accepts them all before hand

iptables

I'm just reading up on iptables, finally. I'm a little confused because the input chain from the filter table (as installed, fedora 17), looks like this:

target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          state NEW udp dpt:mdns
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

From what I've been reading, the third rule should just accept anything, but this is not the case (I have to disable iptables to allow access to sshd or an https server). All other chains for all other tables are policy ACCEPT, with no rules, except filter FORWARD which REJECTs everything.

So what does ACCEPT really do?

iptables -v -L

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
  534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 31484 packets, 3973K bytes)
 pkts bytes target     prot opt in     out     source               destination

So this implies to me that third rule actually only applies to the loopback interface? [yep]

Best Answer

The ACCEPT target is a terminating target that allows packet to get through NetFilter. The REJECT is a terminating targetd that effectively disallows packet to get through and causes the ICMP response to be sent to the packet originator. The third rule in your sample most likely looks like this if you list the tables with 'iptables -v -L' command:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  639  304K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
  101  7798 ACCEPT     all  --  lo     any     anywhere             anywhere

In the column in there is an interface the rule is matching on. For the third rule it is the lo interface, so this rule allows any traffic on loopback interface and this is correct, as otherwise you will not be able to access any local to the host services over TCP or UDP at localhost address.

Related Solutions

Linux – iptables will match the following ICMP request packet as ESTABLISHED state after the first reply packet is sent

As you suggest, connection tracking obviously records your ICMP "session" and thus it considers the packets to be in ESTABLISHED state once a ping-pong roundtrip has been executed.

To achieve your goal of throttling ICMP requests you move the "drop all other ICMP" rule (third rule in your screenshot) just below the rule that accepts echo requests with rate limiting. This way the ESTABLISHED rule will not get considered for ICMP packets.

However since ICMP packets are also used to communicate various problems, I strongly recommend you add a rule accepting all icmp packets with a type other than "echo-request" to make sure you don't get problems with for example TCP connections (as an example, "Connection refused" is communicated using ICMP). The rule I suggest is:

iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

and put it right below your rate limiting rule accepting ECHO requests and just above the "drop all other ICMP" rule.

Why do some TCP reset packets show up in the iptables log

The creation of the TCP RST packet is from your rule

-A INPUT -p tcp -j REJECT --reject-with tcp-reset

The default policy (ACCEPT in your case) only applies to packets that do not match any of the rules in your chain. If a packet matches the rule above with the REJECT target, it will not be subject to the default policy and will be REJECTed (and generate a TCP RST) rather than ACCEPTed.

This TCP RST will not match your rule:

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

because it is not RELATED to another established connection and it is not part of an ESTABLISHED connection. It will continue through your rules and match

-A OUTPUT -m limit -j LOG --log-prefix "UNKNOWN_OUTGOING: " --log-level 5

and end up in your log. If you do not want to log these RST packets, either adjust this rule to not match them or insert an earlier rule to match the RST packets and so something with them before they get here.

Something else I'm noticing is that the first packet you are logging is a SYN/ACK packet from a remote webserver, which looks like a response packet from the remote webserver to a SYN packet you would have earlier sent to begin the connection to the remote host on port 80. If you didn't send an initial SYN, I don't think the connection would match 'ESTABLISHED', but if you did send a SYN then I think the connection should mach 'ESTABLISHED'. This could be messing with which rule your RST ends up matching.

Best Answer

Related Solutions

Linux – iptables will match the following ICMP request packet as ESTABLISHED state after the first reply packet is sent

Why do some TCP reset packets show up in the iptables log

Related Question