I'm just reading up on iptables, finally. I'm a little confused because the input chain from the filter table (as installed, fedora 17), looks like this:
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 state NEW udp dpt:mdns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
From what I've been reading, the third rule should just accept anything, but this is not the case (I have to disable iptables to allow access to sshd or an https server). All other chains for all other tables are policy ACCEPT, with no rules, except filter FORWARD which REJECTs everything.
So what does ACCEPT really do?
iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36625 38M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
1 60 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 state NEW udp dpt:mdns
534 73926 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 31484 packets, 3973K bytes)
pkts bytes target prot opt in out source destination
So this implies to me that third rule actually only applies to the loopback interface? [yep]
Best Answer
The ACCEPT target is a terminating target that allows a packet to get through NetFilter. The REJECT target is a terminating target that effectively disallows the packet to get through and causes an ICMP response to be sent to the packet originator. The third rule in your sample most likely looks like this if you list the tables with the 'iptables -v -L' command:

In the column 'in' there is the interface the rule is matching on. For the third rule it is the 'lo' interface, so this rule allows any traffic on the loopback interface, and this is correct, as otherwise you would not be able to access any local-to-the-host services over TCP or UDP at the localhost address.
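Added example, not part of the question or the answer above: a small first-match simulator for the INPUT chain as listed by 'iptables -v -L'. It parses the listing from the question (embedded here as a constructed sample), walks the rules in order until the first terminating target matches, and shows why a new SSH connection arriving on a LAN interface falls through to the final REJECT while the same connection over loopback is accepted by rule 3. The service-name-to-port table, the interface name 'eth0', the documentation address 192.0.2.10 and the "fix" rule (inserting an ACCEPT for new TCP connections to port 22 ahead of the REJECT) are assumptions for illustration and are not from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the INPUT chain from the question, as printed by `iptables -v -L`.
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
36625 38M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
1 60 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere 224.0.0.251 state NEW udp dpt:mdns
534 73926 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
"""

# Assumed: iptables prints well-known ports by service name; map the ones we need back.
SERVICE_PORTS = {"mdns": 5353, "ssh": 22, "https": 443}


@dataclass
class Rule:
    target: str          # ACCEPT / REJECT / DROP ...
    proto: str           # "all", "tcp", "udp", "icmp"
    in_iface: str        # "any" or an interface name such as "lo"
    dst: str             # "anywhere" or an address
    states: frozenset    # empty set means no conntrack state match
    dport: Optional[int]  # None means no destination-port match


@dataclass
class Packet:
    in_iface: str
    proto: str
    dst: str
    state: str           # "NEW", "ESTABLISHED" or "RELATED"
    dport: Optional[int] = None


def parse_chain(text):
    """Parse one chain of `iptables -v -L` output into (policy, [Rule])."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\S+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # lines[1] is the column header
        fields = line.split()
        _pkts, _bytes, target, proto, _opt, in_if, _out_if, _src, dst = fields[:9]
        extras = fields[9:]                     # match modules: state, dpt:, reject-with ...
        states, dport = frozenset(), None
        for i, tok in enumerate(extras):
            if tok == "state":
                states = frozenset(extras[i + 1].split(","))
            elif tok.startswith("dpt:"):
                name = tok[4:]
                dport = int(name) if name.isdigit() else SERVICE_PORTS[name]
        rules.append(Rule(target, proto, in_if, dst, states, dport))
    return policy, rules


def matches(rule, pkt):
    """Every match criterion on the rule must hold; 'all'/'any'/'anywhere' are wildcards."""
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.in_iface == "any" or rule.in_iface == pkt.in_iface)
            and (rule.dst == "anywhere" or rule.dst == pkt.dst)
            and (not rule.states or pkt.state in rule.states)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(policy, rules, pkt):
    """First matching rule wins (ACCEPT and REJECT both terminate); else the chain policy."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.target, n
    return policy, None


POLICY, RULES = parse_chain(LISTING)


def new_ssh_from_lan():
    # Fresh TCP SYN to port 22 on eth0: rule 3 needs in=lo, so it falls to rule 5.
    return verdict(POLICY, RULES, Packet("eth0", "tcp", "192.0.2.10", "NEW", 22))


def new_ssh_via_loopback():
    # Same connection over lo is caught by rule 3 ("ACCEPT all -- lo any").
    return verdict(POLICY, RULES, Packet("lo", "tcp", "127.0.0.1", "NEW", 22))


def reply_to_outbound():
    # Return traffic of a connection the host opened: rule 1 (RELATED,ESTABLISHED).
    return verdict(POLICY, RULES, Packet("eth0", "tcp", "192.0.2.10", "ESTABLISHED", 40000))


def mdns_query():
    return verdict(POLICY, RULES, Packet("eth0", "udp", "224.0.0.251", "NEW", 5353))


def ssh_after_fix():
    # Assumed remedy, equivalent to:
    #   iptables -I INPUT 5 -p tcp -m state --state NEW --dport 22 -j ACCEPT
    # i.e. an explicit ACCEPT inserted *before* the catch-all REJECT.
    fixed = RULES[:4] + [Rule("ACCEPT", "tcp", "any", "anywhere", frozenset({"NEW"}), 22)] + RULES[4:]
    return verdict(POLICY, fixed, Packet("eth0", "tcp", "192.0.2.10", "NEW", 22))


if __name__ == "__main__":
    for name, fn in [("ssh from LAN", new_ssh_from_lan), ("ssh via lo", new_ssh_via_loopback),
                     ("established reply", reply_to_outbound), ("mdns", mdns_query),
                     ("ssh after fix", ssh_after_fix)]:
        print(f"{name:18s} -> {fn()}")
```

The point the simulator makes is the one the answer gives: the "in" column is part of the match, so rule 3 is "ACCEPT all on lo", not "ACCEPT all". Position also matters: because ACCEPT and REJECT both terminate the walk, a rule that is meant to admit a service must sit above the final REJECT, which is why the assumed remedy uses '-I INPUT 5' rather than '-A INPUT'.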