
Re: Is this even POSSIBLE?

From Dan Ritter <dsr@randomstring.org>
Newsgroups linux.debian.maint.firewall
Subject Re: Is this even POSSIBLE?
Date Thu, 06 Jan 2022 20:00:01 +0100
Message-ID <DCG9r-3qW-1@gated-at.bofh.it> (permalink)
References <DCFdn-2RA-1@gated-at.bofh.it>
List-URL <https://lists.debian.org/debian-firewall/>
List-Archive https://lists.debian.org/msgid-search/20220106182615.u7jhfo2fogoyej7y@randomstring.org
X-Original-Date Thu, 6 Jan 2022 13:26:15 -0500
X-Original-Message-ID <20220106182615.u7jhfo2fogoyej7y@randomstring.org>


linux_forum1 wrote: 
> Hello, I have 2 questions if that's OK.
> 
> INPUT DROP
> FORWARD DROP
> OUTPUT DROP
> 
> -N Block
> -N Logger
> -A INPUT -j Block
> -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
> -A Logger -j LOG --log-level 4
> -A Logger -j DROP
> 
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> 
> There will be more rules in Block, but I just want to understand the logic.
> 
> 1.) How is -A INPUT -j Block possible before there are any rules appended to Block, does that mean iptables first searches and assembles all rules that belong to custom chains regardless of order? Same for Logger.

Everything has an order. You can turn on line numbers and see
the order.

Creating a chain (Block, Logger) does not put it into order.

The jump (-j) to Block, from INPUT, places the chain in order.

I note that you don't have a rule in Block to actually drop
packets, and you do have a rule in Logger that drops packets.
That seems... problematic to me.

> 2.)
> Would this be OK to log and drop all rules in Block?
> I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG -> Logger -> DROP

In general, you can jump as many times as you like as long as
you don't go in a circle. Note that -j LOG continues processing
on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
ends without ACCEPT, DROP or REJECT happening, then when it ends
execution picks up at the next statement in order following the
jump to that chain.

Does that help?

-dsr-
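The traversal rules in the reply above (rule order, a jump to a user chain being just another rule, LOG not ending traversal, a user chain that runs out of rules returning to the rule after the jump, the built-in policy applying only when the built-in chain runs out) are easy to check with a small model. The following is an added example, not code from the thread and not iptables itself: a Python model of iptables chain traversal that loads the quoted ruleset in the order it was posted and traces the path three constructed packets take. The class and function names (Ruleset, build_poster_ruleset, tcp_flags, pkt) and the dict-based packet representation are assumptions made for the illustration.

```python
# Added example: a toy model of iptables chain traversal, not from the thread
# and not iptables itself. It encodes only the behaviour the reply describes:
# rules run in append order, -j to a user chain is just another rule, LOG is
# non-terminating, ACCEPT/DROP/REJECT end traversal, and a user chain that
# runs out of rules returns to the rule after the jump. Built-in chains that
# run out of rules apply their policy. Packets are plain dicts (a simplification).

from dataclasses import dataclass, field

TERMINAL = ("ACCEPT", "DROP", "REJECT")
SPECIAL = TERMINAL + ("LOG", "RETURN")


@dataclass
class Ruleset:
    policy: dict = field(default_factory=dict)   # built-in chain -> policy
    chains: dict = field(default_factory=dict)   # chain name -> [(match, target)]

    def new_chain(self, name, policy=None):
        """-N name, or a built-in chain with -P policy. Creates an empty list;
        nothing is 'in order' until some rule jumps here."""
        self.chains[name] = []
        if policy is not None:
            self.policy[name] = policy

    def append(self, chain, match, target):
        """-A chain [match] -j target. Like iptables, refuse a jump to a chain
        that does not exist yet; -N must come first, but the target chain may
        still be empty at this point."""
        if target not in SPECIAL and target not in self.chains:
            raise ValueError(f"no chain/target named {target}")
        self.chains[chain].append((match, target))

    def _walk(self, chain, pkt, trace, depth):
        # iptables rejects a ruleset with a jump loop when it is loaded;
        # this model just bounds the recursion.
        if depth > 8:
            raise RuntimeError("jump loop")
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue
            trace.append(f"{chain}:{target}")
            if target == "LOG":
                continue                      # log, then keep going
            if target == "RETURN":
                return None                   # back to the caller early
            if target in TERMINAL:
                return target                 # traversal ends here
            verdict = self._walk(target, pkt, trace, depth + 1)
            if verdict is not None:
                return verdict
            # user chain ran out of rules: fall through to our next rule
        return None

    def verdict(self, chain, pkt):
        """Final verdict for pkt entering built-in `chain`, plus the path of
        matched rules taken to reach it."""
        trace = []
        verdict = self._walk(chain, pkt, trace, 0)
        if verdict is None:
            verdict = self.policy[chain]
            trace.append(f"{chain}:policy {verdict}")
        return verdict, trace


def tcp_flags(*flags):
    """Model of --tcp-flags F,... F,... with the same list twice: every named
    flag must be set."""
    want = set(flags)
    return lambda p: p["proto"] == "tcp" and want <= set(p["flags"])


def build_poster_ruleset():
    """The ruleset quoted in the thread, loaded in the order it was given."""
    rs = Ruleset()
    rs.new_chain("INPUT", policy="DROP")
    rs.new_chain("FORWARD", policy="DROP")
    rs.new_chain("OUTPUT", policy="DROP")
    rs.new_chain("Block")
    rs.new_chain("Logger")
    rs.append("INPUT", lambda p: True, "Block")          # Block is still empty here
    rs.append("Block", tcp_flags("SYN", "FIN"), "Logger")
    rs.append("Logger", lambda p: True, "LOG")
    rs.append("Logger", lambda p: True, "DROP")
    rs.append("INPUT", lambda p: p["in"] == "lo", "ACCEPT")
    rs.append("OUTPUT", lambda p: p["out"] == "lo", "ACCEPT")
    return rs


def pkt(iface, *flags, proto="tcp"):
    """Constructed sample packet (not a real capture)."""
    return {"in": iface, "out": iface, "proto": proto, "flags": set(flags)}


if __name__ == "__main__":
    rs = build_poster_ruleset()
    for p in (pkt("eth0", "SYN", "FIN"), pkt("lo", "SYN"), pkt("eth0", "SYN")):
        v, path = rs.verdict("INPUT", p)
        print(f"{p['in']:5} {sorted(p['flags'])!s:16} -> {v:6} via {' -> '.join(path)}")
```

Run stand-alone, the model shows the three cases the thread is about: a SYN+FIN packet takes the full INPUT -> Block -> Logger -> LOG -> DROP path and is logged once before being dropped; a packet on lo that does not match the SYN,FIN rule falls off the end of Block, returns to INPUT, and is accepted by the lo rule even though that rule sits after the jump; and an ordinary SYN on eth0 matches nothing in Block and is dropped by the INPUT policy without any log entry. The append check also reproduces the ordering point from the first answer: a jump to Block is refused until Block has been created, but Block may be empty when the jump is added.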



Thread

Is this even POSSIBLE? linux_forum1 <linux_forum1@protonmail.com> - 2022-01-06 19:00 +0100
  Re: Is this even POSSIBLE? Dan Ritter <dsr@randomstring.org> - 2022-01-06 20:00 +0100
    Re: Is this even POSSIBLE? linux_forum1 <linux_forum1@protonmail.com> - 2022-01-06 21:20 +0100
      RE: Is this even POSSIBLE? linux_forum1 <linux_forum1@protonmail.com> - 2022-01-07 10:30 +0100
