
[SOLVD]questions about iptables rules for loopback interface

Posted: Apr 14th, '16, 08:53
by boombaby
Hello, Any...

I posted this in "Advanced Support" because I believe it needs an answer in a realm beyond Basic. [Not whether the question or answer is "basic", but that Expert advice is better (ie better than "not expert") on this one.]


If I setup a simple iptables firewall from common advice off the Internet (copied in various websites too) it uses a rule...

Code:
iptables -I INPUT 1 -i lo -j ACCEPT


(Alternatively, it could be -A appended.)

That rule is in the INPUT CHAIN (under a DROP Policy).

(That rule is common to many setups that I've seen.)


So, under the 3 rules setup...

A.
(List all rules; iptables man page: -S = Print the rules in a chain or all chains)

Code:
# iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP




Then if I...

B.
(List all rules (also); iptables man page: -L = List the rules in a chain or all chains)

Code:
# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



Notice:

1.
Why does the man page (essentially) indicate it will show the same thing but then produces different outputs? That is puzzling to a Viewer (me).
(That is a bugbear for man to deal with, and not really requiring an answer I suppose.)


2.
The "L" listing shows the rule: ACCEPT...all...anywhere...anywhere. Woops! Not good!

That's the result of the Loopback rule that I gave at the top of the post. It appears to be "accepting" EVERYTHING!

Now, if I remove the rule from the tables/firewall there is no APPARENT break in web use; I continue with my access. (That is, I am not blocked/hindered from doing anything - at least up till now.) [Yes; I restarted the iptables service.]

So the subsequent OBVIOUS question is, "What is the loopback rule for, exactly?".


Rather than a plain or standard response from COMMON knowledge here I would rather you test that for yourself first.

>> If the rule IS creating a "hole" then I want to know about it properly.

>> If the rule is NOT doing ANYTHING of value then it is unnecessary, is it not?

>> It may be something else. [In other words, the iptables DO work properly somehow, and - despite the above description of an anomaly - working knowledge is understood properly by advanced Users. However, it does present confusion (as described).]


(Note, if you respond you are speaking to a virtual Novice.)

Regards,

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 14th, '16, 09:11
by Bequimao
Hi,

The loopback interface is used for the process communication on your local system. If you change that, the breakdown of your system will be quite terrific! I have done that a long time ago :D

Greetings,
Bequimão

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 14th, '16, 20:31
by boombaby
Hello, Bequimao...

Note that I have not altered the loopback device in any way. I have dropped an iptables rule (which refers to the lo device).

Whether that leaves lo extremely unprotected I can't say but, according to the resultant "L" output (as described in post), leaving it "as is" seemed to open up the whole damn firewall. Taking it out seems to show better protection...
Code:
# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



Anyone?

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 14th, '16, 21:50
by doktor5000
Please next time use code tags as explained in ftp://ftp5.gwdg.de/pub/linux/mandriva/m ... e_tags.ogv

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 14th, '16, 23:08
by Bequimao
boombaby wrote:
Hello, Bequimao...

Note that I have not altered the loopback device in any way. I have dropped an iptables rule (which refers to the lo device).

...
Anyone?


Then I suggest that you save the modified rules permanently and reboot your machine. Hopefully the admins won't ban me for lifetime!
lo (abbreviation) = loopback interface, see https://en.wikipedia.org/wiki/Loopback#Virtual_loopback_interface

I have written about my little adventure, albeit in Portuguese:
Experimentando o iptables

Kind regards,
Bequimão

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 15th, '16, 11:39
by AstorBG
You couldn't think of a more stupid title for your post, could ya?

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 15th, '16, 22:23
by doktor5000
Bequimao wrote:
Hopefully the admins won't ban me for lifetime!

Why should they do so?

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 16th, '16, 07:30
by boombaby
AstorBG wrote:
You couldn't think of a more stupid title for your post, could ya?


Yes. How about "Lessons for dumbasses"? Perhaps, "Here come the clowns"? Maybe, "No matter what I say idiots abound"?

Of course, that would have been stupid - and probably would have drawn out even more (idiots).

However, if you mean could I have said, "Is this a hole in iptables?", or "It seems a loopback rule compromises the firewall?", or even "Does removing the loopback rule help secure the firewall?" - then NO, I couldn't.

To me, "There's a hole in the bucket..." - a song regularly sung by the Youth of my youth, which had endless choruses of "fixes", each fix leading to another problem, then to another fix and another problem (so creating an endless sequence of droll discussion about the problem) - seemed not only VERY DESCRIPTIVE, but also APPROPRIATE.

Still no clarity though!

Regards,

Re: There's a hole in my bucket, Dear Liza, Dear Liza...

Posted: Apr 16th, '16, 09:01
by isadora
Okay guys, discussing topic-titles is not what our forum is about.
Just to remember, it's the Mageia-forum right here, thank you.

Re: questions about iptables rules for loopback interface

Posted: Apr 25th, '16, 05:32
by boombaby
Hello, Any...

To clear up my enquiry about a "problem" with iptables.

In another forum someone showed me the command:-

iptables -L -v

which showed an expanded, "more complete" output of the iptables firewall I had used as an example.

[Someone else also gave a pretty good explanation of whether the loopback security is actually needed (or perhaps might be refined).]

I still believe that (as mentioned in my first post) the > man < page ought to be modified to express things better - especially for an occasional encounter by a Newbie (ie "EVERY" Newbie).

Nevertheless, I am satisfied enough to call this matter closed.

Regards,
aka boombaby
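As an added example (not code from any poster in this thread), a small Python audit of `iptables -S` output that shows the point resolved above: plain `iptables -L` leaves out the interface column that `iptables -L -v` adds, so `-A INPUT -i lo -j ACCEPT` prints as "ACCEPT all -- anywhere anywhere" even though it only matches loopback traffic. The script separates such interface-only rules from genuinely unconditional ones; the sample rule set is constructed from the thread's three INPUT rules plus an assumed open `-A INPUT -j ACCEPT` for contrast.

```python
"""Classify `iptables -S` rules by what plain `iptables -L` hides: -L omits
the -i/-o interface column (only `iptables -L -v` shows it), so the rule
`-A INPUT -i lo -j ACCEPT` prints as "ACCEPT all -- anywhere anywhere"
and looks unconditional even though it matches loopback traffic only."""
import shlex

# Constructed sample: the thread's three INPUT rules plus one genuinely
# open rule (the last line is an assumption added to show the contrast).
SAMPLE_S_OUTPUT = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j ACCEPT
"""

def classify(line):
    """Return what one `-A CHAIN ...` rule really matches, or None if not a rule."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    ifaces, other, negate, i = [], [], "", 2
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # negation applies to the next option
            negate, i = "!", i + 1
            continue
        if t == "-j":                     # in -S output the target comes last
            break
        if t in ("-i", "-o", "--in-interface", "--out-interface"):
            ifaces.append(f"{negate}{t} {toks[i + 1]}")   # hidden by plain -L
            i += 2
        else:                             # -p, -s/-d, -m matches: shown by -L
            other.append(negate + t)
            i += 1
        negate = ""
    if other:
        return "restricted (match criteria visible in plain -L)"
    if ifaces:
        return "restricted by interface only (invisible in plain -L; use -L -v)"
    return "UNCONDITIONAL"

def audit(s_output):
    """Map every -A rule in `iptables -S` output to its classification."""
    return {ln: classify(ln) for ln in s_output.splitlines() if ln.startswith("-A")}

if __name__ == "__main__":
    for rule, verdict in audit(SAMPLE_S_OUTPUT).items():
        print(f"{verdict:68} {rule}")
```

Feeding the script the live output of `iptables -S` instead of the sample gives the same verdicts for a real rule set; only a rule reported as UNCONDITIONAL actually accepts everything.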

Re: questions about iptables rules for loopback interface

Posted: Apr 25th, '16, 23:45
by doktor5000
boombaby wrote:
I still believe that (as mentioned in my first post) the > man < page ought to be modified to express things better - especially for an occasional encounter by a Newbie (ie "EVERY" Newbie).

Feel free to ask that upstream, as we don't create that manpage, we only ship it in our packages.