Re: Setting a default policy does not work :(

On Tue, 2003-12-02 at 17:33, Michael Gale wrote:
> Hello,
> 
> 	I have a firewall with multiple interfaces. When I try to set a default policy it does not work. I believe this is a problem with netfilter and multiple interfaces.
> 
> Example:
> 
> Inserting the following to the bottom of my firewall script:
> 
> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
> 
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
> 
I use
iptables -P INPUT DROP
instead and it works fine for me.
iptables 1.2.7a, kernel 2.4.20, SuSE 8.2

> ### Causes all traffic to or from the box on either interface to be dropped regardless of all other rules.
> 
> iptables -A INPUT -j DROP
> iptables -A OUTPUT -j DROP
> iptables -A FORWARD -j DROP
> 
> ### But when adding:
> 
> iptables -A INPUT -i $EXT_FACE -j DROP
> iptables -A INPUT -i $INT_FACE -j DROP
> iptables -A OUTPUT -o $EXT_FACE -j DROP
> iptables -A OUTPUT -o $INT_FACE -j DROP
> iptables -A FORWARD -i $EXT_FACE -j DROP
> iptables -A FORWARD -i $INT_FACE -j DROP
> 
> The firewall rules behave as they should: only traffic that matches the rules is allowed, and the default policy is now DROP, based on the rules.
> 
> I believe the problem is caused by having multiple interfaces -- if you only have 1 interface then the default policy is applied to this interface. But if you have multiple network cards, any rule or policy that does not specify a network interface becomes a global rule, as in (iptables -A INPUT -j DROP), and takes effect before any other rules that are based upon a network interface.
> 
> 
> So if you have these two rules in your firewall script:
> iptables -A INPUT -i $EXT_FACE -j ACCEPT
> iptables -A INPUT -j DROP
> 
> Even though the first rule is to accept all traffic, everything would be denied, because the second rule becomes like a global policy since no interface is associated with it, and it actually gets checked before the packet can make it to the second rule.
-- 
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
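
Added example, not part of the thread and not iptables itself: a small Python model of how a netfilter chain is traversed. Rules are checked in the order they were appended, the first rule whose matches all succeed decides the packet, and the chain policy (`iptables -P`) is consulted only when no rule matched. The interfaces (eth0, eth1, lo), the single ssh ACCEPT rule and the sample packets are constructed for the example. It shows that `-P INPUT DROP` and a trailing `-A INPUT -j DROP` give identical verdicts, that a bare DROP appended after an interface-specific ACCEPT does not pre-empt it, and the one thing the per-interface DROP rules in the thread leave open: traffic on an interface they do not name, loopback in particular, falls through to the chain's policy, which is ACCEPT unless it was changed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed packets: the interface each one arrived on and its destination port.
PACKETS = {
    "ssh_on_ext":  {"in": "eth0", "dport": 22},
    "http_on_ext": {"in": "eth0", "dport": 80},
    "smb_on_int":  {"in": "eth1", "dport": 445},
    "dns_on_lo":   {"in": "lo",   "dport": 53},
}


@dataclass
class Rule:
    target: str                       # -j ACCEPT or -j DROP
    in_iface: Optional[str] = None    # -i IFACE; None means no interface match at all
    dport: Optional[int] = None       # --dport PORT; None means any port

    def matches(self, pkt: Dict[str, object]) -> bool:
        # Every match the rule carries must succeed; an absent match means "any".
        if self.in_iface is not None and pkt["in"] != self.in_iface:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"            # built-in chains start with policy ACCEPT
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A CHAIN ...
        self.rules.append(rule)

    def set_policy(self, target: str) -> None:   # iptables -P CHAIN TARGET
        self.policy = target

    def verdict(self, pkt: Dict[str, object]) -> str:
        # First matching rule wins; the policy applies only when nothing matched.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_input_chain(variant: str) -> Chain:
    """INPUT chain with one ACCEPT rule (ssh on eth0), closed off one of three ways."""
    chain = Chain()
    chain.append(Rule("ACCEPT", in_iface="eth0", dport=22))
    if variant == "policy":               # iptables -P INPUT DROP
        chain.set_policy("DROP")
    elif variant == "bare_drop":          # iptables -A INPUT -j DROP
        chain.append(Rule("DROP"))
    elif variant == "per_iface_drop":     # -A INPUT -i eth0 -j DROP; -A INPUT -i eth1 -j DROP
        chain.append(Rule("DROP", in_iface="eth0"))
        chain.append(Rule("DROP", in_iface="eth1"))
    else:
        raise ValueError(variant)
    return chain


def verdicts(variant: str) -> Dict[str, str]:
    """Verdict for every constructed packet under the given way of closing the chain."""
    chain = build_input_chain(variant)
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


def accept_then_bare_drop() -> str:
    """-A INPUT -i eth0 -j ACCEPT followed by -A INPUT -j DROP, for a packet on eth0."""
    chain = Chain()
    chain.append(Rule("ACCEPT", in_iface="eth0"))
    chain.append(Rule("DROP"))
    return chain.verdict(PACKETS["http_on_ext"])


if __name__ == "__main__":
    for variant in ("policy", "bare_drop", "per_iface_drop"):
        print(f"{variant:15s} {verdicts(variant)}")
    print("eth0 ACCEPT then bare DROP ->", accept_then_bare_drop())
```

In a real script the safe order is the reverse of the thread's: set `-P INPUT DROP` (and OUTPUT, FORWARD) first, flush, add `-A INPUT -i lo -j ACCEPT` and the other ACCEPT rules, so the host is never open while the script is still running and loopback traffic is accepted explicitly rather than by the accident of an unnamed interface.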
