iptables Confusion
Post 302911746 by knightfirefx in IP Networking on Saturday 2nd of August 2014 06:03:06 PM

Hi all,

I am looking to get a few questions answered but I am having trouble finding an answer to these specific questions online.

1. Order of operations: There are plenty of fancy diagrams online that illustrate the order of operations for IPTables (Raw before Mangle for example), but what I cannot find an answer to is this: if, for example, the MANGLE PREROUTING chain had a rule to ACCEPT packets destined to 4.2.2.2, would the packet still be subject to the remaining tables? I.e., would that packet then be examined by the NAT table, then the filter table, and their set of chains and rules? Or once an accept/permit is determined, is the packet good to go and no longer subject to further processing?

2. I am used to Vendor-based Firewall solutions such as Cisco, FortiGate, Palo Alto and such. All of these Firewalls have an IMPLICIT deny, but as far as I can tell, IPTables does not - is this correct? It looks as though an Implicit ACCEPT is the norm.

Thank you for your time!

Kyle
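Added example (not part of this thread and not code from any project it mentions): a POSIX shell/awk audit of an iptables-save dump that lists the built-in filter chains which are effectively wide open, that is, policy ACCEPT with no catch-all DROP/REJECT rule, and emits the iptables -P commands that would give them the implicit deny the post asks about. The dump is a constructed sample; the mangle rule in it illustrates that an ACCEPT there only ends traversal of that one chain, the packet still goes through the nat and filter tables.

```shell
#!/bin/sh
# Constructed iptables-save dump (sample data, not taken from a real host).
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# This ACCEPT only ends traversal of mangle PREROUTING; the packet still passes nat and filter.
-A PREROUTING -d 4.2.2.2/32 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH_IN
-A FORWARD -j DROP
-A SSH_IN -s 192.0.2.0/24 -j ACCEPT
COMMIT'

# Reads an iptables-save dump on stdin and prints the built-in filter chains that are
# effectively open: policy ACCEPT and no catch-all DROP/REJECT rule anywhere in the chain.
list_open_filter_chains() {
    awk '
    /^#/ || /^$/ { next }
    /^\*/ { table = substr($1, 2); next }          # "*filter", "*mangle", ...
    table != "filter" { next }
    /^:/ {                                          # ":CHAIN POLICY [pkts:bytes]"
        if ($2 != "-") { policy[substr($1, 2)] = $2; order[++n] = substr($1, 2) }
        next                                        # user-defined chains have policy "-"
    }
    /^-A / {
        # iptables-save lists match options before -j, so a rule whose third field
        # is -j has no match criteria at all: it applies to every remaining packet.
        if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall[$2] = 1
        next
    }
    /^COMMIT/ {
        for (i = 1; i <= n; i++)
            if (policy[order[i]] == "ACCEPT" && !catchall[order[i]]) print order[i]
        exit
    }'
}

# Emits the policy changes that give each open chain an implicit deny.
suggest_default_drop() {
    list_open_filter_chains | sed 's/^/iptables -P /; s/$/ DROP/'
}

printf '%s\n' "$SAMPLE_DUMP" | suggest_default_drop
```

On a real host, pipe the output of iptables-save (or ip6tables-save) into list_open_filter_chains instead of the sample.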
IPTables::Parse(3pm)          User Contributed Perl Documentation          IPTables::Parse(3pm)

NAME
    IPTables::Parse - Perl extension for parsing iptables and ip6tables policies

SYNOPSIS
    use IPTables::Parse;

    my $ipt_bin = '/sbin/iptables';   # can set this to /sbin/ip6tables

    my %opts = (
        'iptables' => $ipt_bin,
        'iptout'   => '/tmp/iptables.out',
        'ipterr'   => '/tmp/iptables.err',
        'debug'    => 0,
        'verbose'  => 0
    );

    my $ipt_obj = IPTables::Parse->new(%opts)
        or die "[*] Could not acquire IPTables::Parse object";

    my $table = 'filter';
    my $chain = 'INPUT';
    my ($ipt_hr, $rv);   # protocol hash ref and parse status, filled by each call below

    ($ipt_hr, $rv) = $ipt_obj->default_drop($table, $chain);
    if ($rv) {
        if (defined $ipt_hr->{'all'}) {
            print "The INPUT chain has a default DROP rule for all protocols.\n";
        } else {
            for my $proto (qw/tcp udp icmp/) {
                if (defined $ipt_hr->{$proto}) {
                    print "The INPUT chain drops $proto by default.\n";
                }
            }
        }
    } else {
        print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
    }

    ($ipt_hr, $rv) = $ipt_obj->default_log($table, $chain);
    if ($rv) {
        if (defined $ipt_hr->{'all'}) {
            print "The INPUT chain has a default LOG rule for all protocols.\n";
        } else {
            for my $proto (qw/tcp udp icmp/) {
                if (defined $ipt_hr->{$proto}) {
                    print "The INPUT chain logs $proto by default.\n";
                }
            }
        }
    } else {
        print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
    }

DESCRIPTION
    The "IPTables::Parse" package provides an interface to parse iptables or ip6tables rules on Linux systems, either through the direct execution of iptables/ip6tables commands or by parsing a file that contains an iptables/ip6tables policy listing. You can get the current policy applied to a table/chain, look for a specific user-defined chain, check for a default DROP policy, or determine whether or not logging rules exist.

FUNCTIONS
    The IPTables::Parse extension provides an object interface to the following functions:

    chain_policy($table, $chain)
        This function returns the policy (e.g. 'DROP', 'ACCEPT', etc.) for the specified table and chain:

            print "INPUT policy: ", $ipt_obj->chain_policy('filter', 'INPUT'), "\n";

    chain_rules($table, $chain)
        This function parses the specified chain and table and returns an array reference for all rules in the chain. Each element in the array reference is a hash with the following keys (which contain values depending on the rule): "src", "dst", "protocol", "s_port", "d_port", "target", "packets", "bytes", "intf_in", "intf_out", "to_ip", "to_port", "state", "raw", and "extended". The "extended" element contains the rule output past the protocol information, and the "raw" element contains the complete rule itself as reported by iptables or ip6tables.

    default_drop($table, $chain)
        This function parses the running iptables or ip6tables policy in order to determine if the specified chain contains a default DROP rule. Two values are returned: a hash reference whose keys are the protocols that are dropped by default if a global ACCEPT rule has not accepted matching packets first, along with a return value that tells the caller whether parsing the iptables or ip6tables policy was successful. Note that if all protocols are dropped by default, then the hash key 'all' will be defined.

            ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');

    default_log($table, $chain)
        This function parses the running iptables or ip6tables policy in order to determine if the specified chain contains a default LOG rule. Two values are returned: a hash reference whose keys are the protocols that are logged by default if a global ACCEPT rule has not accepted matching packets first, along with a return value that tells the caller whether parsing the iptables or ip6tables policy was successful. Note that if all protocols are logged by default, then the hash key 'all' will be defined.

        An example invocation is:

            ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');

AUTHOR
    Michael Rash, <mbr@cipherdyne.org>

SEE ALSO
    IPTables::Parse is used by the IPTables::ChainMgr extension in support of the psad and fwsnort projects to parse iptables or ip6tables policies (see the psad(8) and fwsnort(8) man pages). As always, the iptables(8) and ip6tables(8) man pages provide the best information on command line execution and the theory behind iptables and ip6tables.

    Although there is no mailing list devoted specifically to the IPTables::Parse extension, questions about the extension will be answered on the following lists:

        The psad mailing list:    http://lists.sourceforge.net/lists/listinfo/psad-discuss
        The fwsnort mailing list: http://lists.sourceforge.net/lists/listinfo/fwsnort-discuss

    The latest version of the IPTables::Parse extension can be found on CPAN and also here:

        http://www.cipherdyne.org/modules/

    Source control is provided by git:

        http://www.cipherdyne.org/git/IPTables-Parse.git
        http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=IPTables-Parse.git;a=summary

CREDITS
    Thanks to the following people:

        Franck Joncourt <franck.mail@dthconnex.com>
        Grant Ferley

AUTHOR
    The IPTables::Parse extension was written by Michael Rash <mbr@cipherdyne.org> to support the psad and fwsnort projects. Please send email to this address if there are any questions, comments, or bug reports.

COPYRIGHT AND LICENSE
    Copyright (C) 2005-2012 Michael Rash. All rights reserved.

    This module is free software. You can redistribute it and/or modify it under the terms of the Artistic License 2.0. More information can be found here: http://www.perl.com/perl/misc/Artistic.html

    This program is distributed "as is" in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

perl v5.14.2                                2012-03-05                        IPTables::Parse(3pm)