iptables: implicit versus explicit packet filtering
Wayne
29-10-2005, 12:16 PM
By default the policy for INPUT/OUTPUT is set to drop connections, and
this works fine especially when performing MASQ operations.
However, any attempt to explicitly DROP based on transport protocol
results in the packet filtering becoming a solid brick wall, not letting
anything in, including any packets in response to requests.
IIRC, the way to do this was to DROP the traffic, but then create rules
based on the source ports that allowed the traffic through such as:
ports 80, 25, 110 etc
I do not mind having the default policy set, but I was looking at
logging the traffic.
Has anyone got any advice?
Aussie Fred
29-10-2005, 12:32 PM
Wayne wrote:
> By default the policy for INPUT/OUTPUT is set to drop connections, and
> this works fine especially when performing MASQ operations.
>
> However, any attempt to explicitly DROP based on transport protocol
> results in the packet filtering becoming a solid brick wall, not letting
> anything in, including any packets in response to requests.
If you have your DROP rule before anything else it will drop the packet
before any other tests are made. My understanding is that iptables tests
the rules in the order you have them entered until it finds a match. If it
finds a match it will carry out the instructions for that match. If it
does not find a match it will use the default policy to decide what to do
with the packet.
> IIRC, the way to do this was to DROP the traffic, but then create rules
> based on the source ports that allowed the traffic through such as:
> ports 80, 25, 110 etc
>
> I do not mind having the default policy set, but I was looking at
> logging the traffic.
>
> Has anyone got any advice?
Put the established, related rule (and all other rules that allow traffic)
before the explicit drop-and-log rule.
(i.e. move the explicit drop rule to the end of the chain)
Grant
29-10-2005, 02:36 PM
On Fri, 28 Oct 2005 22:32:03 GMT, Aussie Fred <fred012@hotmail.com> wrote:
>
>Put the established, related rule
first
> (and all other rules that allow traffic)
next
>before the explicit drop-and-log rule.
And you don't need explicit DROP, just accept what traffic you want
to handle :)
Another thing: it's a good idea to rate-limit logging. Do you really want to
know _every_ dropped packet?
Example:
2755 688K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
limit: avg 12/min burst 6 LOG flags 0 level 6 prefix `InpDrop: '
2781 691K ireject all -- * * 0.0.0.0/0 0.0.0.0/0
I get most unwanted packets logged.
Grant.
Wayne
29-10-2005, 03:07 PM
Aussie Fred wrote:
> Wayne wrote:
>
>
>>By default the policy for INPUT/OUTPUT is set to drop connections, and
>>this works fine especially when performing MASQ operations.
>>
>>However, any attempt to explicitly DROP based on transport protocol
>>results in the packet filtering becoming a solid brick wall, not letting
>>anything in, including any packets in response to requests.
>
>
> If you have your DROP rule before anything else it will drop the packet
> before any other tests are made. My understanding is that iptables tests
> the rules in the order you have them entered until it finds a match. If it
> finds a match it will carry out the instructions for that match. If it
> does not find a match it will use the default policy to decide what to do
> with the packet.
I got a little confused with ipfilters, not sure if it still does, but
it would process each rule regardless of match and execute them as it
goes through.
So if you were blocking all inbound TCP connections, but later opened up
a TCP port, it would execute each of those in order.
>
>>IIRC, the way to do this was to DROP the traffic, but then create rules
>>based on the source ports that allowed the traffic through such as:
>>ports 80, 25, 110 etc
>>
>>I do not mind having the default policy set, but I was looking at
>>logging the traffic.
>>
>>Has anyone got any advice?
>
>
> Put the established, related rule (and all other rules that allow traffic)
> before the explicit drop-and-log rule.
>
> (i.e. move the explicit drop rule to the end of the chain)
>
OK. I will do that.
Thanks
Grant
29-10-2005, 03:56 PM
On Sat, 29 Oct 2005 11:07:16 +1000, Wayne <w4rpk3z@6m41l.c0m> wrote:
>I got a little confused with ipfilters, not sure if it still does, but
>it would process each rule regardless of match and execute them as it
>goes through.
>
>So if you were blocking all inbound TCP connections, but later opened up
>a TCP port, it would execute each of those in order.
Muddy thinking, once a packet hits a terminating condition (DROP or
ACCEPT) that's it for the particular packet, 'tis gone, dealt with,
finito, kaput! :o)
Why they call 'em chains, y'know.
man iptables
see also: ipfilter.org for many tutorials, not rocket science.
Grant.
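Added example, not from any poster in this thread: a small Python model of how an iptables chain is walked, to show Aussie Fred's ordering advice, Grant's rate-limited LOG, and Grant's point that the first terminating match (ACCEPT or DROP) ends the walk while LOG does not. The Rule fields, the two packets, and the "limit" bucket (burst only, no refill) are constructed here for illustration.

```python
# Constructed model of iptables chain traversal: rules are tested in order,
# the first ACCEPT/DROP match decides the packet, LOG is non-terminating,
# and the chain's default policy applies if nothing matched.
from dataclasses import dataclass

@dataclass
class Rule:
    target: str              # ACCEPT, DROP, or LOG (LOG is non-terminating)
    proto: str = None        # -p
    dport: int = None        # --dport
    state: str = None        # -m state --state
    burst: int = 0           # -m limit --limit-burst, only used by LOG rules

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto) and
                (self.dport is None or pkt["dport"] == self.dport) and
                (self.state is None or pkt["state"] == self.state))

def walk_chain(rules, pkt, log, policy="DROP"):
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.target == "LOG":            # note the packet and keep walking
            if r.burst > 0:              # limit match fails once burst is used up
                r.burst -= 1
                log.append(pkt)
            continue
        return r.target                  # ACCEPT/DROP: packet is dealt with here
    return policy

# Constructed packets: a reply to our own outbound request (conntrack says
# ESTABLISHED) and an unsolicited inbound telnet probe.
reply = {"proto": "tcp", "dport": 40123, "state": "ESTABLISHED"}
probe = {"proto": "tcp", "dport": 23, "state": "NEW"}

wayne_chain = [Rule("DROP", proto="tcp"), Rule("ACCEPT", state="ESTABLISHED")]
fred_chain = [Rule("ACCEPT", state="ESTABLISHED"),      # established/related first
              Rule("ACCEPT", proto="tcp", dport=80),    # then the allow rules
              Rule("LOG", burst=6),                     # rate-limited LOG (Grant)
              Rule("DROP")]                             # explicit drop last

def verdicts():
    logged = []
    out = {"wayne_reply": walk_chain(wayne_chain, reply, logged),
           "fred_reply": walk_chain(fred_chain, reply, logged),
           "fred_probe": walk_chain(fred_chain, probe, logged)}
    for _ in range(20):                  # 20 more probes: only 5 more get logged
        walk_chain(fred_chain, probe, logged)
    out["logged"] = len(logged)
    return out
```

With the DROP-tcp rule first, the reply to our own request is dropped (the "brick wall"); with the established rule and allow rules first, replies pass, the probe is dropped, and the LOG rule stops logging once its burst is spent.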