[Bug 1122] New: --list command can be deceptive in some cases.

bugzilla-daemon at netfilter.org
Tue Feb 14 15:44:45 CET 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1122

            Bug ID: 1122
           Summary: --list command can be deceptive in some cases.
           Product: iptables
           Version: 1.4.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: p at trickslav.in

Hello,

It was a bit tricky to see that the port was actually closed in iptables, as at
first glance it appears to be open:

[root at Ping init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
(*) ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Export with iptables-save

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1341:2337120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
(*)-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

At (*) it states that the firewall is accepting from everywhere when you run
iptables --list, but you can see that this is not the case when you run
iptables-save! It shows that it is accepting all for the LOOPBACK interface,
practically the opposite of "all".

Regards,
Patrick Slavin
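
The discrepancy in the report comes from what `iptables -L` prints: without `-v` the listing has no in/out columns, so an interface-restricted rule such as `-i lo` is rendered as an ACCEPT from anywhere to anywhere; `iptables -L -v` adds those columns, and `iptables -S` prints each rule in the same form as iptables-save. As an added example that is not part of the bug report or of the iptables project, the following Python parses iptables-save output (the reporter's ruleset, reproduced inline as constructed input), renders both the plain and the verbose listing, and flags the rules whose interface qualifier the plain listing hides. The names `parse_save`, `Rule`, `list_plain`, `list_verbose` and `hidden_interface_rules` are this example's own, and the parser is a deliberate simplification that does not know the full iptables option vocabulary.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample input: the reporter's ruleset as iptables-save printed it.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1341:2337120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str = "-"
    proto: str = "all"
    src: str = "anywhere"
    dst: str = "anywhere"
    in_if: str = "any"   # -i / --in-interface  (shown by -L only with -v)
    out_if: str = "any"  # -o / --out-interface (shown by -L only with -v)
    extra: list = field(default_factory=list)  # match/target options, e.g. "state NEW"


# Core options that take exactly one argument; a preceding "!" negates them.
_ONE_ARG = {
    "-p": "proto", "--protocol": "proto",
    "-s": "src", "--source": "src",
    "-d": "dst", "--destination": "dst",
    "-i": "in_if", "--in-interface": "in_if",
    "-o": "out_if", "--out-interface": "out_if",
}


def parse_save(text):
    """Parse the -A lines of iptables-save output into Rule objects.

    Hypothetical helper, simplified: any other --option is assumed to take
    one argument unless the next token is itself an option or the line ends.
    """
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = Rule(chain=toks[1])
        i, negate = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            bang, negate = ("!" if negate else ""), False
            if tok in _ONE_ARG:
                setattr(rule, _ONE_ARG[tok], bang + toks[i + 1])
                i += 2
            elif tok in ("-j", "--jump", "-g", "--goto"):
                rule.target = toks[i + 1]
                i += 2
            elif tok in ("-m", "--match"):
                i += 2  # skip the module name; its --options follow
            elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule.extra.append(bang + tok.lstrip("-") + " " + toks[i + 1])
                i += 2
            else:
                rule.extra.append(bang + tok.lstrip("-"))
                i += 1
        rules.append(rule)
    return rules


def list_plain(rules, chain=None):
    """Approximate `iptables -L`: target/prot/opt/source/destination only."""
    return "\n".join(
        f"{r.target:<10} {r.proto:<4} --  {r.src:<20} {r.dst:<20}{' '.join(r.extra)}"
        for r in rules if chain is None or r.chain == chain)


def list_verbose(rules, chain=None):
    """Approximate `iptables -L -v` without counters: adds the in/out columns."""
    return "\n".join(
        f"{r.target:<10} {r.proto:<4} --  {r.in_if:<6} {r.out_if:<6} "
        f"{r.src:<20} {r.dst:<20}{' '.join(r.extra)}"
        for r in rules if chain is None or r.chain == chain)


def hidden_interface_rules(rules):
    """Rules whose interface restriction the plain listing does not show."""
    return [r for r in rules if r.in_if != "any" or r.out_if != "any"]


if __name__ == "__main__":
    rules = parse_save(SAMPLE_SAVE)
    print("iptables -L view:\n" + list_plain(rules, "INPUT"))
    print("\niptables -L -v view (in/out columns):\n" + list_verbose(rules, "INPUT"))
    for r in hidden_interface_rules(rules):
        print(f"\nNOTE: {r.chain} '{r.target} {r.proto}' applies only to in={r.in_if} out={r.out_if}")
```

Run as a script, the two renderings sit side by side and the loopback rule is called out; on a real host the equivalent check is `iptables -S` or `iptables -L -v -n`, which also avoids the DNS lookups that turn 0.0.0.0/0 into "anywhere".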
