Mailing List Archive: iptables: User

REJECT target not as policy


lists at bertram-scharpf

Aug 20, 2007, 6:52 AM

Post #1 of 8 (1985 views)
REJECT target not as policy

Hi,


on one of my machines the REJECT target doesn't behave as I
expect. It is inserted into a chain but it is not accepted
as a policy.

myhost ~ # iptables -L
Chain INPUT (policy DROP 2 packets, 116 bytes)
pkts bytes target prot opt in out source destination
...
0 0 REJECT tcp -- any any anywhere anywhere ...
...

But:

myhost ~ # iptables -v -t filter -P INPUT REJECT
iptables: Bad policy name


How come? I guess it is a kernel option I have to
change. But which?

Thanks in advance,

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de


r.laban at ism

Aug 20, 2007, 7:08 AM

Post #2 of 8 (1896 views)
Re: REJECT target not as policy [In reply to]

On Monday 20 August 2007, Bertram Scharpf wrote:
> on one of my machines the REJECT target doesn't behave as I
> expect. It is inserted into a chain but it is not accepted
> as a policy.
>
> myhost ~ # iptables -L
> Chain INPUT (policy DROP 2 packets, 116 bytes)
> pkts bytes target prot opt in out source
> destination ...
> 0 0 REJECT tcp -- any any anywhere
> anywhere ... ...
>
> But:
>
> myhost ~ # iptables -v -t filter -P INPUT REJECT
> iptables: Bad policy name
>
>
> How come? I guess it is a kernel option I have to
> change. But which?

The REJECT target is only valid when either the tcp or udp module is loaded.
Hence it cannot be used as a policy.

HTH
--
Ruben


pascal.mail at plouf

Aug 20, 2007, 8:52 AM

Post #3 of 8 (1906 views)
Re: REJECT target not as policy [In reply to]

Hello,

Ruben Laban wrote:
> On Monday 20 August 2007, Bertram Scharpf wrote:
>
>> on one of my machines the REJECT target doesn't behave as I
>> expect. It is inserted into a chain but it is not accepted
>> as a policy.

It behaves as expected. REJECT is an extension, not a built-in target,
and cannot be used as a policy. Check man iptables.

> The REJECT target is only valid when either the tcp or udp module is loaded.

AFAIK, REJECT is not dependent on tcp or udp and can be used with any
protocol. Only the "--reject-with tcp-reset" option can be used only
with tcp.


lists at bertram-scharpf

Aug 20, 2007, 10:46 AM

Post #4 of 8 (1889 views)
Re: REJECT target not as policy [In reply to]

Hi,

On Monday, 20 Aug 2007, 17:52:02 +0200, Pascal Hambourg wrote:
> Ruben Laban wrote:
>> On Monday 20 August 2007, Bertram Scharpf wrote:
>>> on one of my machines the REJECT target doesn't behave as I
>>> expect. It is inserted into a chain but it is not accepted
>>> as a policy.
>
> It behaves as expected. REJECT is an extension, not a built-in target, and
> cannot be used as a policy. Check man iptables.

I wrote "as _I_ expect". Obviously I expected wrong. Now, I
found it in the manpage.

On another list I was told it was a good idea to set
REJECT as policy. I'm so glad that I asked here. Thank you.

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de


pascal.mail at plouf

Aug 20, 2007, 11:43 AM

Post #5 of 8 (1897 views)
Re: REJECT target not as policy [In reply to]

Bertram Scharpf wrote:
>
> On another list I was told it was a good idea to set
> REJECT as policy.

It could be a good idea if it was possible. Maybe the person who told you
mixed up iptables and ipchains, its "predecessor" for 2.2 kernels. IIRC
ipchains allowed REJECT as a policy.


rob at sterenborg

Aug 20, 2007, 12:11 PM

Post #6 of 8 (1891 views)
RE: REJECT target not as policy [In reply to]

>> On another list I was told it was a good idea to set
>> REJECT as policy.
>
> It could be a good idea if it was possible. Maybe the person who told
> you mixed up iptables and ipchains, its "predecessor" for 2.2
> kernels. IIRC ipchains allowed REJECT as a policy.

You could emulate a REJECT policy by having these as the very last rules:

$ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -A INPUT -j REJECT

(I thought it was like this..)
But, if you dynamically add rules then you have to take care of at/from
which position you insert/delete them.


pascal.mail at plouf

Aug 20, 2007, 1:27 PM

Post #7 of 8 (1894 views)
Re: REJECT target not as policy [In reply to]

Rob Sterenborg wrote:
>
> You could emulate a REJECT policy by having this as the very last rules:
>
> $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> $ipt -A INPUT -j REJECT
>
> (I thought it was like this..)

What was like what?

> But, if you dynamically add rules then you have to take care of at/from
> which position you insert/delete them.

A user-defined chain comes in handy. Jump into it before the REJECT
rules and add the dynamic rules in it.

iptables -N input
iptables -A INPUT -j input
iptables -A INPUT -j REJECT

iptables -A input blah...
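
Putting Rob's trailing REJECT rules and Pascal's user-defined chain together, here is an added example that is not code from the thread: a POSIX sh script that generates an iptables-restore ruleset emulating a REJECT "policy" for INPUT, keeps dynamically managed rules in their own chain so their position never collides with the final REJECT rules, and checks the ordering before the file is loaded. The chain name dyn_input, the loopback and conntrack ACCEPT rules, and port 22 are assumptions chosen for illustration. The built-in policy is left at DROP on purpose: if the ruleset is ever flushed or a restore fails halfway, the chain falls back to the kernel's real policy and still fails closed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds an iptables-restore
# file that emulates "policy REJECT" on INPUT with two trailing REJECT rules,
# and keeps dynamic rules in a user-defined chain (name "dyn_input" assumed).

# Emit the complete ruleset to stdout. The ACCEPT rules for lo and for
# established/related traffic are assumed placeholders for a real host's rules.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:dyn_input - [0:0]
# Static rules that belong before the dynamic chain (assumed examples).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Jump into the user-defined chain; rules are added/removed there, so their
# position relative to the trailing REJECT rules never matters.
-A INPUT -j dyn_input
# Emulated REJECT "policy": closed TCP ports answer with a RST, everything
# else gets icmp-port-unreachable, REJECT's default. Real policy stays DROP.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT
COMMIT
EOF
}

# Print the command that opens a TCP port at run time by appending to the
# user-defined chain instead of inserting into INPUT at a guessed position.
# Example: dyn_rule 22 -> "iptables -A dyn_input -p tcp --dport 22 -j ACCEPT"
dyn_rule() {
    printf 'iptables -A dyn_input -p tcp --dport %s -j ACCEPT\n' "$1"
}

# Sanity check before loading: the jump to dyn_input must come before the
# first REJECT rule, and the catch-all REJECT must be the very last INPUT rule.
# Returns 0 when the ordering holds, 1 otherwise.
check_order() {
    rules=$(build_ruleset | grep '^-A INPUT ')
    jump_line=$(printf '%s\n' "$rules" | grep -n -- '-j dyn_input' | cut -d: -f1)
    first_reject=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    last_rule=$(printf '%s\n' "$rules" | tail -n 1)
    [ -n "$jump_line" ] && [ -n "$first_reject" ] \
        && [ "$jump_line" -lt "$first_reject" ] \
        && [ "$last_rule" = "-A INPUT -j REJECT" ]
}

# Usage: verify the ordering, then print the ruleset for iptables-restore.
check_order && build_ruleset
```

To apply it on a host, redirect the output to a file and load it with `iptables-restore < rules.v4` (root required), then add run-time exceptions with the command `dyn_rule` prints; deleting them later is a plain `iptables -D dyn_input ...` with no rule numbers to track.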


rob at sterenborg

Aug 20, 2007, 10:26 PM

Post #8 of 8 (1885 views)
RE: REJECT target not as policy [In reply to]

>> You could emulate a REJECT policy by having this as the very last
>> rules:
>>
>> $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>> $ipt -A INPUT -j REJECT
>>
>> (I thought it was like this..)
>
> What was like what ?

Emulating a REJECT policy. If I'm not mistaken a closed tcp port
responds with tcp-reset and others with icmp-port-unreachable (REJECT's
default).
If the OP was told to set a REJECT policy, I think it would have been
with this in mind.

>> But, if you dynamically add rules then you have to take care of
>> at/from which position you insert/delete them.
>
> A user-defined chain comes in handy. Jump into it before the REJECT
> rules and add the dynamic rules in it.
>
> iptables -N input
> iptables -A INPUT -j input
> iptables -A INPUT -j REJECT
>
> iptables -A input blah...

Yes, that's how I would do it.
