questions about iptables rules for loopback interface

Discussion in 'other firewalls' started by boombaby, Apr 20, 2016.

  1. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Hello, Any...

    Recently I asked a "security" question in the "advanced" section of a Linux forum. For all intents and purposes, I am a linux Newbie. (I have used Linux on-and-off for a long while but only at the GUI level, not in Command Line Interface CLI.)

    As you will see I thought that...
    (a.) the (question) detail was pretty important, perhaps profoundly so (ie not me, the detail), and
    (b.) needed a response, and
    (c.) might therein elicit discussion.

    Apparently, I was wrong on at least two of those - (b.) and (c.)

    However, if I am completely wrong about the detail then I guess I would be wrong on ALL THREE of those assumptions, and that might explain things.

    So, in a larger "place" (ie wilderssecurity.com) let's see if the stuff is as important as I think it is. Here we go...


    ***** EXTRACT

    If I setup a simple iptables firewall from common advice off the Internet (copied in various websites too) it uses a rule...

    iptables -I INPUT 1 -i lo -j ACCEPT

    (Alternatively, it could be -A appended.)

    That rule is in the INPUT CHAIN (under a DROP Policy).

    [That rule is common to many setups that I've seen.]


    So, under the 3-rules setup...

    A.
    (List all rules - iptables man page:- S = Print the rules in a chain or all chains)

    # iptables -S

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP




    Then if I...

    B.
    (List all rules - (also) iptables man page:- L = List the rules in a chain or all chains)

    # iptables -L

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere             ctstate INVALID

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination



    Notice:

    1.
    Why does the man page (essentially) indicate it will show the same thing but then produces different outputs? That is puzzling to a Viewer (me).
    (That is a bugbear for man to deal with, and not really requiring an answer I suppose.)


    2.
    The "L" listing shows the rule: "ACCEPT...all...anywhere...anywhere". Woops! Not good!
    That's the result of the Loopback rule that I gave at the top of the post. It appears to be "accepting" EVERYTHING!


    Now, if I remove the rule from the tables/firewall there is no APPARENT break in web use; I continue with my access. (That is, I am not blocked/hindered from doing anything - at least up till now.) [Yes; I restarted the iptables service.]

    So the subsequent OBVIOUS question is, "What is the loopback rule for, exactly?".


    Rather than a plain or standard response from COMMON knowledge here I would rather you test that for yourself first.

    >> If the rule IS creating a "hole" then I want to know about it properly.

    >> If the rule is NOT doing ANYTHING of value then it is unnecessary, is it not?

    >> It may be something else. [In other words, the iptables DO work properly somehow, and - despite the above description of an anomaly - working knowledge is understood properly by advanced Users. However, it does present confusion (as described).]


    (Note, if you respond you are speaking to a virtual Novice.)

    .
    ************** ENDS


    Well, that's it. Anyone?

    Regards,
    aka, boombaby
     
  2. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    If you don't know what the loopback is, iptables is not for you; stop the game!... Use Gufw.

    A computer needs to connect to itself to run applications; the loopback is always in the LAN, you must accept 127.0.0.1 to 127.0.0.1.
     
  3. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Thanks, Boblvf.

    What you've done is exactly what happened in that other place (that I told you about) which had one and only response.

    Read the post again. I am NOT altering the "loopback device". (Unless of course you want it routed directly your way.) What I said was, the RULE regarding the loopback device seemed to open the firewall (as explained). I simply dropped THE RULE (repeat THE RULE) which seemed to give the (better) result on inspection of cmd output. Got that?

    I have asked for someone to explain why the output generated implies the firewall is "open". (If you don't understand that then leave it for someone else.)

    (P.S. If you think this is a game then you probably should be interacting in a "gaming" forum.)


    Anyone (else)?
     
  4. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    " the RULE regarding the loopback device seemed to open the firewall (as explained). "

    Open... in the LAN, ok? Play Tetris, it's better.
     
  5. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Sorry, Boblvf...

    Not something that I can understand.

    Anyone else?
     
  6. @boombaby

    Setting up IPtables as a Virtual Novice (as you qualify yourself) is like signing up for a K1 fight after your first Karate class. What is wrong with Gufw? It has a GUI and is intended for enthusiasts starting with limited firewall knowledge. Start making your rules in simple mode. When you advance in knowledge, refine them with the advanced mode. When you know the ins and outs of a firewall, switch to iptables. It is hard to jump from the cellar (basement) to the ceiling (attic), as we say in Dutch.

     
  7. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Hello, Windows_Security...

    Thanks, but... ...that is not an explanation.

    That does not explain the anomaly discussed (as output produced by CLI as instructed usage). It is just newbie bashing. **** There are plenty of Linophiles out there who say: "Don't do it by a GUI; do it by learning how to use "iptables" ".

    NEXT!
     
  8. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141


    No GUI...
     
    Last edited by a moderator: Apr 21, 2016
  9. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Boblvf,

    NOT an explanation.

    Here's an explanation: If I had a dollar for every smarty-pants I met I would be very rich.

    Keep your screens full of output (suffixed with 2 "S.P." words at the end) out of the way for now. It's meaningless. Got it?


    et al...

    AGAIN - FOR CLARITY...

    I gave 3 rules defining "a BASIC firewall" - as colloquially stated by quite a few Internet sites. The reporting about that firewall (ie the rules) - as per "the Manual" - is NOT what is expected (on the face of it). In fact, it is concerning (because it defines "hole"). In other words the actual report wording does NOT imply "firewall".

    I remove 1 rule. The report from that setup SEEMS better (because it shows "no holes", AND defines "a controlled wall") - ACCORDING TO THE RULE-BOOK (ie the Manual, and using std CLI).

    So the point in question (of course) is "THE LOOPBACK RULE" - purpose, definition, "fit", result, etc.

    Now - to me - THAT issue (and question, or questioning) seems clear enough. Anyone got an explanation about that? Something I can get a handle on, get my teeth into, and "SEE" evidence - one way or the other?

    P.S. Think "Newbie", and how you might offer:
    (a.) a clarifying explanation;
    (b.) an example (maybe another one too);
    (c.) a CLI command or two to clarify;
    (d.) evidence (aka "proof-of-concept") [that's what's lacking at the moment];
    (e.) things like that.


    Regards,
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    man iptables
    ACCEPT all -- lo any anywhere anywhere
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    That looks like a good start.

    The results are the same, but are presented in different forms.

    Why not? That is exactly what the rules say for INPUT:

    1. First, block everything. No connection is accepted.
    2. Then, allow everything that you started, which falls into the "ESTABLISHED,RELATED" part. If a connection wasn't started by you, it will automatically be blocked, so you have nothing to worry about. If a connection WAS started by you (like when you visit a website), it will be allowed (e.g. port 443 here on Wilders).
    3. Drop everything that is INVALID.

    Which is OK. You should allow everything on Loopback.

    You could block loopback traffic and still have a usable computer, but some programs (like Steam) need loopback traffic.

    Manually allowing loopback traffic is pointless because you only need to control traffic on the OUTPUT chain. That is waaay more important than loopback.

    So forget loopback and allow everything on it, both input and output.

    So that is the nature of your thread? You could've simply started with it :p

    https://en.wikipedia.org/wiki/Loopback

    http://askubuntu.com/questions/247625/what-is-the-loopback-device-and-how-do-i-use-it

    No, it does NOT create a hole in your Firewall. 99% of programs can work WITHOUT loopback traffic, but some don't.
     
  12. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    " NOT an explanation "

    First, learn the network rules, and learn iptables after (why iptables? suicidal?).

    -A -l, see rules order.


    Let the loopback quiet.

    " You can now see a lot more information. This rule is actually very important, since many programs use the loopback interface to communicate with each other. If you don't allow them to talk, you could break those programs! "

    https://help.ubuntu.com/community/IptablesHowTo
     
    Last edited: Apr 22, 2016
  13. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11
    Thanks, pedro and amarildojr...


    I think what you presented was excellent. I will put some points now but your explanations and offerings are still great, AND very much appreciated.

    Well, the results are (in part) what is in question BECAUSE the presented display is actually different BUT the man reference states they would be the same.

    I (nicely) tried to indicate that the two switches in the man page (ie -S and -L) say the output is identical. It isn't. You might not "see" that as confusing if you aren't using man (because you already have "understandings") but a Newbie will. [I think I indicated that in my first post, and then let it slide.]


    Amarildojr, I think you are "seeing" that in your mind's eye, but I am seeing the "display on screen" - and they are different. [THAT is NOT a criticism!]

    Pedro, the " iptables -L -v " cmd hit the spot. It shows me exactly what I needed to see. However, after using that info, it appears that I can leave out that Loopback (lo) rule (as amarildojr has said/implied elsewhere) BECAUSE it (the rule) is letting connections in that would OTHERWISE BE MANAGED by the "ESTABLISHED" rule. Is that now correct? [If so... then ...in fact, if I wanted to, I could setup an "OUTPUT Block-All" policy then setup the Loopback with "Block-In/Allow-Out" (ie reversed to the config being discussed) and it would still apply well. Correct? I know amarildojr has indicated (well) something a little different, for the reasons he stated. (This point doesn't need to be discussed in depth - to not confuse Newbies.)]


    Amarildojr, you quoted me from my very first post - so I must have stated it "at the start". :p To be fair to me, in my opening I introduced my post as being from another website forum (which was an attempt at some kind of courtesy). So I outlined the story then quoted the post (and problem). You might see in that original quoted-post that I immediately began with something similar to what you said (that I've just quoted). In this forum, I think what happened just after the "start" was that something went decidedly, immediately awry. Had I received YOUR post that would have been an excellent beginning, possibly an end. Right? Furthermore, the links you provided are great. Thanks.


    Before stating "fixed" I will mull over all that, and give others an opportunity to explain anything further. [Anyway, I am still seeking a couple of interesting clarifications from you (pedro, amarildojr, anyone).]


    Boblvf...

    Sorry; your last post came in as I was about to post. It looks interesting. I will check that out a little later. Thanks for responding.



    Kind Regards,
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One example. CUPS admin interface runs as a server on localhost. It needs to accept new connections.

    Anything that fits that category would be "broken" I suppose.

    I must admit I always took that localhost rule at face value.
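A worked illustration of the thread's question and of Pedro's CUPS point, added here and not posted by anyone in the thread: a small Python simulation of the three-rule INPUT chain that evaluates constructed sample packets with and without the "-i lo" rule. It shows why the rule only matches traffic that arrived on the loopback interface (plain `iptables -L` hides the interface column; `-L -v` shows it), and what breaks for a new localhost connection when the rule is removed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on, e.g. "lo" or "eth0"
    ctstate: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dport: int      # destination port (informational only in this model)

def ctstate(*states):
    return lambda p: p.ctstate in states

def in_iface(name):
    return lambda p: p.in_iface == name

# The thread's INPUT chain, in order: (iptables -S spec, match, target).
# "-i lo" matches only packets that arrived on the loopback interface; plain
# `iptables -L` hides that because the in/out columns are only printed with -v.
RULES_WITH_LO = [
    ("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
     ctstate("RELATED", "ESTABLISHED"), "ACCEPT"),
    ("-A INPUT -i lo -j ACCEPT", in_iface("lo"), "ACCEPT"),
    ("-A INPUT -m conntrack --ctstate INVALID -j DROP", ctstate("INVALID"), "DROP"),
]
RULES_WITHOUT_LO = [r for r in RULES_WITH_LO if "-i lo" not in r[0]]

def input_chain(packet, rules, policy="DROP"):
    """Return (verdict, matching rule spec); unmatched packets get the chain policy."""
    for spec, match, target in rules:
        if match(packet):
            return target, spec
    return policy, "-P INPUT " + policy

# Constructed sample packets, not captured from anyone's machine in the thread.
SAMPLES = {
    "cups_admin_on_localhost": Packet("lo", "NEW", 631),
    "reply_to_https_we_opened": Packet("eth0", "ESTABLISHED", 49152),
    "unsolicited_ssh_from_internet": Packet("eth0", "NEW", 22),
    "malformed_segment": Packet("eth0", "INVALID", 80),
}

def verdicts(rules):
    """Map each sample packet name to its INPUT verdict under the given rules."""
    return {name: input_chain(pkt, rules)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("with lo rule", RULES_WITH_LO),
                         ("without lo rule", RULES_WITHOUT_LO)):
        print(label, verdicts(rules))
```

The unsolicited packet from eth0 is dropped by the policy in both runs, so the loopback rule opens no hole; only the new connection to CUPS on 127.0.0.1 changes verdict when the rule is removed.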
     