bugzilla-daemon at netfilter.org
2017-Feb-14 14:44 UTC
[Bug 1122] New: --list command can be deceptive in some cases.
https://bugzilla.netfilter.org/show_bug.cgi?id=1122
Bug ID: 1122
Summary: --list command can be deceptive in some cases.
Product: iptables
Version: 1.4.x
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: p at trickslav.in
Hello,
It was a bit tricky to see that the port was actually closed in IPTables, as at
first glance it appears to be open:
[root at Ping init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
(*) ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Export with iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1341:2337120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
(*)-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
At (*) it states that the firewall is accepting from everywhere when you run
iptables --list, but you can see that this is not the case when you run
iptables-save! It shows that it is accepting all for the LOOPBACK interface,
practically the opposite of "all".
Regards,
Patrick Slavin
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Feb-14 15:54 UTC
[Bug 1122] --list command can be deceptive in some cases.
https://bugzilla.netfilter.org/show_bug.cgi?id=1122
Phil Oester <netfilter at linuxace.com> changed:
What       | Removed | Added
-----------|---------|--------------------------
CC         |         | netfilter at linuxace.com
Status     | NEW     | RESOLVED
Resolution | ---     | WONTFIX
--- Comment #1 from Phil Oester <netfilter at linuxace.com> ---
You need to use the "verbose" option to see the interfaces. Try
"iptables -nvL" for instance.
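Phil's answer is the operational fix; as an added illustration (not part of the thread or of iptables), the script below parses iptables-save text and flags rules whose plain `-L` row would read `all -- anywhere anywhere` because their only qualifier is an interface match, rendering both the plain and the verbose-style row for each. It assumes a constructed sample modelled on the reporter's ruleset and rules without `!` negations; the column layout is an approximation of iptables' own.

```python
import re
# Constructed sample, modelled on the iptables-save output quoted in the report.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# One option (-x or --long) and its value, if the next token is not another option.
OPT = re.compile(r'(?:^|\s)(-[A-Za-z]|--[a-z-]+)(?:\s+(?!-)(\S+))?')

def parse_rules(save_text):
    """Turn each '-A CHAIN ...' line into a dict of the fields that matter here."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith('-A '):
            continue
        opts = {}
        for key, val in OPT.findall(line):
            opts.setdefault(key, val)  # keep the first -m, ignore repeats
        rules.append({'chain': opts['-A'], 'target': opts.get('-j', ''),
                      'proto': opts.get('-p', 'all'),
                      'in_if': opts.get('-i'), 'out_if': opts.get('-o'),
                      'src': opts.get('-s', 'anywhere'),
                      'dst': opts.get('-d', 'anywhere'), 'raw': line})
    return rules

def list_view(rule, verbose=False):
    """Approximate one 'iptables -L' row; verbose=True adds the in/out columns of '-vL'."""
    cols = [rule['target'], rule['proto'], '--']
    if verbose:
        cols += [rule['in_if'] or 'any', rule['out_if'] or 'any']
    return ' '.join(cols + [rule['src'], rule['dst']])

def find_hidden_interface_rules(rules):
    """Rules whose only narrowing is an interface match: plain '-L' renders them
    as 'all -- anywhere anywhere', exactly the (*) line in the report."""
    return [r for r in rules if (r['in_if'] or r['out_if'])
            and r['src'] == 'anywhere' and r['dst'] == 'anywhere']

if __name__ == '__main__':
    for r in find_hidden_interface_rules(parse_rules(SAMPLE_SAVE)):
        print(f"{r['chain']}: '{list_view(r)}' is really '{list_view(r, True)}'")
```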