Is my iptables configuration secure?

bux asked:

I’m securing my Debian box with iptables. I did this to allow ssh, http and https:

# history | grep iptable
18  /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
22  /sbin/iptables -I INPUT 2 -i lo -j ACCEPT
23  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
24  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
25  /sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
26  /sbin/iptables -P INPUT DROP

18: connections already established
22: localhost
23, 24, 25: ssh, http, https
26: block everything else

My rules:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

The line:

ACCEPT     all  --  anywhere             anywhere

is scaring me: does this rule allow all traffic?

Edit:

# iptables -L -v -n
Chain INPUT (policy DROP 1352 packets, 99220 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  275 21348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
 pkts bytes target     prot opt in     out     source               destination

My answer:


The line you are referring to allows all traffic on the lo interface (localhost). It is generally harmless, and removing it can cause problems.

The interface columns are only visible after you add -v to your iptables command.
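The answer above turns on a detail that `iptables -L` hides: the rule only looks like "ACCEPT all anywhere anywhere" because the in/out interface columns are not printed without -v. The following is an added example, not code from the question or the answer, that parses the verbose listing (`iptables -L -v -n`, the exact output quoted in the Edit above, embedded here as constructed sample text) and classifies each ACCEPT rule, flagging only a rule that accepts all protocols from any source on any interface with no further match. The function names `parse_listing`, `classify` and `audit` are this example's own; the rule layout it assumes is the standard `pkts bytes target prot opt in out source destination [match]` column order of iptables verbose output.

```python
import re

# Constructed sample: the verbose listing quoted in the question's Edit.
SAMPLE = """Chain INPUT (policy DROP 1352 packets, 99220 bytes)
 pkts bytes target     prot opt in     out     source               destination
  275 21348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed variant for contrast: the same ruleset with the loopback rule's
# in-interface changed from "lo" to "*", which really would accept everything.
BROAD_SAMPLE = SAMPLE.replace("all  --  lo ", "all  --  *  ")

CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+)")
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in_", "out", "src", "dst")


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {chain: {'policy': ..., 'rules': [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or the per-chain column header
        parts = line.split(None, 9)  # at most 9 splits: the 10th field is the match text
        if len(parts) < 9:
            continue
        rule = dict(zip(COLUMNS, parts[:9]))
        rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
        rule["extra"] = parts[9].strip() if len(parts) > 9 else ""
        chains[current]["rules"].append(rule)
    return chains


def classify(rule):
    """Explain what an ACCEPT rule really matches, using the interface columns."""
    if rule["target"] != "ACCEPT":
        return rule["target"].lower()
    if rule["in_"] == "lo":
        return "loopback only"        # the rule the question is worried about
    if rule["extra"].startswith(("state ", "ctstate ")):
        return "stateful: " + rule["extra"].split(None, 1)[1]
    if "dpt:" in rule["extra"]:
        return "port: " + rule["extra"]
    if (rule["prot"] == "all" and rule["in_"] == "*"
            and rule["src"] == "0.0.0.0/0" and not rule["extra"]):
        return "wide open"            # any proto, any source, any interface, no match
    return "other: " + rule["extra"]


def audit(text):
    """Return (chain, rule number, verdict) for every rule that accepts everything."""
    findings = []
    for name, chain in parse_listing(text).items():
        for i, rule in enumerate(chain["rules"], 1):
            verdict = classify(rule)
            if verdict == "wide open":
                findings.append((name, i, verdict))
    return findings


if __name__ == "__main__":
    for name, chain in parse_listing(SAMPLE).items():
        print(f"{name} (policy {chain['policy']})")
        for i, rule in enumerate(chain["rules"], 1):
            print(f"  {i}: {rule['target']} {rule['prot']} in={rule['in_']} -> {classify(rule)}")
    print("wide-open rules:", audit(SAMPLE))
    print("wide-open rules in broad variant:", audit(BROAD_SAMPLE))
```

Run against the listing from the question, the loopback rule is reported as "loopback only" and the audit returns nothing; only the constructed variant with `in=*` trips the "wide open" check. Because the plain `iptables -L` output lacks the in/out columns, the same check cannot be made from it, which is the practical reason to always review rules with `-v -n`.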


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.