# "iptables -L" lists wrong policies

## tommy_fila

I have the following iptables rules.

```
#!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth0"

# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# PDA Connection
$IPTABLES -A INPUT -i ppp0 -j ACCEPT
```

When I use "iptables -L" to list my current set of rules, I get the following output.

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Why are the first and last rules of the INPUT chain set to accept all packets? In reality, the first rule should only allow packets from trusted interfaces, and the last rule should allow connections from and to my PDA.

What is going on here? Does `iptables -L` just list the wrong rules?

----------

## jamapii

`iptables -L` doesn't list the interface (the `-i` and `-o` arguments).

----------

## Jeremy_Z

Yes, you need to use `-L -v`, and I recommend `-n` too.

----------

## eagle_cz

Did you try

```
iptables -t mangle -L -nv
iptables -t nat -L -nv
```

?

just guess from littla komie  :Very Happy: 

----------

## tommy_fila

That did the trick! Thank you!  :Very Happy: 

----------

## eagle_cz

Just to be perfect, here is the last one:

```
iptables -t filter -L -nv
```

which is the same as

```
iptables -L -nv
```

because it lists just filter by default.
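The thread's point is that the `in`/`out` interface columns only appear in the verbose listing, so a rule that looks like `ACCEPT all 0.0.0.0/0 0.0.0.0/0` under plain `-L` may in fact be bound to `lo` or `ppp0`. The script below is an added example, not code from any poster: it dumps all three tables the way the thread settles on (`-nvL --line-numbers`) and, separately, reads a verbose listing from stdin and reports the ACCEPT rules in a chain whose `in` column really is `*`, i.e. the ones that are open on every interface. The sample listing and its packet counters are constructed for the demo; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit a verbose iptables listing for
# ACCEPT rules that are not bound to any input interface.

# Constructed sample of "iptables -t filter -nvL" output; counters are made up.
SAMPLE_LISTING='Chain INPUT (policy DROP 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  100  9000 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    3   180 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 500 packets, 40000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Dump every table verbosely, with rule numbers, so interfaces are visible.
# (Needs root and a real iptables; not exercised by the demo below.)
list_all_tables() {
  for t in filter nat mangle; do
    echo "### table $t"
    iptables -t "$t" -nvL --line-numbers
  done
}

# Read a verbose listing on stdin and print "CHAIN: rule" for every ACCEPT rule
# in the named chain (default INPUT) whose "in" column is "*".
unbound_accepts() {
  chain="${1:-INPUT}"
  awk -v want="$chain" '
    /^Chain / { cur = $2; next }      # remember which chain we are in
    /^ *pkts/ { next }                # skip the column header
    NF >= 9 && cur == want && $3 == "ACCEPT" && $6 == "*" { print cur ": " $0 }
  '
}

# Number of unbound ACCEPT rules in the sample for a given chain.
count_unbound_accepts() {
  printf '%s\n' "$SAMPLE_LISTING" | unbound_accepts "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample: only the ICMP echo-request rule is reported
# for INPUT, because lo, eth0 and ppp0 are real interface bindings that
# plain "iptables -L" would have hidden.
printf '%s\n' "$SAMPLE_LISTING" | unbound_accepts INPUT
```

On a live system, pipe `iptables -nvL` (or the output of `list_all_tables`) into `unbound_accepts` instead of the sample; a rule listed there is one that plain `-L` would have shown as a bare `ACCEPT all 0.0.0.0/0 0.0.0.0/0` for a genuine reason.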

----------

## tommy_fila

I realize this is somewhat unrelated, but I don't want to start up a new topic.

How can I log all dropped packets? Do I need to create a rule that identifies all dropped packets and logs them?

Thanks for the help.

----------

## eagle_cz

If you drop packets at several places, you can redirect to your custom chain.

Then you put 2 rules into your custom chain:

rule 1. log

rule 2. drop

----------

## tommy_fila

Could you elaborate on that? I don't really see what you mean.

Take my rules for example:

```
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
```

If the packet doesn't fit any of these descriptions, it should get logged.

Any ideas on how I can accomplish this?

----------

## tommy_fila

I was thinking about doing the following, but I don't think it would work very well.

Right in front of every INPUT chain, I'd append a log chain that logs packets which don't match the following INPUT chain. So, for example.

```
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
```

Would become:

```
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i !lo -j LOG
$IPTABLES -A INPUT -i lo -j ACCEPT
```

Would this work properly? I have a feeling that it would log all packets not coming from "lo". I don't really want that either. I only want to log packets which don't match any of my input chains.

Any ideas?

----------

## DaveArb

*tommy_fila wrote:*

> Could you elaborate on that? I don't really see what you mean.
>
> Take my rules for example:
>
> ...

Place an unqualified LOG line after all your accepts, this will log everything "falling out the bottom". Expect to watch carefully for a very large log file.

Dave

----------

## tommy_fila

Ah! DaveArb, the master is back at it.

Let me see if I have this straight. Basically, the packet goes through the different chains. If it matches a chain, it gets accepted or dropped, and that's it. If it doesn't match any of the chains, it just keeps on going through until the end. So if I add a log chain to the end, then all packets that don't get accepted will get logged.

Next question:

You said the log files might get very large? Where are the log files? I thought the messages get logged with your system-logger?

----------

## DaveArb

*tommy_fila wrote:*

> So if I add a log chain to the end, then all packets that don't get accepted will get logged.

Exactly correct. Iptables runs from top to bottom. Having a policy of DROP is effectively the same as having a last rule of DROP, so placing a LOG at the end will write everything that's going to be dropped to the log.

*Quote:*

> I thought the messages get logged with your system-logger?

That's correct too. Where the logs get written no doubt varies by what logger you use; on the sysklog install I just checked, they are in messages. About a 250-byte-long message for each log line.

Dave
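The two suggestions in this thread (eagle_cz's custom chain with a LOG rule followed by a DROP rule, and Dave's unqualified LOG after all the accepts, with his warning about log volume) combine naturally into one script. What follows is an added example, not code from either poster: it creates a chain named `LOGDROP` (my name), logs with a rate limit so a flood cannot fill the syslog file at roughly 250 bytes per line, then drops, and appends a jump to that chain as the final INPUT rule. The limit values, the log prefix and the `IPTABLES` dry-run default are my choices; with the chain policy still DROP, the jump changes nothing about what is accepted, it only makes the implicit drops visible.

```shell
#!/bin/sh
# Added example (not from the thread): a LOG-then-DROP chain for INPUT.
# By default the commands are only printed (dry run); run with
#   IPTABLES=/sbin/iptables sh this_script.sh
# as root to actually apply them.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Create the custom chain: rule 1 logs (rate-limited), rule 2 drops.
# -m limit caps log lines at 5 per minute with a burst of 10, which is what
# keeps a scan or a flood from growing /var/log/messages without bound.
build_logdrop_chain() {
  $IPTABLES -N LOGDROP
  $IPTABLES -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "IPT-DROP: " --log-level 4
  $IPTABLES -A LOGDROP -j DROP
}

# Append the jump as the last INPUT rule. Anything that did not match one of
# the ACCEPT rules above it "falls out the bottom" into LOGDROP instead of
# being dropped silently by the chain policy.
attach_to_input() {
  $IPTABLES -A INPUT -j LOGDROP
}

# Emit (or apply) the whole thing in order; returns the generated commands
# on stdout in dry-run mode so the ordering can be inspected.
emit_rules() {
  build_logdrop_chain
  attach_to_input
}

emit_rules
```

When you later want to see what is being dropped, `grep 'IPT-DROP: ' /var/log/messages` (or wherever your syslog writes) isolates these lines; the prefix is also what a logrotate stanza or a log shipper can key on.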

----------

## tommy_fila

Perfect. I'm going to try adding the log line to the end.

About the log files getting too large -- I thought the log files automatically stay a certain size by just erasing the old logs.

----------

## DaveArb

*tommy_fila wrote:*

> I thought the log files automatically stay a certain size by just erasing the old logs.

sysklog doesn't do this automatically; I use logrotate to perform this task. Perhaps other system loggers do autotrim their files?

Dave

----------