How to explain these iptables INPUT chain rules?

Discussion in 'Tomato Firmware' started by dailyglen, Feb 22, 2012.

  1. dailyglen

    dailyglen Networkin' Nut Member


    I probably don't understand this but it looks like Tomato is configured to accept all incoming connections with rules 6 and 7:

    Chain INPUT (policy DROP)
    num  target    prot opt source              destination
    1    DROP      all  --            state INVALID
    2    ACCEPT    all  --            state RELATED,ESTABLISHED
    3    shlimit   tcp  --            tcp dpt:22 state NEW
    4    shlimit   tcp  --            tcp dpt:21 state NEW
    5    shlimit   tcp  --            tcp dpt:23 state NEW
    6    ACCEPT    all  --  
    7    ACCEPT    all  --  
    8    logaccept udp  --            udp spt:67 dpt:68
    9    logaccept tcp  --            tcp dpt:554
    10   logaccept tcp  --            tcp dpt:21
    I don't think I've added rules 6 and 7 myself. Even though they look like they are ACCEPTing everything an external port scan shows that they are closed. Can anyone explain why this is the case? Is it because I have no services running on the open ports? Isn't it better to not have rules 6 and 7? What is the point of having the same rule twice?

  2. dailyglen

    dailyglen Networkin' Nut Member

    Just to answer my own question you need to use "iptables -nvL" to see that rule 6 and 7 are for accepting connections originating from within your LAN. The (v)erbose switch will show you this.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice