Mailing List Archive

REJECT target not as policy
Hi,


on one of my machines the REJECT target doesn't behave as I
expect. It is inserted into a chain but it is not accepted
as a policy.

myhost ~ # iptables -L
Chain INPUT (policy DROP 2 packets, 116 bytes)
pkts bytes target prot opt in out source destination
...
0 0 REJECT tcp -- any any anywhere anywhere ...
...

But:

myhost ~ # iptables -v -t filter -P INPUT REJECT
iptables: Bad policy name


How does this come about? I guess it is a kernel option I have to
change. But which?

Thanks in advance,

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
Re: REJECT target not as policy
On Monday 20 August 2007, Bertram Scharpf wrote:
> on one of my machines the REJECT target doesn't behave as I
> expect. It is inserted into a chain but it is not accepted
> as a policy.
>
> myhost ~ # iptables -L
> Chain INPUT (policy DROP 2 packets, 116 bytes)
> pkts bytes target prot opt in out source destination
> ...
> 0 0 REJECT tcp -- any any anywhere anywhere ...
> ...
>
> But:
>
> myhost ~ # iptables -v -t filter -P INPUT REJECT
> iptables: Bad policy name
>
>
> How does this come about? I guess it is a kernel option I have to
> change. But which?

The REJECT target is only valid when either the tcp or udp module is loaded.
Hence it cannot be used as a policy.

HTH
--
Ruben
Re: REJECT target not as policy
Hello,

Ruben Laban wrote:
> On Monday 20 August 2007, Bertram Scharpf wrote:
>
>>on one of my machines the REJECT target doesn't behave as I
>>expect. It is inserted into a chain but it is not accepted
>>as a policy.

It behaves as expected. REJECT is an extension, not a built-in target,
and cannot be used as a policy. Check man iptables.

> The REJECT target is only valid when either the tcp or udp module is loaded.

AFAIK, REJECT is not dependent on tcp or udp and can be used with any
protocol. Only the "--reject-with tcp-reset" option can be used only
with tcp.
Re: REJECT target not as policy
Hi,

On Monday, 20 Aug 2007, 17:52:02 +0200, Pascal Hambourg wrote:
> Ruben Laban a écrit :
>> On Monday 20 August 2007, Bertram Scharpf wrote:
>>> on one of my machines the REJECT target doesn't behave as I
>>> expect. It is inserted into a chain but it is not accepted
>>> as a policy.
>
> It behaves as expected. REJECT is an extension, not a built-in target, and
> cannot be used as a policy. Check man iptables.

I wrote "as _I_ expect". Obviously I expected wrong. Now, I
found it in the manpage.

On another list I was told it was a good idea to set
REJECT as policy. I'm so glad that I asked here. Thank you.

Bertram


--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
Re: REJECT target not as policy
Bertram Scharpf wrote:
>
> On another list I was told it was a good idea to set
> REJECT as policy.

It could be a good idea if it was possible. Maybe the person who told you
mixed up iptables and ipchains, its "predecessor" for 2.2 kernels. IIRC
ipchains allowed REJECT as a policy.
RE: REJECT target not as policy
>> On another list I was told it was a good idea to set
>> REJECT as policy.
>
> It could be a good idea if it was possible. Maybe the person who told
> you mixed up iptables and ipchains, its "predecessor" for 2.2
> kernels. IIRC ipchains allowed REJECT as a policy.

You could emulate a REJECT policy by having this as the very last rules:

$ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -A INPUT -j REJECT

(I thought it was like this..)
But, if you dynamically add rules then you have to take care of at/from
which position you insert/delete them.
Re: REJECT target not as policy
Rob Sterenborg wrote:
>
> You could emulate a REJECT policy by having this as the very last rules:
>
> $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> $ipt -A INPUT -j REJECT
>
> (I thought it was like this..)

What was like what ?

> But, if you dynamically add rules then you have to take care of at/from
> which position you insert/delete them.

A user-defined chain comes in handy. Jump into it before the REJECT
rules and add the dynamic rules in it.

iptables -N input
iptables -A INPUT -j input
iptables -A INPUT -j REJECT

iptables -A input blah...
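Putting Rob's trailing REJECT rules and the user-defined chain above together, here is an added example script; it is not code from any poster in this thread. It assumes the user chain is called "input" as in the post above, that an IPT variable names the command to run (iptables by default, which needs root) and can be pointed at a small printing function for a dry run, and the "--dport 22" ACCEPT rule is a constructed sample. The built-in policy is left at DROP, as in the original poster's listing, because flushing the chain removes the emulated policy along with every other rule.

```shell
#!/bin/sh
# Added example: emulate a REJECT policy on INPUT with a user-defined chain.
# Assumptions: the user chain is named "input" as in Pascal's post; IPT names
# the command to run (default iptables, root required) and can be pointed at
# the print_cmd function below for a dry run that only prints the rules.
IPT="${IPT:-iptables}"

# Dry-run backend: print the arguments, one command per line, instead of
# calling iptables.
print_cmd() {
    printf '%s\n' "$*"
}

# Static skeleton. The built-in policy stays DROP as a safety net: flushing
# the chain removes the REJECT rules and the policy is all that is left.
# The jump into "input" must come before the two REJECT rules, which act as
# the emulated policy: TCP gets a reset, everything else gets REJECT's
# default icmp-port-unreachable.
install_reject_policy() {
    "$IPT" -P INPUT DROP
    "$IPT" -N input
    "$IPT" -A INPUT -j input
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -j REJECT
}

# Dynamic rules are appended to / deleted from the user chain, so their
# position relative to the REJECT rules never needs managing. A packet that
# matches nothing in "input" returns to INPUT and hits the REJECT rules.
add_dynamic_rule() {
    "$IPT" -A input "$@"
}

remove_dynamic_rule() {
    "$IPT" -D input "$@"
}

# Print what would be run; the --dport 22 ACCEPT is a constructed sample.
dry_run() {
    (
        IPT=print_cmd
        install_reject_policy
        add_dynamic_rule -p tcp --dport 22 -j ACCEPT
    )
}

case "${1:-}" in
    --dry-run) dry_run ;;
    --install) install_reject_policy ;;
esac
```

Run it with "--dry-run" to see the rule order without touching the firewall, and with "--install" (as root) to apply the skeleton; later rules go through add_dynamic_rule and remove_dynamic_rule so the REJECT rules stay last.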
RE: REJECT target not as policy
>> You could emulate a REJECT policy by having this as the very last
>> rules:
>>
>> $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>> $ipt -A INPUT -j REJECT
>>
>> (I thought it was like this..)
>
> What was like what ?

Emulating a REJECT policy. If I'm not mistaken a closed tcp port
responds with tcp-reset and others with icmp-port-unreachable (REJECT's
default).
If the OP was told to set a REJECT policy, I think it would have been
with this in mind.

>> But, if you dynamically add rules then you have to take care of
>> at/from which position you insert/delete them.
>
> A user-defined chain comes in handy. Jump into it before the REJECT
> rules and add the dynamic rules in it.
>
> iptables -N input
> iptables -A INPUT -j input
> iptables -A INPUT -j REJECT
>
> iptables -A input blah...

Yes, that's how I would do it.