current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
up vote 3 down vote favorite

Preface

Just like everything in Linux I'm sure there are a lot of ways to get an intended result with iptables. I'd like to limit answers to the following categories:

  1. What is the difference between the options?
  2. Which option is best (or are they the same)?
  3. Why do you prefer one over the other?

And please be clear what category you are speaking to. It's okay to state preferences, but don't imply that it is best.

e.g.

I prefer to put --jump as the first argument because I think it reads better to have the intent first and I like to vertically align like arguments of multiple commands.

Question

Is one of these better than the other?

iptables -I INPUT --jump ACCEPT --in-interface lo
iptables -I INPUT --jump ACCEPT --source localhost

Is one of these better than the other?

iptables -A INPUT --jump REJECT
iptables -P INPUT REJECT
share|improve this question
up vote 7 down vote

In both cases, the two iptables commands you are comparing have different semantics and behave differently to each other. It's not necessarily a matter of which is "best" but of what behavior you are trying to match or provide.

First:

iptables -I INPUT --jump ACCEPT --in-interface lo
iptables -I INPUT --jump ACCEPT --source localhost

The first of these accepts all local traffic, on the lo interface, regardless of its IP address. The second one accepts all traffic from 127.0.0.1, regardless of what interface it arrives on.

In this case the first one is clearly better. In the first case, local traffic doesn't necessarily use 127.0.0.1 as its IP address but you probably want to accept it, (the best known of these is Debian's odd 127.0.1.1, but it's possible for global IP addresses to be attached to lo) and in the second case, someone could send you spoofed packets with 127.0.0.1 as its source address and you probably don't want to accept that.

Second:

iptables -A INPUT --jump REJECT
iptables -P INPUT REJECT

These are usually functionally identical, except:

When someone adds more rules to the end of the INPUT chain, the rules will not have any effect. The archives here have numerous examples of people confused by this. So you might want to use the second form.

The chain policy can't accept arguments, but the REJECT target does accept arguments. If you want to specify the reject reason, or want to give different reject reasons in different circumstances, you must use the first form (see the iptables-extensions man page for the list of reject reasons).

share|improve this answer
    
Excellent explanation. I'm really glad I decided to ask this. For the first question, I figured that was the case (though I hadn't considered spoofing). For the second question, I have read dozens of references and never gotten that. – Bruno Bronosky 6 hours ago
    
iptables is probably unique among firewalls in that it evaluates rules in the order in which they appear. If you're accustomed to this, it's no problem. But it's quite a surprise to anyone accustomed to virtually every other firewall out there. – Michael Hampton 6 hours ago
up vote 0 down vote

Regarding preference, I setup iptables such that it is easy to manage & difficult to mismanage.

  1. For non-meaningful formatting, I prefer to note down my rules in such order, that I can most easily verify firewall status regardless how simple the tool used. Examining changes should be as trivial as diff -wu <(iptables-save | egrep -v ^#) <(egrep -v ^# rules.v4)

  2. When two similar approaches under common configurations result in the same behaviour, I choose the one that will express what I really meant even under uncommon configurations. Hence I prefer -A INPUT -i lo -J ACCEPT over -A INPUT -s localhost -J ACCEPT because the latter comes with an assumption (that in a sane setup, no other interface could receive such packet)

  3. When 2 restrictions mean the same thing, I choose either both or the one that cannot be unintentionally lifted. While the rule -A INPUT -j REJECT can be -Replaced, such mistake would not affect chain policy like -P INPUT REJECT

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.