ldx / python-iptables

Python bindings for iptables

Setting chain policy not reflected in iptables output, but it does work. #297

Closed drb80 closed 4 years ago

drb80 commented 4 years ago

The following does work:

import iptc

chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
policy = iptc.Policy("DROP")
chain.set_policy(policy)

and I can tell via:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

But this isn't reflected in the output of the iptables command:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Machine:

Linux osboxes 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

I'm happy that it works, but just want to make sure this is the expected behavior. Thanks for all the work on this!

jllorente commented 4 years ago

Hi Steve,

Shouldn’t the policy be DROP instead of REJECT?

What’s the output of “iptables-save” after you run that script?

On Thu, 23 Jan 2020 at 20:35, Steve Beaty notifications@github.com wrote:

The following does work:

chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
policy = iptc.Policy("REJECT")
chain.set_policy(policy)

and I can tell via:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

But this isn't reflected in the output of the iptables command:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Machine:

Linux osboxes 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

I'm happy that it works, but just want to make sure this is the expected behavior. Thanks for all the work on this!


drb80 commented 4 years ago
You’re absolutely right, I did make it DROP but my copy and paste was bad :-( I’ll fix it in the question. I still didn’t see the change in the iptables command line.

Thanks!


-- Steve Beaty, Professor, MSU Denver Computer Science

Only the educated are free. Epictetus

drb80 commented 4 years ago
...and I just found the issue...

Debian now defaults to nftables with iptables-legacy being used for backwards compatibility. If I run iptables-legacy I do see the DROP.

I’ll follow up to my question. Thanks much!

-- Steve Beaty, Professor, MSU Denver Computer Science

The mind is not a vessel to be filled, but a fire to be kindled — Plutarch
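The mismatch above (python-iptables talks to the legacy xtables interface, while Debian's `iptables` binary is the nf_tables frontend) is easy to check for. Added example for this thread, not python-iptables code: it reads the backend from `iptables -V`, parses chain policies from iptables-save style output, and says which save tool to read after `chain.set_policy()`; the sample outputs are constructed.

```python
"""Verify a chain policy set via python-iptables against the right backend."""
import re
import shutil
import subprocess

# Constructed sample of `iptables -V` on a Debian 10 host (nft frontend).
SAMPLE_VERSION = "iptables v1.8.2 (nf_tables)\n"
# Constructed sample of `iptables-legacy-save` after chain.set_policy("DROP").
SAMPLE_SAVE = """# Generated by iptables-save v1.8.2 on Thu Jan 23 20:35:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Thu Jan 23 20:35:00 2020
"""

def backend_from_version(text):
    """Return 'nf_tables' or 'legacy' from `iptables -V` output, else None."""
    m = re.search(r"iptables v[\d.]+ \((nf_tables|legacy)\)", text)
    return m.group(1) if m else None

def chain_policies(save_text, table="filter"):
    """Map chain name -> policy for one table of iptables-save output."""
    policies, in_table = {}, False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_table = line[1:] == table
        elif in_table and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            if policy != "-":  # user-defined chains carry no policy
                policies[name] = policy
    return policies

def verify_policy(chain, expected, version_text, save_text):
    """(policy matches?, save tool that sees what python-iptables wrote)."""
    backend = backend_from_version(version_text)
    tool = "iptables-legacy-save" if backend == "nf_tables" else "iptables-save"
    return chain_policies(save_text).get(chain) == expected, tool

def live_policies(binary="iptables-legacy-save"):
    """Read policies from the running host if the tool exists (needs root)."""
    if shutil.which(binary) is None:
        return None
    out = subprocess.run([binary], capture_output=True, text=True, check=True)
    return chain_policies(out.stdout)

if __name__ == "__main__":
    ok, tool = verify_policy("OUTPUT", "DROP", SAMPLE_VERSION, SAMPLE_SAVE)
    print(f"OUTPUT policy is DROP: {ok}; confirm on a live host with `{tool}`")
```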

drb80 commented 4 years ago

Mystery solved...