IpTables Question

Michael Butash michael at butash.net
Mon Jun 4 23:43:07 MST 2012


Looks like it's deferring "everything" sending to another chain, like a 
sub grouping, where it allows tcp/4643 for management, or moves on with 
the rest of the main input chain tree for the tcp/80 allows.  Object 
oriented ACLs, not unlike object-groups in Cisco or most firewall 
platforms.  It's easiest for them to maintain another list of 
"management" protocols as a separate chain programmatically, as that 
*should* always be present to at least restore usability from a 
base-build.  This is usually some blend of secure administration and 
usability on a canned VPS build.

They assume that so long as you don't delete that management chain while 
getting frisky, you can get in and click a "magic reprovision and make go" 
button to restore it new if you screw it up that badly.  Anything user-added 
that the default provisioning doesn't put in that other specific chain just 
gets added to the main input chain past that, for parsing allows normally.

-mb



On 06/04/2012 04:59 PM, AZ Pete wrote:
> Hi All,
>
> I'm in the process of setting up a new Virtual Private Server and am
> using Plesk to configure the firewall (among other things).
>
> I have the firewall configured how I want it within Plesk. However, when
> I SSH into the box and list the firewall rules (using iptables -L -n) I
> get way more rules than I setup within Plesk. I'm thinking that there
> must be several rules that were there beforehand as default from the
> hosting provider. One thing I do notice, however, is that for a given
> chain (in this case Input chain) the very first rule is:
> -A INPUT -j VZ_INPUT
>
> The INPUT chain looks something like this (as given by iptables -L -n):
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> VZ_INPUT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT tcp -- 190.93.240.0/20 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 108.162.192.0/18 0.0.0.0/0 tcp dpt:80
>
> blah, blah.....
>
> Chain VZ_INPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4643
> ... all the rest of the rules I entered in Plesk....
>
> VZ_INPUT is a user-defined rule that Plesk puts in and that chain has
> all the rules I entered in the Plesk panel.
> My question is: if the above VZ_INPUT rule is the very first rule in the
> INPUT chain, does that mean for all input packets jump to the VZ_INPUT
> chain and process those rules, thus bypassing all the other inputs?
>
> The same sort of layout is also present for the OUTPUT & FORWARD chains.
>
> Any thoughts are appreciated.
> Thanks,
> Peter
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
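To make the traversal behaviour Michael describes concrete, the following is an added example, written for this page and not code from either poster, Plesk or netfilter. It is a small Python model of how the filter table walks chains: rules are evaluated in order, a jump to a user-defined chain (here VZ_INPUT) walks that chain, and if nothing in it gives a terminal verdict the packet falls off the end and processing resumes at the rule after the jump in INPUT; only when INPUT itself is exhausted does the chain policy (DROP) apply. The chain layout and the two tcp/80 source ranges are taken from the quoted listing; the sample packets and their source addresses are constructed for the demonstration.

```python
"""Toy model of iptables filter-table chain traversal (added example).

Shows that `-A INPUT -j VZ_INPUT` at the top of INPUT does not bypass the
rest of INPUT: a packet that matches nothing in VZ_INPUT returns to INPUT
and is still checked against the tcp/80 allows before the DROP policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                   # ACCEPT/DROP/REJECT/RETURN or a user-chain name
    proto: Optional[str] = None   # "tcp", "udp", or None for "all"
    src: str = "0.0.0.0/0"        # source match, CIDR
    dport: Optional[int] = None   # destination port match, if any

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class FilterTable:
    def __init__(self, chains: Dict[str, List[Rule]], policies: Dict[str, str]):
        self.chains = chains        # chain name -> ordered rule list
        self.policies = policies    # built-in chain -> default verdict

    def _walk(self, chain: str, pkt: dict, trace: List[str], depth: int = 0) -> Optional[str]:
        """Return a terminal verdict, or None if the chain fell through / RETURNed."""
        if depth > 16:  # netfilter refuses jump loops at rule-load time; guard anyway
            raise RuntimeError("chain jump loop")
        for i, rule in enumerate(self.chains[chain]):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain}[{i}] -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            # Jump into a user-defined chain; resume here if it does not decide.
            verdict = self._walk(rule.target, pkt, trace, depth + 1)
            if verdict is not None:
                return verdict
        return None  # end of chain: implicit RETURN to the caller

    def verdict(self, builtin: str, pkt: dict) -> Tuple[str, List[str]]:
        trace: List[str] = []
        v = self._walk(builtin, pkt, trace)
        if v is None:
            v = self.policies[builtin]
            trace.append(f"{builtin} policy -> {v}")
        return v, trace


def build_table() -> FilterTable:
    """Layout from the quoted `iptables -L -n` output: INPUT jumps to VZ_INPUT first."""
    return FilterTable(
        chains={
            "INPUT": [
                Rule(target="VZ_INPUT"),                                   # -A INPUT -j VZ_INPUT
                Rule("ACCEPT", "tcp", "190.93.240.0/20", 80),
                Rule("ACCEPT", "tcp", "108.162.192.0/18", 80),
            ],
            "VZ_INPUT": [
                Rule("ACCEPT", "tcp", dport=4643),                         # management allow
            ],
        },
        policies={"INPUT": "DROP"},
    )


if __name__ == "__main__":
    table = build_table()
    # Constructed sample packets; 190.93.240.5 lies inside the first /20 from the listing.
    for pkt in (
        {"proto": "tcp", "src": "190.93.240.5", "dport": 80},   # web, allowed in INPUT after VZ_INPUT falls through
        {"proto": "tcp", "src": "203.0.113.9", "dport": 4643},  # management, allowed inside VZ_INPUT
        {"proto": "tcp", "src": "203.0.113.9", "dport": 22},    # nothing matches, INPUT policy DROP
    ):
        v, trace = table.verdict("INPUT", pkt)
        print(f"{pkt['src']}:{pkt['dport']} -> {v}   via {' ; '.join(trace)}")
```

The trace for the tcp/80 packet shows `INPUT[0] -> VZ_INPUT` followed by `INPUT[1] -> ACCEPT`, which is exactly the point in the reply above: VZ_INPUT is a sub-grouping consulted first, not a replacement for the rest of INPUT.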