IpTables Question
Michael Butash
michael at butash.net
Mon Jun 4 23:43:07 MST 2012
Looks like it's deferring "everything" sending to another chain, like a
sub grouping, where it allows tcp/4643 for management, or moves on with
the rest of the main input chain tree for the tcp/80 allows. Object
oriented acl's, not unlike object-group's in cisco or most firewall
platforms. It's easiest for them to maintain another list of
"management" protocols as a separate chain programatically as that
*should* always be present to at least restore usability from a
base-build. This is usually some blend of secure administration and
usability on a canned vps build.
They assume so long as you don't delete that management chain getting
frisky, you can get in and click a "magic reprovision and make go"
button to restore new if you screw it up that bad. Anything user-added
provision by default not setting the other specific chain just add to
the main input chain past that for parsing allows normally.
-mb
On 06/04/2012 04:59 PM, AZ Pete wrote:
> Hi All,
>
> I'm in the process of setting up a new Virtual Private Server and am
> using Plesk to configure to firewall (among other things).
>
> I have the firewall configured how I want it within Plesk. However, when
> I SSH into the box and list the firewall rules (using iptables -L -n) I
> get way more rules than I setup within Plesk. I'm thinking that there
> must be several rules that were there beforehand as default from the
> hosting provider. One thing I do notice, however, is that for a given
> chain (in this case Input chain) the very first rule is:
> -A INPUT -j VZ_INPUT
>
> The INPUT chain looks something like this (as given by iptables -L -n):
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> VZ_INPUT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT tcp -- 190.93.240.0/20 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 108.162.192.0/18 0.0.0.0/0 tcp dpt:80
>
> blah, blah.....
>
> Chain VZ_INPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4643
> ... all the rest of the rules I entered in Plesk....
>
> VZ_INPUT is a user-defined rule that Plesk puts in and that chain has
> all the rules I entered in the Plesk panel.
> My question is: if the above VZ_INPUT rule is the very first rule in the
> INPUT chain, does that mean for all input packets jump to the VZ_INPUT
> chain and process those rules, thus bypassing all the other inputs?
>
> The same sort of layout is also present for the OUTPUT & FORWARD chains.
>
> Any thoughts are appreciated.
> Thanks,
> Peter
>
>
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
More information about the PLUG-discuss
mailing list