default iptables settings (merlin 380.59 on rt-ac68u)

mslight

New Around Here
Running 380.59 on rt-ac68u.
I have firewall enabled. I logged in via ssh and ran iptables -L and was surprised to see the below ACCEPT rules in the input chain. To my novice eyes they direct the firewall to accept new connections from anywhere. Can this be the default iptables settings? It would seem to be contradicted both by the copious number of DROP logs rejecting connection attempts in the system log and by the fact that tests I ran from https://www.grc.com/shieldsup show that no ports were open.

Thanks in advance for your help.


Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
logdrop    icmp --  anywhere             anywhere             icmp echo-request
logdrop    all  --  anywhere             anywhere             state INVALID
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
logaccept  udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
logaccept  icmp --  anywhere             anywhere             icmp !echo-request
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
logaccept  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
logaccept  all  --  anywhere             anywhere
logaccept  all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             Mia                  udp dpt:19250
ACCEPT     tcp  --  anywhere             Mia                  tcp dpt:19250

Chain PControls (0 references)
target     prot opt source               destination
logaccept  all  --  anywhere             anywhere

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain logaccept (7 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (9 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Thank you very much for responding.

Do the first 4 lines not mean that every incoming packet will be:
1. checked to see whether it is a ping (in which case log then drop)
2. checked to see whether it is invalid (in which case log then drop)
3. checked to see whether it is part of an already established connection or related to one (in which case log then accept)
4. checked to see whether it is a new connection (in which case accept)

which suggests a packet matching rule 4 will never reach the default policy?

Clearly there's something I'm not getting about rule appraisal .....

thanks for your help.
 
Clearly there's something I'm not getting about rule appraisal .....

You need to view the FULL rule to understand it, not just the summary version:

Code:
iptables -L -v
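As an added example (not from the thread, and not the firmware's own code), here is why the verbose listing matters and how to audit it. `iptables -L` hides the `in`/`out` interface columns, so a rule that only accepts NEW connections on one interface is printed exactly like one that accepts them on every interface. The sample below is a constructed `iptables -L INPUT -v -n` listing modelled on the chain posted above; the interface names it uses (`br0`, `lo`) and its packet counters are assumptions for the sample, not values taken from the poster's router. The `summary_view` function reproduces what the plain listing shows, and `find_open_new_accepts` flags any `ACCEPT ... state NEW` rule whose `in` interface is the wildcard `*`, which is the case that would actually expose the router.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -v -n` output (not from the thread).
# Columns: pkts bytes target prot opt in out source destination [extras]
# Interface names br0 (assumed LAN bridge) and lo are assumptions for the sample.
SAMPLE_INPUT_V='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1234 56789 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    5   300 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Reproduce the non-verbose `iptables -L` view: drop pkts/bytes and the
# in/out interface columns. Reads verbose output on stdin.
summary_view() {
    awk '
        /^Chain / || /^ *pkts/ { next }      # skip chain and column headers
        {
            line = $3 " " $4 " " $5 " " $8 " " $9
            for (i = 10; i <= NF; i++) line = line " " $i
            print line
        }'
}

# Print ACCEPT rules for state NEW that are not bound to an in-interface.
# Field 6 is the "in" column of `iptables -L -v -n`; "*" means any interface.
find_open_new_accepts() {
    awk '
        /^Chain / || /^ *pkts/ { next }
        $3 == "ACCEPT" && /state NEW/ && $6 == "*" { print }'
}

# Audit a verbose INPUT listing passed as $1.
# Returns 0 when every NEW-accepting rule is tied to an interface, 1 otherwise.
audit_input_chain() {
    hits=$(printf '%s\n' "$1" | find_open_new_accepts)
    if [ -n "$hits" ]; then
        printf 'WARNING: NEW connections accepted on any interface:\n%s\n' "$hits"
        return 1
    fi
    echo "OK: every ACCEPT ... state NEW rule is bound to an interface"
    return 0
}

# Demonstration on the constructed sample: the two ACCEPT rules collapse to
# identical lines in the summary view, but the audit sees the interfaces.
printf '%s\n' "$SAMPLE_INPUT_V" | summary_view
audit_input_chain "$SAMPLE_INPUT_V"
```

On the router itself the check is `iptables -L INPUT -v -n | find_open_new_accepts` after sourcing the functions; an empty result means the NEW-accept rules are interface-bound, which is consistent with the DROP entries in the system log and with a clean ShieldsUP scan.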
 
