Confusing Rules In The Default Iptables Configuration Under Fedora And RedHat Enterprise Linux
I have seen posts in a number of online forums to the effect that a couple of rules in the default Iptables firewall configuration under Fedora and Redhat Enterprise Linux are causing confusion.
1) Is there a general traffic accept rule?
When iptables -L is run (with -n here, so that addresses are printed numerically rather than as "anywhere"), the output appears to begin the RH-Firewall-1-INPUT chain with a rule that accepts all traffic:

Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source               destination
ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT               icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT               esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT               ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT               udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT               udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT               all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
REJECT               all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
The example is the default Iptables configuration as installed when no additional options (such as the Remote Login (SSH) checkbox) were selected at the firewall configuration stage of the install.

The answer is simple enough: the rule only accepts traffic arriving on the loopback interface (lo). Plain iptables -L does not print the interface columns, so an -i lo match is invisible in that listing; iptables -L -v -n adds the in/out columns, and iptables-save (or the saved ruleset in /etc/sysconfig/iptables) shows every match exactly as it was written. When auditing a ruleset, use one of those rather than plain -L. The file below is the same ruleset; this copy was saved with Remote Login (SSH) ticked, which accounts for the extra port 22 rule near the end:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
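As an added example (not code from this post, nor from Red Hat's system-config-securitylevel), the following Python walks the ruleset above the way the kernel would for a few constructed packets, and also lists any ACCEPT rule that genuinely carries no match at all, which is the check a plain iptables -L cannot give you. It implements only the matches this ruleset uses; the packets, interface names and addresses are constructed for illustration.

```python
"""Walk the default RH-Firewall-1-INPUT chain for constructed packets.
Added example, not code from the original post; it implements only the
matches the quoted ruleset uses (-i, -p, -d, --dport, --state)."""
import ipaddress
import shlex

# Constructed copy of the ruleset quoted above, in iptables-save format.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}  # per /etc/protocols
MATCH_KEYS = ("iface", "proto", "dport", "dst", "states")

def parse_rules(text):
    """Return ({chain: [rule, ...]}, {built-in chain: policy})."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                       # chain declaration
            name, policy, _counters = line[1:].split()
            chains[name] = []
            if policy != "-":                          # "-" marks a user-defined chain
                policies[name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            rule = {**dict.fromkeys(MATCH_KEYS + ("target",)), "raw": line}
            for opt, arg in zip(toks[1::2], toks[2::2]):  # every option here takes one arg
                if opt == "-i":
                    rule["iface"] = arg
                elif opt == "-p":
                    rule["proto"] = PROTO.get(arg) or int(arg)
                elif opt == "--dport":
                    rule["dport"] = int(arg)
                elif opt == "-d":
                    rule["dst"] = ipaddress.ip_network(arg, strict=False)
                elif opt == "--state":
                    rule["states"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                # "-m <module>", "--icmp-type any" and "--reject-with" need no state here
            chains[toks[0]].append(rule)
    return chains, policies

def rule_matches(rule, pkt):
    """Every match the rule specifies must hold; an absent match is a wildcard."""
    return ((rule["iface"] is None or pkt["iface"] == rule["iface"])
            and (rule["proto"] is None or pkt["proto"] == rule["proto"])
            and (rule["dport"] is None or pkt.get("dport") == rule["dport"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))

def verdict(chains, policies, chain, pkt, trace):
    """First terminating target wins; a user chain that runs off its end RETURNs."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        trace.append(rule["raw"])
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains:                   # jump into a user-defined chain
            result = verdict(chains, policies, rule["target"], pkt, trace)
            if result is not None:
                return result
    return policies.get(chain)                         # None == RETURN for user chains

def input_verdict(pkt, ruleset=RULESET):
    """Verdict for a packet arriving at INPUT, plus the rules it matched on the way."""
    chains, policies = parse_rules(ruleset)
    trace = []
    return verdict(chains, policies, "INPUT", pkt, trace), trace

def unrestricted_accepts(ruleset=RULESET):
    """ACCEPT rules carrying no match at all, i.e. a real accept-everything rule."""
    chains, _ = parse_rules(ruleset)
    return [r["raw"] for rules in chains.values() for r in rules
            if r["target"] == "ACCEPT" and all(r[k] is None for k in MATCH_KEYS)]

if __name__ == "__main__":
    # Constructed packets: interface, protocol number, destination, dport, conntrack state.
    samples = [
        ("lo   tcp/80   NEW", dict(iface="lo", proto=6, dst="127.0.0.1", dport=80, state="NEW")),
        ("eth0 tcp/80   NEW", dict(iface="eth0", proto=6, dst="192.0.2.10", dport=80, state="NEW")),
        ("eth0 udp/5353 mcast", dict(iface="eth0", proto=17, dst="224.0.0.251", dport=5353, state="NEW")),
        ("eth0 udp/5353 ucast", dict(iface="eth0", proto=17, dst="192.0.2.10", dport=5353, state="NEW")),
        ("eth0 tcp/3689 NEW", dict(iface="eth0", proto=6, dst="192.0.2.10", dport=3689, state="NEW")),
    ]
    for label, pkt in samples:
        result, trace = input_verdict(pkt)
        print(f"{label:20} -> {result:6} by: {trace[-1]}")
    print("accept-all rules:", unrestricted_accepts() or "none")
```

Run as a script it prints the verdict and the rule that produced it for each packet: the loopback packet is accepted by the -i lo rule, the same packet on eth0 falls through to the REJECT, and udp/5353 is accepted only when addressed to 224.0.0.251. unrestricted_accepts() returns an empty list for this ruleset; delete the "-i lo" from the first rule and it reports that rule, which is exactly the accept-all that plain iptables -L makes it look like.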
2) A mysterious multicast rule
The following multicast rule appears in the default configuration and a number of people are wondering what it is:
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
The answer is multicast DNS (mDNS) rather than a music protocol as such: 224.0.0.251 is the link-local multicast group and UDP port 5353 the port that mDNS uses (RFC 6762), and Fedora ships a Zeroconf responder (Avahi, the Linux counterpart of Apple's Bonjour) that listens there. The rule is often associated with Apple's Digital Audio Access Protocol (DAAP), the music-sharing protocol iTunes uses, because a DAAP share announces itself through mDNS/DNS-SD as a _daap._tcp service; that is the connection, but the rule itself does not open DAAP.

Daapd scans a directory for music files (mp3, aac, uncompressed) and makes them available via the Apple proprietary protocol DAAP. DAAP clients can browse the directory and retrieve individual files, either by streaming or by downloading them. What a client does first, though, is find the share via mDNS; the share itself listens on TCP port 3689, which the default ruleset rejects, so a stock install answers mDNS queries for a daapd share (through this rule) while the share's own port stays closed until it is explicitly opened. Two things are worth noting about the rule as written: it is not limited to an interface, so multicast queries from any attached network reach the responder, and it is a plain destination/port match with no state, so any host on the link can send to it.
I just can’t believe that this rule is in the default “no frills” ruleset.
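To make the distinction concrete, the following is an added example (not code from this post, from daapd or from iTunes) that builds and decodes the DNS-SD messages behind a DAAP share advertisement: a PTR query for _daap._tcp.local, which is the kind of packet the 224.0.0.251/udp 5353 rule admits, and a constructed reply whose SRV record carries the port the share actually listens on. The service instance name, host name and reply contents are constructed for illustration, not captured from a real share.

```python
"""Build and decode the DNS-SD messages behind a DAAP share advertisement.
Added example, not code from the original post; service/host names and
the reply are constructed, not captured from a real iTunes or daapd."""
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # what the firewall rule admits (RFC 6762)
DAAP_PORT = 3689                              # where an iTunes/daapd share actually listens (TCP)
TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1

def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off:], following 0xC0 compression pointers if present."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + n].decode())
        off += n

def build_query(service):
    """One-question PTR query; mDNS uses ID 0 and the QU bit is left clear."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def build_response(service, instance, host, port):
    """Authoritative reply: PTR service -> instance, SRV instance -> host:port."""
    header = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)  # QR=1, AA=1, two answers
    ptr_rdata = encode_name(instance)
    ptr = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(ptr_rdata)) + ptr_rdata
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)  # priority, weight, port, target
    srv = encode_name(instance) + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 120, len(srv_rdata)) + srv_rdata
    return header + ptr + srv

def parse_message(msg):
    """Return (flags, [(qname, qtype, qclass)], [(name, rtype, value)])."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass & 0x7FFF))  # strip the mDNS QU bit
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            value = decode_name(msg, off)[0]
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", msg[off:off + 6])
            value = (decode_name(msg, off + 6)[0], port)
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, value))
    return flags, questions, answers

def advertised_port(reply):
    """Port the SRV record says the share listens on, or None if there is no SRV."""
    for _name, rtype, value in parse_message(reply)[2]:
        if rtype == TYPE_SRV:
            return value[1]
    return None

if __name__ == "__main__":
    query = build_query("_daap._tcp.local")
    reply = build_response("_daap._tcp.local", "Music._daap._tcp.local", "laptop.local", DAAP_PORT)
    print(f"query ({len(query)} bytes) is sent to {MDNS_GROUP}:{MDNS_PORT}/udp, which the rule accepts")
    for name, rtype, value in parse_message(reply)[2]:
        print(f"  {name} type {rtype} -> {value}")
    print(f"the share itself listens on tcp/{advertised_port(reply)}, which the default ruleset rejects")
```

The point of the round trip is the last line: everything the firewall rule lets in is DNS, and the only thing DNS tells the client about the music share is a name and a port number. Reaching the share is a separate TCP connection to that port, which the default REJECT rule still blocks.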
What about 631, 50 and 51? What are those for?
Comment by Diego — March 14, 2006 @ 2:12 pm
Dear Diego.
50 and 51 are IP protocols (AH and ESP); they have to do with IPSEC. See /etc/protocols.
631 refers to CUPS, the common unix print system. See /etc/services.
James
Comment by James Stephens — March 14, 2006 @ 3:08 pm
Thanks for the good explanation. I was just wondering what the purpose of this rule
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
was when I found this post. Cheers
Comment by nick — December 2, 2006 @ 12:38 pm