Bug 20543 - ipchains bug - some DENY rules ignored
Summary: ipchains bug - some DENY rules ignored
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ipchains
Version: 7.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: David Lawrence
Keywords: Security
Reported: 2000-11-08 23:03 UTC by Robin Green
Modified: 2007-04-18 16:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-11-09 14:16:57 UTC


Description Robin Green 2000-11-08 23:03:20 UTC
I need to block all machines except localhost from connecting to a process
on port 8083 (or whatever port - that can be changed). The command below
has no noticeable effect (except that the rule appears in ipchains -L as
shown below) - I tested it using lynx from a remote machine.

[root@ega051000009 servlet]# ipchains -A input -s ! localhost 8083 -p tcp
[root@ega051000009 servlet]# ipchains -L -v
Chain input (policy ACCEPT: 736517 packets, 144288874 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 DENY       tcp  ------ 0xFF 0x00  any                          !ega051000009         anywhere              8083 ->   any
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
Chain output (policy ACCEPT: 7610 packets, 1530999 bytes):

However, blocking only localhost _does_ work!

[root@ega051000009 servlet]# ipchains -A input -s localhost 8083 -p tcp -j

Config: Redhat 7.0, stock kernel, 
[root@ega051000009 servlet]# rpm -q -f /sbin/ipchains

Comment 1 Jarno Huuskonen 2000-11-09 11:01:30 UTC
I think you have the ipchains deny rule wrong. Try this one
ipchains -A input -s ! localhost --dport 8083 -p tcp -j DENY

Notice the --dport. I think without the --dport your original rule blocks
only if the source port is 8083 ...


PS. if the above rule works better this is notabug
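
The following is an added example, not code from the bug report or from Red Hat: a small Python model of the ipchains argument binding that Comment 1 describes. In ipchains a bare port after `-s address` is a source port, so the reporter's rule only matches packets whose source port is 8083, which a remote lynx client never uses; `--dport 8083` binds the port to the destination. The `-j DENY` target that the reporter's listing shows is restored on the reproduced rule. The example also goes one step beyond the page: because a source-address match can be satisfied by a spoofed 127.0.0.1 source, a pair of rules that matches the arrival interface (`-i lo`) is shown alongside. The hostname table, the packets, the interface names and the absence of kernel anti-spoofing (rp_filter) are all assumptions of this model.

```python
# Added example, not from the bug report: model of how ipchains binds a bare
# port number to the address that precedes it ("-s addr port" = source port).
# Hostnames come from a constructed table, not DNS; kernel anti-spoofing is
# not modelled, so the verdicts reflect only what the rule text decides.
from dataclasses import dataclass
import ipaddress
import shlex

# Constructed stand-in for /etc/hosts (assumption).
NAMES = {
    "localhost": ipaddress.ip_network("127.0.0.1/32"),
    "anywhere": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrived on (assumed names below)


def _parse_side(argv, i, spec):
    """Parse '[!] address [[!] port]' at argv[i]; return the next index.
    The optional trailing port belongs to THIS address (source for -s,
    destination for -d), which is the subtlety behind this bug."""
    spec["neg_addr"] = argv[i] == "!"
    if spec["neg_addr"]:
        i += 1
    spec["addr"] = argv[i]
    i += 1
    j = i
    neg_port = j < len(argv) and argv[j] == "!"
    if neg_port:
        j += 1
    if j < len(argv) and argv[j].isdigit():
        spec["port"] = int(argv[j])
        spec["neg_port"] = neg_port
        i = j + 1
    return i


def parse_rule(cmd):
    """Parse the subset of ipchains syntax used on this page into a dict."""
    argv = shlex.split(cmd)
    rule = {"src": {}, "dst": {}, "proto": None, "iface": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "ipchains":
            i += 1
        elif tok in ("-A", "-I"):  # chain name is not modelled
            i += 2
        elif tok == "-s":
            i = _parse_side(argv, i + 1, rule["src"])
        elif tok == "-d":
            i = _parse_side(argv, i + 1, rule["dst"])
        elif tok in ("--sport", "--source-port"):
            rule["src"]["port"] = int(argv[i + 1]); i += 2
        elif tok in ("--dport", "--destination-port"):
            rule["dst"]["port"] = int(argv[i + 1]); i += 2
        elif tok == "-p":
            rule["proto"] = argv[i + 1]; i += 2
        elif tok == "-i":
            rule["iface"] = argv[i + 1]; i += 2
        elif tok == "-j":
            rule["target"] = argv[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return rule


def _side_matches(spec, addr, port):
    if "addr" in spec:
        a = spec["addr"]
        net = NAMES[a] if a in NAMES else ipaddress.ip_network(a, strict=False)
        hit = ipaddress.ip_address(addr) in net
        if hit == spec["neg_addr"]:  # plain match failed, or negated match hit
            return False
    if "port" in spec:
        hit = port == spec["port"]
        if hit == spec.get("neg_port", False):
            return False
    return True


def rule_matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt.proto:
        return False
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    return (_side_matches(rule["src"], pkt.src, pkt.sport)
            and _side_matches(rule["dst"], pkt.dst, pkt.dport))


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule that has a -j target decides; else chain policy."""
    for cmd in rules:
        rule = parse_rule(cmd)
        if rule["target"] and rule_matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed traffic: the remote lynx client uses an ephemeral source port.
REMOTE = Packet("tcp", "192.0.2.10", 40000, "192.0.2.1", 8083, "eth0")
LOCAL = Packet("tcp", "127.0.0.1", 40001, "127.0.0.1", 8083, "lo")
SPOOFED = Packet("tcp", "127.0.0.1", 40002, "192.0.2.1", 8083, "eth0")

# Reporter's rule (with the -j DENY its listing shows): 8083 is a SOURCE port.
BROKEN = ["ipchains -A input -s ! localhost 8083 -p tcp -j DENY"]
# Comment 1's fix: --dport makes 8083 the destination port.
FIXED = ["ipchains -A input -s ! localhost --dport 8083 -p tcp -j DENY"]
# Beyond the page: match the arrival interface, not a spoofable source.
BY_IFACE = [
    "ipchains -A input -i lo -p tcp --dport 8083 -j ACCEPT",
    "ipchains -A input -p tcp --dport 8083 -j DENY",
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED), ("by_iface", BY_IFACE)):
        print(name, verdict(rules, REMOTE), verdict(rules, LOCAL), verdict(rules, SPOOFED))
```

Run as-is, the model returns ACCEPT for the remote client under the reporter's rule (no match, so the chain policy applies) and DENY under the `--dport` rule, while loopback traffic passes both. The third rule set shows why a practitioner would still prefer the interface match, or simply bind the service to 127.0.0.1: the `-s ! localhost` rule lets through a packet that merely claims a loopback source.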

Comment 2 Robin Green 2000-11-09 14:16:55 UTC
It does, thanks! Sorry for being a time-waster.
