Bug 20543 - ipchains bug - some DENY rules ignored
Product: Red Hat Linux
Classification: Retired
Component: ipchains
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
David Lawrence
: Security
Reported: 2000-11-08 18:03 EST by Robin Green
Modified: 2007-04-18 12:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-11-09 09:16:57 EST
Description Robin Green 2000-11-08 18:03:20 EST
I need to block all machines except localhost from connecting to a process
on port 8083 (or whatever port - that can be changed). The command below
has no noticeable effect (except that the rule appears in ipchains -L as
shown below) - I tested it using lynx from a remote machine.

[root@ega051000009 servlet]# ipchains -A input -s ! localhost 8083 -p tcp
[root@ega051000009 servlet]# ipchains -L -v
Chain input (policy ACCEPT: 736517 packets, 144288874 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 DENY       tcp  ------ 0xFF 0x00  any                          !ega051000009         anywhere              8083 ->   any
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
Chain output (policy ACCEPT: 7610 packets, 1530999 bytes):

However, blocking only localhost _does_ work!

[root@ega051000009 servlet]# ipchains -A input -s localhost 8083 -p tcp -j

Config: Redhat 7.0, stock kernel, 
[root@ega051000009 servlet]# rpm -q -f /sbin/ipchains
Comment 1 Jarno Huuskonen 2000-11-09 06:01:30 EST
I think you have the ipchains deny rule wrong. Try this one:
ipchains -A input -s ! localhost --dport 8083 -p tcp -j DENY

Notice the --dport. I think without the --dport your original rule blocks
only if the source port is 8083 ...


PS. If the above rule works better, this is notabug.
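
The source-port versus destination-port distinction Comment 1 points out, as an added example that is not part of the bug report: a small Python model of ipchains rule matching (constructed packets and addresses, not real captures) that evaluates the reporter's original rule and the corrected one against a remote client connecting to port 8083. It assumes `localhost` resolves to 127.0.0.1 and models only the options used in this bug.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    """Subset of an ipchains rule: -s [!] addr [port], --dport port, -p proto, -j target."""
    target: str
    proto: str = "tcp"
    src: Optional[str] = None
    src_negate: bool = False          # the '!' before the -s address
    sport: Optional[int] = None       # a port given after -s is a SOURCE port
    dport: Optional[int] = None       # --dport selects the DESTINATION port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.src is not None:
            hit = ip_address(pkt.src) == ip_address(self.src)
            if hit == self.src_negate:  # '!' inverts the address test
                return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    # First matching rule wins; otherwise the chain policy applies (input policy is ACCEPT here).
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Reporter's rule: -s ! localhost 8083 -p tcp -j DENY  (8083 is a source port here)
ORIGINAL = [Rule(target="DENY", src="127.0.0.1", src_negate=True, sport=8083)]
# Corrected rule from Comment 1: -s ! localhost --dport 8083 -p tcp -j DENY
CORRECTED = [Rule(target="DENY", src="127.0.0.1", src_negate=True, dport=8083)]

# Constructed packets: a remote lynx client uses an ephemeral source port, never 8083.
REMOTE = Packet(src="192.0.2.10", sport=40123, dst="192.0.2.1", dport=8083)
LOCAL = Packet(src="127.0.0.1", sport=40124, dst="127.0.0.1", dport=8083)
```

`verdict(ORIGINAL, REMOTE)` falls through to the ACCEPT policy because the remote client's source port is not 8083, which is exactly the "no noticeable effect" the reporter saw; `verdict(CORRECTED, REMOTE)` returns DENY while local connections stay accepted.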

Comment 2 Robin Green 2000-11-09 09:16:55 EST
It does, thanks! Sorry for being a time-waster.
