Expected behaviour with iptables?

javigus
2012-05-24
2013-03-05
  • javigus
    2012-05-24

    Hello,

    I am using Firewall Builder 5.1.0.3599, creating firewall rules for an iptables-based Linux machine.

    I don't know if the following is the expected behaviour or I have done some strange configuration.

    For instance: I try to accept DHCP requests on a number of VLANS from the corresponding interfaces, and the compiler generates the following construction:

        # DHCP allowed for VLANs VLAN_1, VLAN_2, VLAN_3, VLAN_4
        $IPTABLES -N Cid8513X2311.0
        $IPTABLES -A FORWARD -i eth6.103  -p udp -m udp  -m multiport  --dports 68,67  -m state --state NEW  -j Cid8513X2311.0
        $IPTABLES -A Cid8513X2311.0  -s 10.141.12.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.0  -s 10.141.13.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.0  -s 10.141.14.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.0  -s 10.141.15.0/24   -j ACCEPT
        $IPTABLES -N Cid8513X2311.1
        $IPTABLES -A FORWARD -i eth6.104  -p udp -m udp  -m multiport  --dports 68,67  -m state --state NEW  -j Cid8513X2311.1
        $IPTABLES -A Cid8513X2311.1  -s 10.141.12.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.1  -s 10.141.13.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.1  -s 10.141.14.0/24   -j ACCEPT
        $IPTABLES -A Cid8513X2311.1  -s 10.141.15.0/24   -j ACCEPT

    (…)

    I assume this would work, but isn't there a simpler way to do it, without generating the additional chains and targeting them? Or did I just misconfigure something?

    Thank you.

  • Vadim Kurland
    2012-05-24

    This is just an optimization. The compiler builds rules that way to avoid unnecessary matches of the source address in case the UDP port is not 67 or 68.
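As an added illustration (not part of this thread and not fwbuilder's own code), the following Python model walks a packet through both layouts the way iptables does, stopping at the first failing match of each rule, and counts how many match evaluations each layout costs. It collapses `-p udp -m udp -m multiport --dports 68,67` into a single port match and uses constructed packets on the subnets from the question.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

# Constructed sample data mirroring the thread: four VLAN subnets behind eth6.103.
SOURCES = ["10.141.12.0/24", "10.141.13.0/24", "10.141.14.0/24", "10.141.15.0/24"]

@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    src: str

# A rule is a list of (label, predicate) matches. iptables tests them left to
# right and abandons the rule at the first match that fails.
def m_iface(name):
    return ("-i " + name, lambda p: p.iface == name)
def m_dhcp():  # simplification of "-p udp -m udp -m multiport --dports 68,67"
    return ("udp dports 68,67", lambda p: p.proto == "udp" and p.dport in (67, 68))
def m_src(net):
    return ("-s " + net, lambda p: ip_address(p.src) in ip_network(net))

def walk(rules, pkt, counter):
    """Return True if a rule in `rules` accepts pkt; count predicates evaluated."""
    for matches in rules:
        for _label, pred in matches:
            counter["checks"] += 1
            if not pred(pkt):
                break
        else:
            return True  # every match held: the rule's ACCEPT target fires
    return False

def flat_layout(iface):
    # The "simpler" form: one FORWARD rule per subnet, so -i and the port
    # match are re-evaluated for each of the four rules.
    return [[m_iface(iface), m_dhcp(), m_src(net)] for net in SOURCES]

def chained_layout(iface):
    # What the compiler emits: FORWARD tests -i and ports once, then jumps to
    # a chain (Cid8513X2311.0 in the thread) holding only the source matches.
    return [[m_iface(iface), m_dhcp()]], [[m_src(net)] for net in SOURCES]

def evaluate(layout, pkt, iface="eth6.103"):
    """Return (accepted, number_of_match_evaluations) for one packet."""
    counter = {"checks": 0}
    if layout == "flat":
        return walk(flat_layout(iface), pkt, counter), counter["checks"]
    forward, chain = chained_layout(iface)
    accepted = walk(forward, pkt, counter) and walk(chain, pkt, counter)
    return accepted, counter["checks"]
```

For a non-DHCP UDP packet on eth6.103 the flat layout re-tests the interface and port for all four rules, while the chained layout rejects it after one rule and never touches the source matches.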