[ale] Gory-detail Q: iptables rule not obvious when listed
John Mills
johnmills at speakeasy.net
Tue Oct 28 09:12:14 EST 2003
Bob - thanks for the information.
On Tue, 28 Oct 2003, Bob Toxen wrote:
> On Sat, Oct 25, 2003 at 01:05:49PM -0400, John Mills wrote:
> > Q1) In the second-to-last line of the listing, I expected to see a
> > reflection to my source qualifier "-s ! ppp+". Should I see something
> > like that?
> Yup. That is the problem. Enter the line by hand and see if an
> error is generated. Check the order of parameters. Try adding that
> rule (just for testing) directly to the FORWARD chain and see if it
> appears correct. Send some packets around and then do:
> iptables -L -n -v --line-numbers
> and check the packet counts for each rule. Analyze.
OK - I'll try that.
I ran 'nmap' and 'Shields Up' against the IP reported for the PPP login,
and things _did_ seem to be tight. I'll try to see the action directly
this way.
> > Q2) I set up my script to "Insert" (-I) my filter 'block' as the first
> > line of the targets INPUT and FORWARD, but the HOWTO used "Append"
> > (-A). Was I right to use '-I'?
> That depends on what order you want the rules in. The default is to
> use -A to add rules to the end of the list and generally to put in blocking
> rules before allow rules.
Thanks. If I understand, I flow down the rules for (say) an incoming
packet, and act when one rule is matched, to DROP or whatever. What is the
role of the "Policy" setting?
Thanks.
- John Mills
john.m.mills at alum.mit.edu
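Two things the thread turns on can be modelled without root or a kernel: how -I versus -A changes rule order (and why Bob wants blocking rules ahead of allow rules), and how to read the packet counters from `iptables -L -n -v --line-numbers` to see which rules are actually firing. The script below is an added example, not from the list or from either poster; it simulates first-match chain traversal in plain sh and parses a constructed listing (not captured from a real host). Two facts it relies on: the chain policy is the verdict applied to a packet that reaches the end of a built-in chain without matching any rule, and the `in`/`out` interface columns, where a negated interface qualifier shows up as `!ppp+`, are printed only when `-v` is given, so a plain `iptables -L` will not show such a qualifier at all. Rule syntax (`match:target`, `!` for negation, `in=` labels) is invented for the model.

```shell
#!/bin/sh
# Added example: a pure-shell model of iptables rule order, first-match
# evaluation, chain policy, and counter inspection. Not real iptables.

# --- 1. rule order (-I vs -A) and first-match evaluation --------------------
# A chain is newline-separated "match:target" lines. 'match' is a shell
# pattern tested against a packet label such as "in=ppp0"; a leading "!"
# negates it (like "-i ! ppp+"). These conventions are invented for the model.

# add_rule CHAIN_TEXT -I|-A "match:target" -> prints the new chain text
add_rule() {
    chain=$1; flag=$2; rule=$3
    if [ -z "$chain" ]; then printf '%s' "$rule"; return 0; fi
    case $flag in
        -I) printf '%s\n%s' "$rule" "$chain" ;;   # insert as rule 1
        -A) printf '%s\n%s' "$chain" "$rule" ;;   # append as last rule
        *)  echo "unknown flag $flag" >&2; return 1 ;;
    esac
}

# verdict CHAIN_TEXT POLICY PACKET -> target of the first matching rule, or
# POLICY when nothing matched (this is exactly what the chain policy is for)
verdict() {
    chain=$1; policy=$2; pkt=$3
    hit=$(printf '%s\n' "$chain" | while IFS=: read -r match target; do
        if [ -z "$match" ]; then continue; fi
        case $match in
            !*) neg=1; match=${match#!} ;;
            *)  neg=0 ;;
        esac
        case $pkt in
            $match) m=1 ;;
            *)      m=0 ;;
        esac
        if [ "$m" -ne "$neg" ]; then echo "$target"; break; fi
    done)
    echo "${hit:-$policy}"
}

# --- 2. reading `iptables -L -n -v --line-numbers` counters ------------------
# Constructed sample listing (not from a real host); columns follow the -v
# layout: num pkts bytes target prot opt in out source destination [...]
LISTING='Chain FORWARD (policy DROP 17 packets, 1020 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       52  4160 block      all  --  !ppp+  *       0.0.0.0/0            0.0.0.0/0
2      310 28710 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# chain_policy LISTING -> "POLICY N": the policy target and how many packets
# fell through to it because no rule matched
chain_policy() {
    printf '%s\n' "$1" |
        sed -n 's/^Chain [^ ]* (policy \([A-Z]*\) \([0-9]*\) packets.*/\1 \2/p'
}

# unused_rules LISTING -> numbers of rules whose packet counter is still 0
# (never matched: either shadowed by an earlier rule or mis-specified)
unused_rules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# rule_target LISTING NUM -> target of rule NUM
rule_target() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $4 }'
}

# Demo: the same two rules, appended versus inserted.
demo() {
    appended=$(add_rule "" -A "*:ACCEPT")
    appended=$(add_rule "$appended" -A "!in=ppp*:block")
    inserted=$(add_rule "" -A "*:ACCEPT")
    inserted=$(add_rule "$inserted" -I "!in=ppp*:block")
    echo "block appended, packet from eth0: $(verdict "$appended" DROP in=eth0)"
    echo "block inserted, packet from eth0: $(verdict "$inserted" DROP in=eth0)"
    echo "block inserted, packet from ppp0: $(verdict "$inserted" DROP in=ppp0)"
    echo "empty chain, policy DROP:         $(verdict "" DROP in=ppp0)"
    echo "sample listing policy/fallthrough: $(chain_policy "$LISTING")"
    echo "rules with zero hits:              $(unused_rules "$LISTING")"
}
demo
```

With the block rule appended after a catch-all ACCEPT it is never reached, which is what a zero packet counter on that rule would reveal in the real listing; inserting it first makes it effective. The counters in the chain header tell you how much traffic is being decided by the policy rather than by any explicit rule.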