From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Policy Misunderstanding: RTFM Guidance Requested.
Date: Wed, 01 Sep 2004 12:50:58 -0400
Message-ID: <1094057457.1824.11.camel@wolfpack.ljm.dom>
In-Reply-To: <8ca4228204090108466549b5f3@mail.gmail.com>
On Wed, 2004-09-01 at 11:46, Mike wrote:
> Hi Deepak,
>
> Thank you for your response.
>
> On Wed, 1 Sep 2004 09:27:22 -0400, Deepak Seshadri
> <dseshadri@broadbandmaritime.com> wrote:
> >
> > If the default policy on your mangle & Nat chain is set to DROP & if you
> > have no rules to classify traffic in these tables, all your packets will get
> > dropped here. They will not make it to the FILTER table.
>
> This is a good point and shows where maybe I am starting to MIS-understand.
>
> 1. Can appended rules override default policies?
yes--for example:
iptables -P INPUT DROP
iptables -A INPUT -j ACCEPT
will accept all traffic in the INPUT chain. the POLICY of a chain is
only enforced when a packet reaches the last rule in that chain and
hasn't matched any rules.
> 2. Do you need to include appended rules to parts of the iptables
> chain that you are not using, or else all the packets will get
> dropped? For example, do you have to set Mangle rules even if you are
> not using any Mangling but have set a DROP policy for mangling.
if you set the policies of the mangle chains to DROP and then do not
append any rules, you can be pretty sure that no traffic will get
through.
i'd recommend against starting your netfilter adventure by setting the
policies of nat & mangle chains to DROP. it will make it a very short
trip...
-j
--
Jason Opperisano <opie@817west.com>
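The chain semantics described in this reply (first matching rule decides, the chain policy applies only when a packet reaches the end of the chain unmatched, and a DROP policy on an empty mangle chain stops the packet before the filter table is consulted), as an added Python model that is not part of the thread. It assumes a simplified inbound path of mangle PREROUTING, nat PREROUTING, mangle INPUT, filter INPUT, and uses constructed sample packets:

```python
# Added model (not from the thread): a chain's policy is consulted only when a
# packet falls off the end of the chain without matching any rule.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

@dataclass
class Rule:
    target: str                                     # "ACCEPT" or "DROP"
    match: Callable[[dict], bool] = lambda p: True  # no match spec = matches all

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:     # rules are tried in append (-A) order
            if rule.match(pkt):
                return rule.target  # first match wins; later rules never run
        return self.policy          # fell off the end: the policy decides

def traverse(pkt: dict, path: List[Tuple[str, Chain]]) -> str:
    """Run pkt through the chains in order; report the first chain that drops it."""
    for name, chain in path:
        if chain.verdict(pkt) == "DROP":
            return f"DROP in {name}"  # later chains (e.g. filter) never see it
    return "ACCEPT"

def inbound_path(filter_input: Chain, mangle_policy: str = "ACCEPT") -> list:
    """Chains a packet addressed to this host crosses, mangle left empty
    (simplified: nat is really consulted only for a connection's first packet)."""
    return [("mangle PREROUTING", Chain(mangle_policy)), ("nat PREROUTING", Chain()),
            ("mangle INPUT", Chain(mangle_policy)), ("filter INPUT", filter_input)]

# constructed sample packets and a typical "allow ssh, drop the rest" INPUT chain
SSH, HTTP = {"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 80}
SSH_ONLY = Chain("DROP", [Rule("ACCEPT", lambda p: p["dport"] == 22)])

def policy_drop_then_accept_all() -> str:
    """iptables -P INPUT DROP ; iptables -A INPUT -j ACCEPT  -> everything accepted"""
    return traverse(HTTP, inbound_path(Chain("DROP", [Rule("ACCEPT")])))

def drop_policy_on_empty_mangle() -> str:
    """mangle policy DROP with no rules: even permitted SSH dies before filter INPUT"""
    return traverse(SSH, inbound_path(SSH_ONLY, mangle_policy="DROP"))

def filter_only() -> tuple:
    """only filter INPUT is DROP by policy: SSH matches its rule, HTTP hits the policy"""
    return traverse(SSH, inbound_path(SSH_ONLY)), traverse(HTTP, inbound_path(SSH_ONLY))
```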