* clearing basics: semi-OT
@ 2003-04-10 8:06 Payal Rathod
2003-04-10 14:21 ` Joel Newkirk
2003-04-10 15:21 ` Kim Jensen
0 siblings, 2 replies; 5+ messages in thread
From: Payal Rathod @ 2003-04-10 8:06 UTC (permalink / raw)
To: netfilter
Hi,
I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO.
In it these things were mentioned,
UNIVERSE="0.0.0.0/0"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
What exactly does 0.0.0.0/0 mean? And why should we be concerned with
it? And what is the use of rule given after it?
INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"
The first one means the entire network of 192.168.1.x? What exactly is
the second one. Does it just means 192.168.1.1 then why "/24"?
And lastly,
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j DROP
Why was this rule made? And why was it "dropped"? What is the logic
behind this? Shouldn't it be,
$IPTABLES -P drop-and-log-it DROP
Thanks a lot for the patience and bye.
With warm regards,
-Payal
p.s please make a cc to me too.
--
"Visit GNU/Linux Success Stories"
www.geocities.com/rpayal99
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: clearing basics: semi-OT
2003-04-10 8:06 clearing basics: semi-OT Payal Rathod
@ 2003-04-10 14:21 ` Joel Newkirk
2003-04-14 13:50 ` Payal Rathod
2003-04-10 15:21 ` Kim Jensen
1 sibling, 1 reply; 5+ messages in thread
From: Joel Newkirk @ 2003-04-10 14:21 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
On Thu, 2003-04-10 at 04:06, Payal Rathod wrote:
> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO.
> In it these things were mentioned,
>
> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> What exactly does 0.0.0.0/0 mean? And why should we be concerned with
> it? And what is the use of rule given after it?
The important part here is the /0, which means that NO bits of the
preceding IP are significant. That means this will match any address.
The second rule deals with the lo interface, local loopback. This rule
lets the box talk to itself as much as it wants with any IP. (although
actually 127.0.0.1 is the standard, and 127.0.0.0/8 is the valid range)
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
>
> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?
First one - yep. Second one means precisely the same thing. It should
probably be 192.168.1.1/32, or with no mask at all, and is probably
intended to be used to indicate the IP of the internal (LAN-facing)
interface.
> And lastly,
>
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP
>
> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP
-N makes a new chain, and the -A adds a DROP rule to it. -P policy
isn't valid for a custom chain, only the built-in chains. The logic
here is that you could use
$IPTABLES -I drop-and-log-it 1 -j LOG
and then everything would be logged before dropping. More useful would
be to use a --log-prefix to identify where the DROP came from, IE if it
was INPUT, OUTPUT, FORWARD, etc, and WHY it was dropped, but that would
mean individual LOG rules for each case. (Or, log in the originating
chain... which defeats the concept of _LOG_ and drop...)
>
> Thanks a lot for the patience and bye.
> With warm regards,
> -Payal
>
> p.s please make a cc to me too.
j
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: clearing basics: semi-OT
2003-04-10 14:21 ` Joel Newkirk
@ 2003-04-14 13:50 ` Payal Rathod
0 siblings, 0 replies; 5+ messages in thread
From: Payal Rathod @ 2003-04-14 13:50 UTC (permalink / raw)
To: netfilter
On Thu, Apr 10, 2003 at 10:21:14AM -0400, Joel Newkirk wrote:
> The important part here is the /0, which means that NO bits of the
> preceding IP are significant. That means this will match any address.
[...]
Got it.
Thanks a lot for all the help. I have written some firewall rules which
I will post to the list in other mail. Please have a look at them.
Regards,
-Payal
--
"Visit GNU/Linux Success Stories"
www.geocities.com/rpayal99
Guest-Book Section Updated.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: clearing basics: semi-OT
2003-04-10 8:06 clearing basics: semi-OT Payal Rathod
2003-04-10 14:21 ` Joel Newkirk
@ 2003-04-10 15:21 ` Kim Jensen
1 sibling, 0 replies; 5+ messages in thread
From: Kim Jensen @ 2003-04-10 15:21 UTC (permalink / raw)
To: Payal Rathod, netfilter
On Thursday 10 April 2003 10:06, Payal Rathod wrote:
> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO.
> In it these things were mentioned,
>
> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> What exactly does 0.0.0.0/0 mean? And why should we be concerned with
> it? And what is the use of rule given after it?
>
0.0.0.0/0 means everybody!
The rule is saying that everything from and to the localhost should be
accepted - in general a very good thing, unless you know what you are doing!
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
>
> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?
> And lastly,
>
The 192.168.1.0/24 means: everything from 192.168.1.0 to 192.168.1.255. The
/24 is part of the mask, read
http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.txt.
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP
>
> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP
>
There is no default chain called drop-and-log-it, which is why you make a
custom chain. A better version would be:
$IPTABLES -N drop-and-log-it
$IPTABLES -F drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG
$IPTABLES -A drop-and-log-it -j DROP
The first line creates a new chain (-N) with the name drop-and-log-it. The
second line (-F) flushes the new chain in case you already have this chain
running. The third lines appends a rule which logs everything and finally the
fourth line drops the packets.
/Kim
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: clearing basics: semi-OT
@ 2003-04-10 14:17 dhiraj.2.bhuyan
0 siblings, 0 replies; 5+ messages in thread
From: dhiraj.2.bhuyan @ 2003-04-10 14:17 UTC (permalink / raw)
To: linux, netfilter
Answers inline -
> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading
HOWTO.
> In it these things were mentioned,
> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> What exactly does 0.0.0.0/0 mean? And why should we be concerned with
sending 0.0.0.0 is a standard way of asking for a dhcp address.
> it? And what is the use of rule given after it?
read iptables manpage (-i interface -s source -d destination)
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?
192.168.1.0/24 is the subnet (/24 is the subnet mast - can also be
represented by 255.255.255.0)
similarly the 192.168.1.1/24
> And lastly,
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP
-N adds a new chain
-A appends a rule
> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP
Can't see any logic unless you show how this chain is hooked to the default
chains.
> Thanks a lot for the patience and bye.
> With warm regards,
> -Payal
> p.s please make a cc to me too.
dhiraj
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-04-14 13:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-04-10 8:06 clearing basics: semi-OT Payal Rathod
2003-04-10 14:21 ` Joel Newkirk
2003-04-14 13:50 ` Payal Rathod
2003-04-10 15:21 ` Kim Jensen
-- strict thread matches above, loose matches on Subject: below --
2003-04-10 14:17 dhiraj.2.bhuyan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.