* a small quick and dirty solution
From: Payal Rathod @ 2003-08-12  7:57 UTC
  To: Netfilter ML

Hi,
I am on a Linux box (mdk 9.1) which is connected to the net. I want to allow
the internal Windows machines 192.68.10.x to browse the net and anything
else (NAT). But nobody should be allowed to access any port from outside
the LAN, except for the ftp service on port 21.
I have a problem understanding the default DROP policy and then opening
the required ports. Can someone give an example of this please?

Thanks a lot in advance and bye.
With warm regards,
-Payal


-- 
For GNU/Linux Success Stories and Articles visit:
          http://payal.staticky.com



* Re: a small quick and dirty solution
From: anantharaman.iyer @ 2003-08-12 10:58 UTC
  To: Payal Rathod, Netfilter ML

hello payal,

Generally the default policy of any firewall is kept as "Default Deny", and
then the administrator opens up the required ports. So any packet hitting
the firewall is examined against the rule base to see whether any entry in
the rules matches the packet (e.g. the source IP, source port, destination
IP, destination port and also the mentioned service). In the event that none
of the existing rules matches, the firewall takes the action given by the
default rule, which in most cases is DROP.
The definition of the DROP policy as per the tutorial on the netfilter site
is as below:
"The DROP target does just what it says, it drops packets dead and will not 
carry out any further processing. A packet that matches a rule perfectly and 
is then Dropped will be blocked. Note that this action might in certain 
cases have an unwanted effect, since it could leave dead sockets around on 
either host. A better solution in cases where this is likely would be to use 
the REJECT target, especially when you want to block port scanners from 
getting too much information, such as on filtered ports and so on. Also note 
that if a packet has the DROP action taken on it in a subchain, the packet 
will not be processed in any of the main chains either in the present or in 
any other table. The packet is in other words totally dead. As we've seen 
previously, the target will not send any kind of information in either 
direction, nor to intermediaries such as routers."
For further reference, here is the link to that site:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
For any further clarifications, do let me know.

Regards

Iyer Anantharaman
Senior Infosec Consultant

On Tue, 12 Aug 2003 07:57:52 +0000, Payal Rathod wrote
> Hi,
> I am on a linux box (mdk 9.1) which is connected to net. I want to allow
> internal windows machine 192.68.10.x to browse the net and anything
> (NAT). But
> nobody should be allowed to access any port from outside the LAN. Except
> for ftp services on port 21.
> I have a problem understanding the default DROP policy and then opening
> required ports. Can someone give an example on this please?
> 
> Thanks a lot in advance and bye.
> With warm regards,
> -Payal
> 
> -- 
> For GNU/Linux Success Stories and Articles visit:
>           http://payal.staticky.com



--
Open WebMail Project (http://openwebmail.org)





* Re: a small quick and dirty solution
From: Payal Rathod @ 2003-08-14  6:51 UTC
  To: anantharaman.iyer; +Cc: Netfilter ML

On Tue, Aug 12, 2003 at 04:29:14PM +0530, anantharaman.iyer wrote:
> Generally the default policy of any firewall is kept as "Default Deny" and 
> then the administrator can open up the required ports. So any packet hitting 
[...]

Ok. Great. Then does this mean,

# accept new inbound connections to the FTP control port
$IPTABLES -A INPUT -p tcp -s 0/0 -d $STATIC_IP --dport 21 -j ACCEPT

# default verdict for anything no rule in INPUT matched
$IPTABLES -P INPUT DROP


that all connections except to port 21 of the external IP are not allowed.

Also should default rule be kept first or last as I have done below?
Or does it not matter in my case?

Thanks a lot for the explanation and bye.

With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
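The following is an added example, not code from anyone in this thread. It
puts Iyer's "default deny, then open what you need" description and Payal's
two rules together into one complete ruleset for the scenario described
(one Linux box doing NAT for the LAN, nothing reachable from outside except
ftp on port 21), and it answers the ordering question directly: -P sets the
chain's fall-through verdict, which the kernel consults only after every
rule in the chain has failed to match, so it gives the same result whether
it is issued before or after the -A rules. Everything below that is not on
the page is an assumption: eth0 faces the net, eth1 faces the LAN, the LAN
is 192.168.10.0/24 (the post says 192.68.10.x, taken here as a typo for the
RFC 1918 range), and the public address is 203.0.113.10 from the
documentation range. By default the script only prints the iptables
commands; set IPTABLES=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example for the thread above, not from the original posts.
# Assumed names (not on the page): eth0 = internet, eth1 = LAN,
# LAN = 192.168.10.0/24, STATIC_IP = 203.0.113.10 (documentation address).
# Default is a dry run that echoes the commands; IPTABLES=iptables applies them.

IPTABLES=${IPTABLES:-"echo iptables"}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.10.0/24}
STATIC_IP=${STATIC_IP:-203.0.113.10}

build_rules() {
    # Default policies. Their position relative to the -A rules below does
    # not matter: a policy is the verdict for packets that reach the end of
    # the chain without matching any rule, whenever it was set.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Empty the chains so re-running the script does not stack duplicates.
    $IPTABLES -F
    $IPTABLES -t nat -F

    # Local services talk to themselves over loopback.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Return traffic for connections the box or the LAN started. Without
    # this, a DROP policy silently kills the reply half of every outbound
    # connection, including the LAN's web browsing.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The single service exposed to the internet: the FTP control channel.
    # FTP data connections use other ports; ip_conntrack_ftp marks them
    # RELATED so the rule above lets them through (loaded in main below).
    $IPTABLES -A INPUT -i $EXT_IF -p tcp -d $STATIC_IP --dport 21 \
        -m state --state NEW -j ACCEPT

    # The LAN may reach the box and, through NAT, anything outside.
    $IPTABLES -A INPUT   -i $INT_IF -s $LAN -j ACCEPT
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $STATIC_IP

    # Optional: uncomment to answer other inbound TCP with a reset instead
    # of silence, which is the REJECT behaviour discussed above. A scanner
    # then sees "closed" rather than "filtered", and the peer's socket
    # fails at once instead of hanging on retransmits.
    # $IPTABLES -A INPUT -i $EXT_IF -p tcp -j REJECT --reject-with tcp-reset
}

# Audit helper: which TCP/UDP ports does INPUT accept new connections to
# from the external interface? For this ruleset the answer is "21".
exposed_ports() {
    build_rules \
        | grep -e "-A INPUT -i $EXT_IF " \
        | grep -e '-j ACCEPT' \
        | sed -n 's/.*--dport \([0-9]*\).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

if [ "$IPTABLES" = "echo iptables" ]; then
    # Dry run: show the commands and the audit result.
    build_rules
    echo "# ports exposed on $EXT_IF: $(exposed_ports)"
else
    # Real run (root): FTP helper for data connections, routing on, rules.
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
fi
```

Two practical notes. First, apply this from the console the first time: while the script runs there is a short window after -P INPUT DROP and before the ESTABLISHED,RELATED rule exists, and if the script aborts inside that window a remote session is gone. Second, after applying, check the result with "iptables -L -n -v" and "iptables -t nat -L -n -v" and then try the FTP login from outside, including a directory listing, because a listing needs the data connection and therefore the conntrack FTP helper; if the login works but the listing hangs, the helper module is not loaded.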


