* Iptables rules...
From: Didier Hung Wan Luk @ 2002-09-07 9:39 UTC (permalink / raw)
To: Netfilter Mailing List
Hi All,
I am new to firewalls/iptables; can someone help me to clear up some concepts about firewalling?
If my default rule for the INPUT chain of my external interface is DROP, need I again specify to DROP packets in the INPUT chain of my external interface?
i.e.
#My Default rule
iptables -P INPUT DROP
#Drop all attempts on my ext. interface through port 6000:6063
iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
If I am right, I think that I need not include a rule again saying to drop packets to my 6000:6063 ports, since I do not have a rule saying to accept connections on these ports...
Thanks,
Didier Hung Wan Luk
* Re: Iptables rules...
From: Antony Stone @ 2002-09-07 10:36 UTC (permalink / raw)
To: Netfilter Mailing List
On Saturday 07 September 2002 10:39 am, Didier Hung Wan Luk wrote:
> Hi All,
>
> I am new to firewall/iptables can someone help me to clear up some concepts
> about firewalling?
>
> If my default rule for the input chain of my external interface is DROP
> need I again specify to DROP packets in the INPUT chain of my external
> interface?
There is only one INPUT chain. The rules and the default policy apply to
all interfaces.
> #My Default rule
> iptables -P INPUT DROP
>
> #Drop all attempts on my ext. interface through port 6000:6063
> iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
>
> If I am right I think that I need not include a rule again saying to drop
> packets to my 6000:6063 ports since I do not have a rule saying to accept
> connections on these ports...
If you have a default DROP policy, then you should not (normally) need to
specify any DROP rules. If you do not have a rule ACCEPTing certain
packets, then they will be DROPped by default. That is what the policy is
for.
For example:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
will drop SMTP traffic on port 25, because there is no rule ACCEPTing it.
These rules will also drop POP3, IMAP, FTP, IDENT... everything except
HTTP.
Antony.
--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
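The first-match semantics Antony describes (rules are checked in order, the first matching ACCEPT or DROP decides, and a packet that matches no rule falls through to the chain policy) can be modelled in a few lines. The following is an added illustration written for this thread; it is a constructed simulation of the INPUT chain, not iptables or netfilter code, and the packets it evaluates are constructed samples. It reproduces Antony's two rules, then appends Didier's explicit DROP for ppp0 ports 6000:6063 and checks that the verdict never changes under a DROP policy, while the same DROP rule does matter when the policy is ACCEPT.

```python
"""Constructed model of iptables INPUT-chain evaluation (added example, not netfilter code).

Only ACCEPT and DROP are modelled; non-terminating targets such as LOG and
connection-tracking matches are deliberately left out.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    proto: str      # "tcp", "udp", ...
    dport: int      # destination port


@dataclass
class Rule:
    target: str                      # -j ACCEPT or -j DROP
    in_iface: Optional[str] = None   # -i <iface>; None means any interface
    proto: Optional[str] = None      # -p <proto>; None means any protocol
    dports: Optional[range] = None   # --dport lo:hi (inclusive); None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


@dataclass
class Chain:
    policy: str                                  # iptables -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A INPUT ...
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; no match falls through to the policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def dport_range(lo: int, hi: int) -> range:
    """--dport lo:hi is inclusive on both ends."""
    return range(lo, hi + 1)


def antony_example() -> Chain:
    # iptables -P INPUT DROP
    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dports=dport_range(80, 80)))
    return chain


def didier_drop_rule() -> Rule:
    # iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
    return Rule("DROP", in_iface="ppp0", proto="tcp", dports=dport_range(6000, 6063))


def with_redundant_drop() -> Chain:
    chain = antony_example()
    chain.append(didier_drop_rule())
    return chain


def with_accept_policy() -> Chain:
    # Same explicit DROP, but under a default-ACCEPT policy it is what blocks the ports.
    chain = Chain(policy="ACCEPT")
    chain.append(didier_drop_rule())
    return chain


def differing_packets(a: Chain, b: Chain, packets: List[Packet]) -> List[Packet]:
    """Packets on which the two chains disagree (empty list: the rule sets are equivalent)."""
    return [p for p in packets if a.verdict(p) != b.verdict(p)]


# Constructed sample traffic: HTTP and SMTP on the external link, X11 ports on both interfaces.
SAMPLE_PACKETS = [
    Packet("ppp0", "tcp", 80),
    Packet("ppp0", "tcp", 25),
    Packet("ppp0", "tcp", 6000),
    Packet("eth0", "tcp", 6010),
    Packet("eth0", "tcp", 80),
    Packet("ppp0", "udp", 53),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, antony_example().verdict(pkt))
    print("extra DROP changes:", differing_packets(antony_example(), with_redundant_drop(), SAMPLE_PACKETS))
```

Two things fall out of running it: the ACCEPT rule has no `-i`, so port 80 is accepted on eth0 as well as ppp0, which is Antony's point that there is one INPUT chain shared by every interface; and the explicit DROP for 6000:6063 never changes a verdict under the DROP policy, but becomes the only thing closing those ports if the policy is ever switched to ACCEPT. That is the usual argument for keeping a deny-by-default policy and reviewing the chain as a whole rather than relying on individual DROP rules.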
* REMOVE FROM LIST. THIS IS SPAM
From: Mike D @ 2002-09-07 12:15 UTC (permalink / raw)
To: Didier Hung Wan Luk, Netfilter Mailing List
----- Original Message -----
From: "Didier Hung Wan Luk" <DidierH@frci.net>
To: "Netfilter Mailing List" <netfilter@lists.netfilter.org>
Sent: Saturday, September 07, 2002 5:39 AM
Subject: Iptables rules...
> Hi All,
>
> I am new to firewall/iptables can someone help me to clear up some
> concepts about firewalling?
>
> If my default rule for the input chain of my external interface is DROP
> need I again specify to DROP packets in the INPUT chain of my external
> interface?
>
> i.e.
>
> #My Default rule
> iptables -P INPUT DROP
>
> #Drop all attempts on my ext. interface through port 6000:6063
> iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
>
> If I am right I think that I need not include a rule again saying to drop
> packets to my 6000:6063 ports since I do not have a rule saying to accept
> connections on these ports...
>
> Thanks,
>
> Didier Hung Wan Luk
* Re: REMOVE FROM LIST. THIS IS SPAM
From: Anders Fugmann @ 2002-09-07 13:39 UTC (permalink / raw)
To: Mike D; +Cc: Netfilter Mailing List
Please stop spamming this list. If you want to unsubscribe, then
go to: http://lists.netfilter.org/mailman/listinfo/netfilter/
Luckily, you just entered my blacklist - Welcome!
Regards
Anders Fugmann
* Re: REMOVE FROM LIST. THIS IS SPAM
From: Robin Lynn Frank @ 2002-09-07 16:17 UTC (permalink / raw)
To: Anders Fugmann, Mike D; +Cc: Netfilter Mailing List
On Saturday 07 September 2002 06:39, Anders Fugmann wrote:
# Please stop spamming this list. If you want to unsubscribe, then
# go to: http://lists.netfilter.org/mailman/listinfo/netfilter/
#
# Luckily, you just entered my blacklist - Welcome!
#
# Regards
# Anders Fugmann
I also blacklisted him while mumbling something about there being an
oversupply of morons in the world.
--
Robin Lynn Frank
Paradigm-Omega, LLC
==================================
The only certainty about documentation is that
whoever wrote it "might" have understood it.
The rest of us may not be so lucky.