Iptables rules...

Iptables rules...

[Didier Hung Wan Luk]

Hi All,


I am new to firewall/iptables can someone help me to clear up some concepts about firewalling?

If my default rule for the input chain of my external interface is DROP need I again specify to DROP packets in the INPUT chain of my external interface?

i.e..

#My Default rule
iptables -P INPUT DROP

#Drop all attempts on my ext. interface trough port 6000:6063

iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP

If I am right I think that I need not include a rule again saying to drop packets to my 6000;6063 ports since I do not have a rule saying to accept connections on these ports...

Thanks,

Didier Hung Wan Luk

Re: Iptables rules...

[Antony Stone]

On Saturday 07 September 2002 10:39 am, Didier Hung Wan Luk wrote:

> Hi All,
>
>
> I am new to firewall/iptables can someone help me to clear up some concepts
> about firewalling?
>
> If my default rule for the input chain of my external interface is DROP
> need I again specify to DROP packets in the INPUT chain of my external
> interface?

There is only one INPUT chain.   The rules and the default policy apply to 
all interfaces.

> #My Default rule
> iptables -P INPUT DROP
>
> #Drop all attempts on my ext. interface trough port 6000:6063
>
> iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
>
> If I am right I think that I need not include a rule again saying to drop
> packets to my 6000;6063 ports since I do not have a rule saying to accept
> connections on these ports...

If you have a default DROP policy, then you should not (normally) need to 
specify any DROP rules.   If you do not have a rule ACCEPTing certain 
packets, then they will be DROPped by default.   That is what the policy is 
for.

For example:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

will drop SMTP traffic on port 25, because there is no rule ACCEPTing it.

These rules will also drop POP3, IMAP, FTP, IDENT.......   everything except 
HTTP.

Antony.

-- 

90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

REMOVE FROM LIST. THIS IS SPAM

[Mike D]

----- Original Message -----
From: "Didier Hung Wan Luk" <DidierH@frci.net>
To: "Netfilter Mailing List" <netfilter@lists.netfilter.org>
Sent: Saturday, September 07, 2002 5:39 AM
Subject: Iptables rules...


> Hi All,
>
>
> I am new to firewall/iptables can someone help me to clear up some
concepts about firewalling?
>
> If my default rule for the input chain of my external interface is DROP
need I again specify to DROP packets in the INPUT chain of my external
interface?
>
> i.e..
>
> #My Default rule
> iptables -P INPUT DROP
>
> #Drop all attempts on my ext. interface trough port 6000:6063
>
> iptables -A INPUT -i ppp0 -p tcp --dport 6000:6063 -j DROP
>
> If I am right I think that I need not include a rule again saying to drop
packets to my 6000;6063 ports since I do not have a rule saying to accept
connections on these ports...
>
> Thanks,
>
> Didier Hung Wan Luk
>
>
>

Re: REMOVE FROM LIST. THIS IS SPAM

[Anders Fugmann]

Please top spamming this list. If you want to unsubscribe, then
go to: http://lists.netfilter.org/mailman/listinfo/netfilter/

Luckily, you just entered my blacklist - Welcome!

Regards
Anders Fugmann

Re: REMOVE FROM LIST. THIS IS SPAM

[Robin Lynn Frank]

On Saturday 07 September 2002 06:39, Anders Fugmann wrote:
# Please stop spamming this list. If you want to unsubscribe, then
# go to: http://lists.netfilter.org/mailman/listinfo/netfilter/
#
# Luckily, you just entered my blacklist - Welcome!
#
# Regards
# Anders Fugmann
#
#
#
#
I also blacklisted him while mumbling something about there being an 
oversupply of morons in the world.
-- 
Robin Lynn Frank
Paradigm-Omega, LLC
==================================
The only certainty about documentation is that
whoever wrote it "might" have understood it.
The rest of us may not be so lucky.