* Iptables ACCEPT and DROP
From: Ravi Verma @ 2004-04-16 17:43 UTC
To: netfilter
Dear Friends:
I have observed a behavior of iptables which I need to understand.
216.155.193.168 is the IP address of Yahoo's messenger site and it
listens on port 5050.
The following command allows the machine to connect to 216.155.193.168.
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j ACCEPT
After that, I see output like following:
#telnet 216.155.193.168 5050
Trying 216.155.193.168...
Connected to 216.155.193.168.
Escape character is '^]'.
Now when I issue
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j DROP
And
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j REJECT
Still, it allows connection to 216.155.193.168 on port 5050.
How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
can I stop this?
Kind regards.
Ravi Verma
* Iptables ACCEPT and DROP
From: Ravi Verma @ 2004-04-16 17:56 UTC
To: netfilter
Dear Friends:
I have observed a behavior of iptables which I need to understand.
216.155.193.168 is the IP address of Yahoo's messenger site and it
listens on port 5050.
The following command allows the machine to connect to 216.155.193.168.
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j ACCEPT
After that, I see output like following:
#telnet 216.155.193.168 5050
Trying 216.155.193.168...
Connected to 216.155.193.168.
Escape character is '^]'.
Now when I issue
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j DROP
And
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j REJECT
Still, it allows connection to 216.155.193.168 on port 5050.
How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
can I stop this?
Kind regards.
Ravi Verma
* Re: Iptables ACCEPT and DROP
From: Antony Stone @ 2004-04-16 18:08 UTC
To: netfilter
On Friday 16 April 2004 6:56 pm, Ravi Verma wrote:
> The following command allows the machine to connect to 216.155.193.168.
>
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j ACCEPT
>
> Now when I issue
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j DROP
>
> And
>
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j REJECT
>
> Still, it allows connection to 216.155.193.168 on port 5050.
>
> How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
> can I stop this?
"-A" means append - in other words, "add on to the end of my ruleset".
You have not said that you have flushed the OUTPUT chain (with "iptables -F
OUTPUT") between adding the ACCEPT rule and applying more rules after it, so
I think you still have the ACCEPT rule in your chain, and that is the first
one the packets see.
Try "iptables -L OUTPUT -nvx" and see what rules you have, and in what order.
Regards,
Antony.
--
"Black holes are where God divided by zero."
- Steven Wright
Please reply to the list;
please don't CC me.
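A small Python model of how a chain is walked, added here as an illustration (it is not netfilter code and not from anyone in the thread): rules are evaluated top to bottom and the first matching terminating target decides, so appending DROP behind an existing ACCEPT changes nothing, while flushing the chain first, as Antony suggests, does. The Rule and Chain classes and the packet dictionary are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                  # terminating target: ACCEPT, DROP or REJECT
    proto: Optional[str] = None  # -p   (None = no match given, i.e. any)
    dst: Optional[str] = None    # -d
    dport: Optional[int] = None  # --dport

    def matches(self, pkt: dict) -> bool:
        wanted = (("proto", self.proto), ("dst", self.dst), ("dport", self.dport))
        return all(v is None or pkt.get(k) == v for k, v in wanted)

@dataclass
class Chain:
    policy: str = "ACCEPT"                 # used when no rule matches (-P)
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:  # iptables -A OUTPUT ...
        self.rules.append(rule)
    def flush(self) -> None:               # iptables -F OUTPUT
        self.rules.clear()
    def verdict(self, pkt: dict) -> str:
        # Packets walk the chain top to bottom; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

# Constructed packet: the outbound Yahoo messenger connection from the thread.
PKT = {"proto": "tcp", "dst": "216.155.193.168", "dport": 5050}
YAHOO = ("tcp", "216.155.193.168", 5050)

def append_drop_after_accept() -> str:
    # Ravi's sequence: -A ACCEPT, then -A DROP and -A REJECT. ACCEPT is still hit first.
    out = Chain()
    for target in ("ACCEPT", "DROP", "REJECT"):
        out.append(Rule(target, *YAHOO))
    return out.verdict(PKT)                # "ACCEPT"

def flush_then_drop() -> str:
    # Antony's fix: flush the chain so the stale ACCEPT is gone, then add DROP.
    out = Chain()
    out.append(Rule("ACCEPT", *YAHOO))
    out.flush()
    out.append(Rule("DROP", *YAHOO))
    return out.verdict(PKT)                # "DROP"
```

On a real box the same ordering is what `iptables -L OUTPUT -nvx` prints, top entry first.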
* Re: Iptables ACCEPT and DROP
From: IT Clown @ 2004-04-17 10:37 UTC
To: netfilter
Will the following help:
iptables -A INPUT -i eth0 -p tcp -s 216.155.193.168 --sport 5050 -j DROP
iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j DROP
service iptables stop
/etc/init.d/iptables stop
iptables -F
service iptables start
/etc/init.d/iptables start
Or am I missing it completely?
Regards
On Fri, 16 Apr 2004 10:43:07 -0700
"Ravi Verma" <ravi.verma@telecommand.com> wrote:
> Dear Friends:
>
> I have observed a behavior of iptables which I need to understand.
>
> 216.155.193.168 is the IP address of Yahoo's messenger site and it
> listens on port 5050.
>
> The following command allows the machine to connect to 216.155.193.168.
>
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j ACCEPT
>
> After that, I see output like following:
>
> #telnet 216.155.193.168 5050
> Trying 216.155.193.168...
> Connected to 216.155.193.168.
> Escape character is '^]'.
>
> Now when I issue
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j DROP
> And
> iptables -A OUTPUT -o eth0 -p tcp -d 216.155.193.168 --dport 5050 -j REJECT
>
> Still, it allows connection to 216.155.193.168 on port 5050.
>
> How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
> can I stop this?
>
> Kind regards.
>
> Ravi Verma
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za