Linux Netfilter discussions
From: Ralf Spenneberg <lists@spenneberg.org>
To: Rob Verduijn <rverduij@dds.nl>
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: logging and pinging localhost
Date: 08 Aug 2003 08:25:22 +0200	[thread overview]
Message-ID: <1060323922.1880.3.camel@kermit> (raw)
In-Reply-To: <1060278704.3499.8.camel@vimes.localdomain>

On Thu, 2003-08-07 at 19:51, Rob Verduijn wrote:

> the default policy that I set is drop
> $IPTABLES -t filter -P INPUT DROP
> $IPTABLES -t filter -P OUTPUT DROP
> $IPTABLES -t filter -P FORWARD DROP
> $IPTABLES -t nat -P PREROUTING DROP
> $IPTABLES -t nat -P POSTROUTING DROP
> $IPTABLES -t nat -P OUTPUT DROP
> $IPTABLES -t mangle -P PREROUTING DROP
> $IPTABLES -t mangle -P POSTROUTING DROP
> $IPTABLES -t mangle -P INPUT DROP
> $IPTABLES -t mangle -P OUTPUT DROP
> $IPTABLES -t mangle -P FORWARD DROP
Don't do this. The mangle and the nat table are only for mangling and
natting. Please only filter in the filter table. Once you have
understood why some packets traverse the nat table and others do not you
may think about filtering in the nat table, but I would advise against
it.
The above rules are only useful if you do not want any traffic on your
machine, like a panic situation.

> 
> I also read that the following allows all the localtraffic
> $IPTABLES -A INPUT  -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> 
> but why can't I ping localhost?????
Because those packets still pass the nat and the mangle table. You drop
everything there. 
Remove the DROP rules in the nat and mangle table.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
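The mistake Ralf describes (DROP policies on the nat and mangle tables, which loopback packets still traverse, so the `-i lo`/`-o lo` ACCEPT rules in the filter table never get a chance) is easy to catch before a ruleset is loaded. The following shell script is an added example, not part of the thread and not code from either participant: it lints a ruleset given as text, flags every `-P ... DROP` on a non-filter table, and prints a corrected ruleset that keeps the filter-table policies and the loopback rules. The sample ruleset is constructed to mirror the quoted script; the script only inspects text, so it needs neither root nor iptables to run.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an iptables ruleset for
# DROP policies on the nat or mangle tables, the mistake that breaks pinging
# localhost even when lo is accepted in the filter table.

# Constructed sample ruleset, shaped like the script quoted in the thread.
SAMPLE_RULES='
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P OUTPUT DROP
$IPTABLES -t mangle -P PREROUTING DROP
$IPTABLES -t mangle -P POSTROUTING DROP
$IPTABLES -t mangle -P INPUT DROP
$IPTABLES -t mangle -P OUTPUT DROP
$IPTABLES -t mangle -P FORWARD DROP
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
'

# Regex for a DROP policy set on a table other than filter.
BAD_POLICY_RE='-t (nat|mangle) +-P +[A-Z]+ +DROP'

# Print the offending policy lines of the ruleset passed as $1.
bad_policies() {
    printf '%s\n' "$1" | grep -E -e "$BAD_POLICY_RE"
}

# Count the offending policy lines of the ruleset passed as $1 (prints 0 if none).
count_bad_policies() {
    printf '%s\n' "$1" | grep -E -e "$BAD_POLICY_RE" | grep -c .
}

# Return 0 when both loopback ACCEPT rules exist in the filter table
# (the INPUT/OUTPUT rules with no -t flag default to the filter table).
lo_accepted() {
    printf '%s\n' "$1" | grep -q -E -e '-A INPUT +-i lo +-j ACCEPT' &&
    printf '%s\n' "$1" | grep -q -E -e '-A OUTPUT +-o lo +-j ACCEPT'
}

# Emit the corrected ruleset: the nat/mangle DROP policies are removed,
# everything else (filter policies, loopback rules) is kept as written.
fixed_ruleset() {
    printf '%s\n' "$1" | grep -v -E -e "$BAD_POLICY_RE" | grep .
}

# Report on the sample when run directly.
n=$(count_bad_policies "$SAMPLE_RULES")
if [ "$n" -gt 0 ]; then
    echo "found $n DROP policies outside the filter table:"
    bad_policies "$SAMPLE_RULES"
    echo
    echo "corrected ruleset (filter in the filter table only):"
    fixed_ruleset "$SAMPLE_RULES"
fi
if lo_accepted "$SAMPLE_RULES"; then
    echo "loopback is accepted in the filter table"
fi
```

The lint is deliberately textual so it can be run against a firewall script in a pre-commit hook or a review step; after loading the corrected rules, `ping 127.0.0.1` is the quick end-to-end check that loopback traffic is flowing again.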


Thread overview: 2+ messages
2003-08-07 17:51 logging and pinging localhost Rob Verduijn
2003-08-08  6:25 ` Ralf Spenneberg [this message]