Linux Netfilter discussions
From: Ralf Spenneberg <lists@spenneberg.org>
To: Payal Rathod <payal-iptables@staticky.com>
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: please advise on this rule
Date: 13 Aug 2003 09:26:23 +0200
Message-ID: <1060759582.1711.18.camel@kermit>
In-Reply-To: <20030813182443.GA1468@linux.local>

On Wed, 2003-08-13 at 20:24, Payal Rathod wrote:
> Does this FORWARD chain look ok in a simple NAT network where the Linux
> box is connected to the net.
What's "ok" in your opinion?
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
> REJECT     tcp  --  192.168.10.1         0.0.0.0/0          tcp dpt:80 reject-with icmp-port-unreachable
> 
Well, it looks fine. 3 rules loaded although I am missing a little bit
of detail here. Do an iptables -vnL FORWARD.

> 
> Is source 0/0 OK? Should it be 192.168.10.0/24?
Source 0/0 is ok. If you want to prevent IP-Spoofing you can use
192.168.10.0/24

> Will the third rule block outgoing connection from 192.168.10.1 to any
> server at port 80?
Yes, the third rule will block this traffic, but ...
Since some detail is missing I cannot determine what the first rule
does. Is this just loopback traffic (lo)? If the first rule does not
specify an interface it will allow all traffic.
If it does specify the lo interface you are still missing a rule
allowing NEW connections, like
iptables -A FORWARD -s 192.168.10.0/24 -m state --state NEW -j ACCEPT

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
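The point Ralf makes above (a first rule without an interface match accepts everything, so the REJECT for 192.168.10.1 never fires, and a rule for NEW connections from the LAN is still needed) is easiest to see by walking the chain the way netfilter does: top to bottom, first match wins. The following is an added example, not code from the thread or from the netfilter project. It is a deliberately small model of iptables matching: connection state is treated as an attribute of the packet instead of coming from conntrack, only the match options that appear in this thread are supported, and the interface name `eth1` for the LAN side is an assumption. `POSTED` is the chain as Payal listed it (first rule taken as having no `-i`), `FIXED` restricts that rule to `lo` and appends the NEW-connection rule Ralf suggests.

```python
# Added example (not from the thread): a first-match model of an iptables
# chain, to show how rule order and a missing "-i lo" change the verdict.
# Simplification: state is a packet field (no conntrack); only -s, -d, -p,
# --dport, -m state and -i are modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "all"
    dport: Optional[int] = None
    state: str = "NEW"          # NEW, ESTABLISHED or RELATED
    in_if: str = "eth1"         # assumed LAN interface name; "lo" for loopback


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    dport: Optional[int] = None
    states: Optional[Set[str]] = None   # None: "-m state" not used
    in_if: Optional[str] = None         # None: no "-i" given, any interface

    def matches(self, p: Packet) -> bool:
        """Every given match option must hold, as with iptables."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.in_if is not None and self.in_if != p.in_if:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, index of the matching rule), or (policy, -1)."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, -1


# The FORWARD chain as posted, assuming the first ACCEPT has no "-i".
POSTED = [
    Rule("ACCEPT"),
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("REJECT", src="192.168.10.1", proto="tcp", dport=80),
]

# First rule limited to loopback, then (appended with -A, so after the
# REJECT) the rule allowing NEW connections from the LAN, with the LAN
# prefix as source so spoofed addresses fall through to the DROP policy.
FIXED = [
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("REJECT", src="192.168.10.1", proto="tcp", dport=80),
    Rule("ACCEPT", src="192.168.10.0/24", states={"NEW"}),
]


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 is a documentation address.
    web = Packet("192.168.10.1", "203.0.113.10", "tcp", 80)
    print("posted chain:", evaluate(POSTED, web))   # ACCEPT by rule 0: REJECT shadowed
    print("fixed chain: ", evaluate(FIXED, web))    # REJECT by rule 2
    print("spoofed src: ", evaluate(FIXED, Packet("10.0.0.5", "203.0.113.10", "tcp", 443)))
```

Run as a script it prints the verdict and the index of the deciding rule for each packet; the interesting comparison is the first two lines, where the same packet is accepted by the catch-all in the posted chain and rejected once that rule is tied to `lo`. The FIXED chain also shows what Ralf means by preventing spoofing with `192.168.10.0/24` as source: a NEW packet with an address outside the LAN prefix matches nothing and hits the DROP policy.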

