From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Policy, why is it doing that
Date: Fri, 17 Oct 2003 14:24:26 +0200 [thread overview]
Message-ID: <1066393466.10567.22.camel@raylinux.internal> (raw)
In-Reply-To: <BDF3100EBB9E3A47B84F816A10D9A4E5A8E5@eai-exchange.edgeaccess.net>
On Thu, 2003-10-16 at 17:37, Britt Tabor wrote:
> Hello,
>
> I have a linux (slackware) box that I am running iptables on. I have masq. on and I have only one entry in the table. I currently have the policy for FORWARD set to ACCEPT. Here's the problem: if I set the policy to DROP it drops everything. No rules are looked at before dropping; it just drops everything. Here is a list of my iptables.
>
> bash-2.05# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> bash-2.05# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> With this everything is fine, but as you can tell there is no real security, because I ACCEPT all. However, if I set the policy on FORWARD to DROP, everything gets dropped regardless of rule entries. Previously I used ipchains; when a packet came in it would traverse the rule entries in the FORWARD list and, if it didn't match anything, it would apply the policy. With iptables it seems to be doing just the opposite. When packets come in it applies the policy first???
>
> Is this the case?
>
No, what command are you using to set the policy on the forward chain?
>
> Britt Tabor
> Edge Access, Inc.
> btabor@edgeaccess.net
> http://www.edgeaccess.net
> 813.594.6142 Voice
> 813.249.1126 Fax
>
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
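As an added illustration, not from either poster, of the traversal order Ray's "No" refers to: a packet is checked against the chain's rules in order, the first matching terminating target decides, and the chain policy is the verdict only for packets that match no rule. The Python model below replays Britt's FORWARD chain under both policies and then a default-deny chain of the shape he is aiming for; the LAN subnet and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    proto: str = "all"            # "all", "tcp", "udp", "icmp"
    source: str = "0.0.0.0/0"     # shown as "anywhere" by iptables -L
    destination: str = "0.0.0.0/0"

    def matches(self, pkt):
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination))

def traverse(rules, policy, pkt):
    """Netfilter filter-chain semantics: first matching rule wins; the chain
    policy applies only to packets that match no rule at all."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Britt's FORWARD chain as listed in his mail: one "ACCEPT all anywhere anywhere" rule.
BRITTS_FORWARD = [Rule("ACCEPT")]

# Constructed default-deny chain: forward only traffic originating on the LAN.
# (A real ruleset also needs a conntrack rule for return traffic; not modelled here.)
LAN = "192.168.1.0/24"  # constructed subnet
DEFAULT_DENY_FORWARD = [Rule("ACCEPT", source=LAN)]

# Constructed sample packets: LAN -> Internet, then Internet -> LAN.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "dst": "198.51.100.7"},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10"},
]

def verdicts(rules, policy):
    return [traverse(rules, policy, p) for p in PACKETS]

if __name__ == "__main__":
    # With an ACCEPT-all rule the policy is never consulted, whatever it is set to.
    print(verdicts(BRITTS_FORWARD, "ACCEPT"))      # ['ACCEPT', 'ACCEPT']
    print(verdicts(BRITTS_FORWARD, "DROP"))        # ['ACCEPT', 'ACCEPT']
    # Only packets matching no rule fall through to the DROP policy.
    print(verdicts(DEFAULT_DENY_FORWARD, "DROP"))  # ['ACCEPT', 'DROP']
```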