clearing basics: semi-OT

clearing basics: semi-OT

[Payal Rathod]

Hi,
I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO. 
In it these things were mentioned,

UNIVERSE="0.0.0.0/0"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

What exactly does 0.0.0.0/0 mean? And why should we be concerned with
it? And what is the use of rule given after it?

INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"

The first one means the entire network of 192.168.1.x? What exactly is
the second one. Does it just means 192.168.1.1 then why "/24"?
And lastly,

$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j DROP

Why was this rule made? And why was it "dropped"? What is the logic
behind this? Shouldn't it be,
$IPTABLES -P drop-and-log-it DROP


Thanks a lot for the patience and bye.
With warm regards,
-Payal

p.s please make a cc to me too.

-- 
"Visit GNU/Linux Success Stories"
www.geocities.com/rpayal99
Guest-Book Section Updated.

RE: clearing basics: semi-OT

[dhiraj.2.bhuyan]

Answers inline -

> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading
HOWTO. 
> In it these things were mentioned,

> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

> What exactly does 0.0.0.0/0 mean? And why should we be concerned with

sending 0.0.0.0 is a standard way of asking for a dhcp address. 


> it? And what is the use of rule given after it?

read iptables manpage (-i interface -s source -d destination)

> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"

> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?

192.168.1.0/24 is the subnet (/24 is the subnet mast - can also be
represented by 255.255.255.0)
similarly the 192.168.1.1/24

> And lastly,

> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP

-N adds a new chain
-A appends a rule

> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP

Can't see any logic unless you show how this chain is hooked to the default
chains.


> Thanks a lot for the patience and bye.
> With warm regards,
> -Payal

> p.s please make a cc to me too.


dhiraj

Re: clearing basics: semi-OT

[Joel Newkirk]

On Thu, 2003-04-10 at 04:06, Payal Rathod wrote:
> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO. 
> In it these things were mentioned,
> 
> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> 
> What exactly does 0.0.0.0/0 mean? And why should we be concerned with
> it? And what is the use of rule given after it?

The important part here is the /0, which means that NO bits of the
preceding IP are significant.  That means this will match any address. 
The second rule deals with the lo interface, local loopback.  This rule
lets the box talk to itself as much as it wants with any IP.  (although
actually 127.0.0.1 is the standard, and 127.0.0.0/8 is the valid range)

> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
> 
> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?

First one - yep.  Second one means precisely the same thing.  It should
probably be 192.168.1.1/32, or with no mask at all, and is probably
intended to be used to indicate the IP of the internal (LAN-facing)
interface.

> And lastly,
> 
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP
> 
> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP

-N makes a new chain, and the -A adds a DROP rule to it.  -P policy
isn't valid for a custom chain, only the built-in chains.  The logic
here is that you could use
$IPTABLES -I drop-and-log-it 1 -j LOG
and then everything would be logged before dropping.  More useful would
be to use a --log-prefix to identify where the DROP came from, IE if it
was INPUT, OUTPUT, FORWARD, etc, and WHY it was dropped, but that would
mean individual LOG rules for each case.  (Or, log in the originating
chain...  which defeats the concept of _LOG_ and drop...)

> 
> Thanks a lot for the patience and bye.
> With warm regards,
> -Payal
> 
> p.s please make a cc to me too.

j

Re: clearing basics: semi-OT

[Kim Jensen]

On Thursday 10 April 2003 10:06, Payal Rathod wrote:
> Hi,
> I am trying to clear some of my basics. I am reading IP-Masquerading HOWTO.
> In it these things were mentioned,
>
> UNIVERSE="0.0.0.0/0"
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> What exactly does 0.0.0.0/0 mean? And why should we be concerned with
> it? And what is the use of rule given after it?
>
0.0.0.0/0 means everybody!

The rule is saying that everything from and to the localhost should be 
accepted - in general a very good thing, unless you know what you are doing!

> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
>
> The first one means the entire network of 192.168.1.x? What exactly is
> the second one. Does it just means 192.168.1.1 then why "/24"?
> And lastly,
>
The 192.168.1.0/24 means: everything from 192.168.1.0 to 192.168.1.255. The 
/24 is part of the mask, read 
http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.txt.

> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j DROP
>
> Why was this rule made? And why was it "dropped"? What is the logic
> behind this? Shouldn't it be,
> $IPTABLES -P drop-and-log-it DROP
>
There is no default chain called drop-and-log-it, which is why you make a 
custom chain. A better version would be:
$IPTABLES -N drop-and-log-it
$IPTABLES -F drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG
$IPTABLES -A drop-and-log-it -j DROP

The first line creates a new chain (-N) with the name drop-and-log-it. The 
second line (-F) flushes the new chain in case you already have this chain 
running. The third lines appends a rule which logs everything and finally the 
fourth line drops the packets.

/Kim

Re: clearing basics: semi-OT

[Payal Rathod]

On Thu, Apr 10, 2003 at 10:21:14AM -0400, Joel Newkirk wrote:
> The important part here is the /0, which means that NO bits of the
> preceding IP are significant.  That means this will match any address. 
[...]

Got it.
Thanks a lot for all the help. I have written some firewall rules which
I will post to the list in other mail. Please have a look at them.

Regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
www.geocities.com/rpayal99
Guest-Book Section Updated.