Linux Netfilter discussions
* Need some clarity
@ 2003-05-27 18:45 Michael Carroll
  2003-05-30 21:36 ` Alistair Tonner
  0 siblings, 1 reply; 2+ messages in thread
From: Michael Carroll @ 2003-05-27 18:45 UTC (permalink / raw)
  To: netfilter

Hello netfilter development crew,

I have a couple of probably straightforward questions, but I don't know 
the answers to them and would just like to clear things up a little bit.

# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT

That is what is generated when I first do an 'iptables-save > /dir'. Now 
I was wondering what all the numbers inside those brackets stood for, 
because when I start to add rules to them those numbers start to change. 
They also add the user-defined rules just before the COMMIT.  Does it 
matter how you type out your iptables rules, like you should DROP 
everything first, then start to 'open' ports up, correct?  Also, one other 
thing: what does the COMMIT mean?

Thank you in advance.

Michael Carroll

* Re: Need some clarity
  2003-05-27 18:45 Need some clarity Michael Carroll
@ 2003-05-30 21:36 ` Alistair Tonner
  0 siblings, 0 replies; 2+ messages in thread
From: Alistair Tonner @ 2003-05-30 21:36 UTC (permalink / raw)
  To: Michael Carroll, netfilter

The numbers in [...] are packet counts (iptables -L -n -v).
Order of rules is important --- packets pass through until they hit a match,
then are handled by that match.
Don't try to hand-edit the iptables-save file .. create a script to load your
rules using the iptables command (Oskar Andreasson's iptables Tutorial has
several excellent starter scripts).

By default the best way to build a firewall is to set a policy of DROP on all
chains and allow only what you need.

The COMMIT ... think like a database.... *grin* that's what actually applies
the rules.



On May 27, 2003 02:45 pm, Michael Carroll wrote:
> Hello netfilter development crew,
>
> I have a couple of probably straightforward questions, but I don't know
> the answers to them and would just like to clear things up a little bit.
>
> # Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
> *nat
>
> :PREROUTING ACCEPT [7595:344053]
> :POSTROUTING ACCEPT [80:4556]
> :OUTPUT ACCEPT [63:3755]
>
> COMMIT
>
> That is what is generated when I first do an 'iptables-save > /dir'. Now
> I was wondering what all the numbers inside those brackets stood for,
> because when I start to add rules to them those numbers start to change.
> They also add the user-defined rules just before the COMMIT.  Does it
> matter how you type out your iptables rules, like you should DROP
> everything first, then start to 'open' ports up, correct?  Also, one other
> thing: what does the COMMIT mean?
>
> Thank you in advance.
>
> Michael Carroll

-- 

Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS

Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
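To make the three points in this thread concrete, here is an added example (not code from either poster) that parses iptables-save output: the bracketed numbers are [packets:bytes] counters for each built-in chain's policy, the -A lines are kept in load order because the first matching rule decides, and COMMIT marks where a table's rules are applied together. Only the *nat table comes from the post; the *filter table, its counters and its two rules are constructed for the example, and the final helper flags chains that still default to ACCEPT.

```python
import re

# Constructed sample input (not from the post): the *nat table shown above,
# plus a hypothetical *filter table with a default-DROP INPUT chain.
SAMPLE = """\
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:41000]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" -- the counters belong to the chain's policy
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policies", "rules", "committed"}}:
    policies is chain -> (policy, packets, bytes); rules keeps the "-A" lines in
    load order (first match wins); committed records that COMMIT was seen."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments carry no state
        if line.startswith("*"):
            current = tables.setdefault(
                line[1:], {"policies": {}, "rules": [], "committed": False})
        elif line == "COMMIT":
            current["committed"] = True   # everything above takes effect together
        elif (m := CHAIN_RE.match(line)):
            chain, policy, pkts, nbytes = m.groups()
            current["policies"][chain] = (policy, int(pkts), int(nbytes))
        elif line.startswith("-A "):
            current["rules"].append(line)
    return tables

def default_allow_chains(tables):
    """Built-in chains whose policy is ACCEPT: traffic no rule matches gets through."""
    return sorted(f"{name}:{chain}" for name, t in tables.items()
                  for chain, (policy, _, _) in t["policies"].items()
                  if policy == "ACCEPT")
```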