* Need some clarity
From: Michael Carroll @ 2003-05-27 18:45 UTC (permalink / raw)
To: netfilter
Hello netfilter development crew,
I have a couple, probably straightforward questions, but I don't know
the answers to and would just like to clear things up a little bit.
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT
That is what is generated when I first do an 'iptables-save > /dir' now
I was wondering what all the numbers inside those brackets stood for,
because when I start to add rules to them those numbers start to change.
They also add the user defined rules just before the COMMIT. Does it
matter in how you type out your iptables rules, like you should DROP
everything first, then start to 'open' ports up, correct? Also one other
thing: what does the COMMIT mean?
Thank you in advance.
Michael Carroll
* Re: Need some clarity
From: Alistair Tonner @ 2003-05-30 21:36 UTC (permalink / raw)
To: Michael Carroll, netfilter
The numbers in [...] are packet counts (iptables -L -n -v )
Order of rules is important --- packets pass through until they hit a match,
then are handled by that match.
Don't try to hand edit the iptables-save file .. create a script to load your
rules using the iptables command (Oskar Andreasson's iptables Tutorial has
several excellent starter scripts)
By default the best way to build a firewall is to set a policy of DROP on all
chains and allow only what you need.
The COMMIT ... think like a database.... *grin* that's what actually applies
the rules.
On May 27, 2003 02:45 pm, Michael Carroll wrote:
> Hello netfilter development crew,
>
> I have a couple, probably straightforward questions, but I don't know
> the answers to and would just like to clear things up a little bit.
>
> # Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
> *nat
>
> :PREROUTING ACCEPT [7595:344053]
> :POSTROUTING ACCEPT [80:4556]
> :OUTPUT ACCEPT [63:3755]
>
> COMMIT
>
> That is what is generated when I first do an 'iptables-save > /dir' now
> I was wondering what all the numbers inside those brackets stood for,
> because when I start to add rules to them those numbers start to change.
> They also add the user defined rules just before the COMMIT. Does it
> matter in how you type out your iptables rules, like you should DROP
> everything first, then start to 'open' ports up, correct? Also one other
> thing: what does the COMMIT mean?
>
> Thank you in advance.
>
> Michael Carroll
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
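As an added illustration (not part of either message), a small Python parser for the iptables-save layout quoted above: the bracketed pair on each chain line is [packets:bytes] for the chain's policy counters, each table runs from `*name` to `COMMIT`, and rules are kept in the order they would be evaluated. The filter table in the sample is constructed to show the audit flagging a chain whose default policy is still ACCEPT.

```python
import re

# Constructed sample: the nat table quoted in the thread plus a filter table
# with one ACCEPT policy left in place, which the audit below flags.
SAMPLE = """\
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [41:3280]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Chain header ":NAME POLICY [packets:bytes]"; user-defined chains have policy "-".
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

def parse_save(text):
    """Parse iptables-save text into {table: {"chains", "rules", "committed"}}.
    A table runs from '*name' to COMMIT, the line that makes iptables-restore
    apply the whole table atomically."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": [], "committed": False}
        elif line == "COMMIT":
            tables[table]["committed"] = True
            table = None
        elif line.startswith(":"):
            name, policy, pkts, nbytes = CHAIN_RE.match(line).groups()
            tables[table]["chains"][name] = (policy, int(pkts), int(nbytes))
        elif line.startswith("-A"):
            tables[table]["rules"].append(line)  # append order = evaluation order
    return tables

def open_policies(tables, table="filter"):
    """Built-in chains of `table` whose default policy is not DROP."""
    chains = tables.get(table, {"chains": {}})["chains"]
    return sorted(n for n, (pol, _, _) in chains.items() if pol not in ("DROP", "-"))
```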