Linux Netfilter discussions
* Simple question
@ 2004-05-05 15:27 Oriol Magrané
  2004-05-05 16:19 ` Aleksandar Milivojevic
                   ` (3 more replies)
  0 siblings, 4 replies; 14+ messages in thread
From: Oriol Magrané @ 2004-05-05 15:27 UTC (permalink / raw)
  To: netfilter

    Hello!
    Just one question...
    I have a firewall with the INPUT, OUTPUT and FORWARD policies set to DROP, and now I want to allow connections from localhost to localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
    How should the needed rule(s) be?

    Thank you very much in advance!

    Oriol


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Simple question
  2004-05-05 15:27 Simple question Oriol Magrané
@ 2004-05-05 16:19 ` Aleksandar Milivojevic
  2004-05-05 16:25 ` Antony Stone
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 14+ messages in thread
From: Aleksandar Milivojevic @ 2004-05-05 16:19 UTC (permalink / raw)
  To: Oriol Magrané; +Cc: netfilter

Oriol Magrané wrote:
>  
>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set to 
> DROP, and now I want to allow connections from localhost to localhost 
> (any port). Which chains are implied here? INPUT? OUTPUT? Both?
>     How should the needed rule(s) be?

You'd need both INPUT and OUTPUT.  Just as if it were a connection to a 
remote system (just think what rules you would put on both the local and 
the remote system if it were a remote connection, and then apply both sets 
of rules to the local system, removing duplicates).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



* Re: Simple question
  2004-05-05 15:27 Simple question Oriol Magrané
  2004-05-05 16:19 ` Aleksandar Milivojevic
@ 2004-05-05 16:25 ` Antony Stone
  2004-05-05 16:35 ` Simple question (nfcan: addressed to exclusive sender for this address) Jim Laurino
  2004-05-05 17:43 ` Simple question Martijn Lievaart
  3 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2004-05-05 16:25 UTC (permalink / raw)
  To: netfilter

On Wednesday 05 May 2004 4:27 pm, Oriol Magrané wrote:

>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set to
> DROP, and now I want to allow connections from localhost to localhost (any
> port). Which chains are implied here? INPUT? OUTPUT? Both? How should the
> needed rule(s) be?

Yes, you need to allow the packets out through OUTPUT, in through INPUT, and 
the interfaces will both be lo.

If in doubt, just add some LOGging rules and see what happens when you try to 
send packets.

Regards,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used 
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Simple question (nfcan: addressed to exclusive sender for this address)
  2004-05-05 15:27 Simple question Oriol Magrané
  2004-05-05 16:19 ` Aleksandar Milivojevic
  2004-05-05 16:25 ` Antony Stone
@ 2004-05-05 16:35 ` Jim Laurino
  2004-05-05 17:43 ` Simple question Martijn Lievaart
  3 siblings, 0 replies; 14+ messages in thread
From: Jim Laurino @ 2004-05-05 16:35 UTC (permalink / raw)
  To: netfilter

On 2004.05.05 11:27, Oriol Magrané - omagrane@mediapro.es wrote:
> 
>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD
> policies set to DROP, and now I want to allow connections
> from localhost to localhost (any port). Which chains are
> implied here? INPUT? OUTPUT? Both?
>     How should the needed rule(s) be?
> 
>     Thank you very much in advance!
> 
>     Oriol
> 
>
I put these simple rules in my INPUT and OUTPUT chains.
I checked the counts, and these handle the most traffic,
so I put them first in their chains.

# accept packets arriving on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# accept packets leaving via the loopback interface
# (this belongs in OUTPUT with -o; iptables rejects -o in the INPUT chain)
iptables -A OUTPUT -o lo -j ACCEPT

I hope that helps.

Jim




* Re: Simple question
  2004-05-05 15:27 Simple question Oriol Magrané
                   ` (2 preceding siblings ...)
  2004-05-05 16:35 ` Simple question (nfcan: addressed to exclusive sender for this address) Jim Laurino
@ 2004-05-05 17:43 ` Martijn Lievaart
  2004-05-06 21:45   ` Antony Stone
  3 siblings, 1 reply; 14+ messages in thread
From: Martijn Lievaart @ 2004-05-05 17:43 UTC (permalink / raw)
  To: Oriol Magrané; +Cc: netfilter

Oriol Magrané wrote:

>
>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> to DROP, and now I want to allow connections from localhost to
> localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
>     How should the needed rule(s) be?
>


This should do it:
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

HTH,
M4





* Re: Simple question
  2004-05-05 17:43 ` Simple question Martijn Lievaart
@ 2004-05-06 21:45   ` Antony Stone
  0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2004-05-06 21:45 UTC (permalink / raw)
  To: netfilter

On Wednesday 05 May 2004 6:43 pm, Martijn Lievaart wrote:

> Oriol Magrané wrote:
> >     Hello!
> >     Just one question...
> >     I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> > to DROP, and now I want to allow connections from localhost to
> > localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
> >     How should the needed rule(s) be?
>
> This should do it:
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -i lo -j ACCEPT

Actually, I would suggest instead:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

:)

Antony.

-- 
"When you talk about Linux versus Windows, you're talking about which 
operating system is the best value for money and fit for purpose. That's a 
very basic decision customers can make if they have the information available 
to them. Quite frankly if we lose to Linux because our customers say it's 
better value for money, tough luck for us."

 - Steve Vamos, MD of Microsoft Australia

                                                     Please reply to the list;
                                                           please don't CC me.




* simple question
@ 2005-04-27 10:35 Askar
  2005-04-27 10:50 ` Mohamed Eldesoky
  2005-04-27 14:21 ` Jason Opperisano
  0 siblings, 2 replies; 14+ messages in thread
From: Askar @ 2005-04-27 10:35 UTC (permalink / raw)
  To: netfilter

hi list

        If I put "iptables --policy FORWARD ACCEPT", do I still need a line, i.e.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards

Askar
-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams



* Re: simple question
  2005-04-27 10:35 simple question Askar
@ 2005-04-27 10:50 ` Mohamed Eldesoky
  2005-04-27 10:58   ` Askar
  2005-04-27 14:21 ` Jason Opperisano
  1 sibling, 1 reply; 14+ messages in thread
From: Mohamed Eldesoky @ 2005-04-27 10:50 UTC (permalink / raw)
  To: Askar, netfilter

Yes or No, depends on your rules !!

On 4/27/05, Askar <askarali@gmail.com> wrote:
> hi list
> 
>         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Regards
> 
> Askar
> --
> I love deadlines. I like the whooshing sound they make as they fly by.
> Douglas Adams
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE



* Re: simple question
  2005-04-27 10:50 ` Mohamed Eldesoky
@ 2005-04-27 10:58   ` Askar
  2005-04-27 11:04     ` Cedric Blancher
  0 siblings, 1 reply; 14+ messages in thread
From: Askar @ 2005-04-27 10:58 UTC (permalink / raw)
  To: Mohamed Eldesoky; +Cc: netfilter

You mean if I have rules like

iptables -P FORWARD ACCEPT

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT 

Then putting the ESTABLISHED,RELATED thing will help?
However, why should I put ACCEPT rules in FORWARD when the default
policy for it is already to accept everything?

thanks and regards

Askar
On 4/27/05, Mohamed Eldesoky <eldesoky.lists@gmail.com> wrote:
> Yes or No, depends on your rules !!
> 
> On 4/27/05, Askar <askarali@gmail.com> wrote:
> > hi list
> >
> >         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > Regards
> >
> > Askar
> > --
> > I love deadlines. I like the whooshing sound they make as they fly by.
> > Douglas Adams
> >
> >
> 
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams



* Re: simple question
  2005-04-27 10:58   ` Askar
@ 2005-04-27 11:04     ` Cedric Blancher
  2005-04-27 11:07       ` Cedric Blancher
  0 siblings, 1 reply; 14+ messages in thread
From: Cedric Blancher @ 2005-04-27 11:04 UTC (permalink / raw)
  To: Askar; +Cc: netfilter, Mohamed Eldesoky

On Wednesday 27 April 2005 at 16:58 +0600, Askar wrote:
> you mean if I have rules like
> iptables -P FORWARD ACCEPT

If you have this, then any ACCEPT rule will be useless. As simple as
this.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: simple question
  2005-04-27 11:04     ` Cedric Blancher
@ 2005-04-27 11:07       ` Cedric Blancher
  0 siblings, 0 replies; 14+ messages in thread
From: Cedric Blancher @ 2005-04-27 11:07 UTC (permalink / raw)
  To: Askar; +Cc: netfilter, Mohamed Eldesoky

On Wednesday 27 April 2005 at 13:04 +0200, Cedric Blancher wrote:
> If you have this, then any ACCEPT rule will be useless. As simple as
> this.

Well, not quite.
It is, except if you want to rely on DROP/ACCEPT combinations to make
exclusions and related stuff.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: simple question
  2005-04-27 10:35 simple question Askar
  2005-04-27 10:50 ` Mohamed Eldesoky
@ 2005-04-27 14:21 ` Jason Opperisano
  1 sibling, 0 replies; 14+ messages in thread
From: Jason Opperisano @ 2005-04-27 14:21 UTC (permalink / raw)
  To: netfilter

On Wed, Apr 27, 2005 at 04:35:15PM +0600, Askar wrote:
> hi list
> 
>         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e 
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

two thoughts:

1) if your last rule in the FORWARD chain is:

     iptables -A FORWARD -j DROP

   then your FORWARD chain POLICY will never be enforced, as all packets
   will be matched and dropped by the last rule.  the only reason i
   bring this up is that i keep seeing rule sets that do this:  POLICY
   set to ACCEPT and last rule set to DROP.

2) performance.  the *vast* majority of packets will match the "-m state
   --state ESTABLISHED,RELATED" rule.  putting it first in your built-in
   chains means that the vast majority of your packets will only have
   to traverse one rule before moving on.  relying on the chain POLICY
   to match these packets means these packets have to traverse *every*
   rule before moving on.  for large rule sets, this is just poor design.

final thought:  setting the default policy of your firewall to ACCEPT
isn't very good "firewalling," IMHO--but that's really more of
philosophical debate than a technical one.  no matter how permissive the
rules end up being, I always start with a default deny, and then allow
specific traffic.

-j

--
"Peter: You know, I oughta just give you some beer. Goes straight
 through you. 
 Stewie: Wonderful. And while we're at it, we can light up a doobie and
 watch porn. 
 Peter: Eh... yeah?"
        --Family Guy


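
Both threads above turn on the same two facts: a packet is decided by the first terminating rule it matches in a chain, and the chain policy is consulted only when no rule matched. The Python model below is an added illustration, not code from the list, from netfilter or from iptables itself. It parses the iptables command lines used in the threads (only -P/--policy, and -A with -i, -o, -p, --dport, -m state --state and -j; anything else is out of scope) and replays both situations: the 2004 question about localhost traffic with all three policies set to DROP, including the "-A INPUT -o lo" slip that real iptables refuses to load, and the 2005 question about a FORWARD chain whose ACCEPT policy is shadowed by a trailing "-j DROP". The packets, interface names and conntrack states are constructed, and the Filter class is a simulation of chain traversal, not libiptc or the kernel.

```python
import shlex

# Real iptables rejects "-o" in INPUT and "-i" in OUTPUT ("Can't use -o with INPUT").
IFACE_OPTS = {"INPUT": {"-i"}, "OUTPUT": {"-o"}, "FORWARD": {"-i", "-o"}}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG, by contrast, lets traversal continue


class Filter:
    """Simulated filter table: three built-in chains, each with a policy and a rule list."""

    def __init__(self):
        self.policy = {c: "ACCEPT" for c in IFACE_OPTS}
        self.rules = {c: [] for c in IFACE_OPTS}       # rule = {"target", "match", "packets"}
        self.policy_hits = {c: 0 for c in IFACE_OPTS}  # packets that fell through to the policy

    def iptables(self, line):
        """Parse a subset of iptables syntax: -P, and -A with -i/-o/-p/--dport/-m state --state/-j."""
        argv = shlex.split(line)
        argv = argv[1:] if argv[0] == "iptables" else argv
        if argv[0] in ("-P", "--policy"):
            self.policy[argv[1]] = argv[2]
            return
        chain, match, target = argv[1], {}, None
        for opt, val in zip(argv[2::2], argv[3::2]):
            if opt in ("-i", "-o") and opt not in IFACE_OPTS[chain]:
                raise ValueError(f"Can't use {opt} with {chain}")
            if opt == "-j":
                target = val
            elif opt == "--state":
                match[opt] = set(val.split(","))
            elif opt in ("-i", "-o", "-p", "--dport"):
                match[opt] = val
            elif opt != "-m":                          # "-m state" only names the extension
                raise ValueError(f"unsupported option {opt}")
        self.rules[chain].append({"target": target, "match": match, "packets": 0})

    @staticmethod
    def _matches(match, pkt):
        """An option that is absent from the rule matches anything, exactly as in iptables."""
        return (match.get("-i", pkt["in"]) == pkt["in"]
                and match.get("-o", pkt["out"]) == pkt["out"]
                and match.get("-p", pkt["proto"]) == pkt["proto"]
                and match.get("--dport", str(pkt["dport"])) == str(pkt["dport"])
                and pkt["state"] in match.get("--state", {pkt["state"]}))

    def traverse(self, chain, pkt):
        """First matching terminating rule decides; the policy applies only if none matches."""
        for rule in self.rules[chain]:
            if self._matches(rule["match"], pkt):
                rule["packets"] += 1
                if rule["target"] in TERMINATING:
                    return rule["target"]
        self.policy_hits[chain] += 1
        return self.policy[chain]

    def local_to_local(self, proto, dport, state="NEW"):
        """Localhost-to-localhost traffic passes OUTPUT (-o lo), loops back, then INPUT (-i lo)."""
        pkt = {"in": None, "out": "lo", "proto": proto, "dport": dport, "state": state}
        verdict = self.traverse("OUTPUT", pkt)
        if verdict != "ACCEPT":
            return verdict
        return self.traverse("INPUT", dict(pkt, **{"in": "lo", "out": None}))


def loopback_demo():
    """2004 thread: with all three policies DROP, localhost traffic needs a rule in both chains."""
    fw = Filter()
    for chain in IFACE_OPTS:
        fw.iptables(f"iptables -P {chain} DROP")
    no_rules = fw.local_to_local("tcp", 22)            # dropped by the OUTPUT policy
    fw.iptables("iptables -A OUTPUT -o lo -j ACCEPT")
    output_only = fw.local_to_local("tcp", 22)         # gets out, then dropped by the INPUT policy
    fw.iptables("iptables -A INPUT -i lo -j ACCEPT")
    both = fw.local_to_local("tcp", 22)                # accepted
    try:                                               # the mis-typed rule from the thread
        fw.iptables("iptables -A INPUT -o lo -j ACCEPT")
        bad_rule = "accepted"
    except ValueError as err:
        bad_rule = str(err)
    return no_rules, output_only, both, bad_rule


def forward_demo():
    """2005 thread: a trailing -j DROP means the ACCEPT policy is never consulted."""
    fw = Filter()
    fw.iptables("iptables --policy FORWARD ACCEPT")
    fw.iptables("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    fw.iptables("iptables -A FORWARD -p tcp --dport 22 -j ACCEPT")
    fw.iptables("iptables -A FORWARD -j DROP")
    # Constructed traffic: one new SSH packet, one new HTTP packet, then 100 packets of an
    # already established flow (the usual shape of real forwarded traffic).
    flows = [("tcp", 22, "NEW"), ("tcp", 80, "NEW")] + [("tcp", 22, "ESTABLISHED")] * 100
    verdicts = [fw.traverse("FORWARD", {"in": "eth0", "out": "eth1", "proto": p,
                                         "dport": d, "state": s}) for p, d, s in flows]
    counters = [r["packets"] for r in fw.rules["FORWARD"]]  # what iptables -nvL would show
    return verdicts.count("ACCEPT"), verdicts.count("DROP"), counters, fw.policy_hits["FORWARD"]
```

loopback_demo() returns ("DROP", "DROP", "ACCEPT", "Can't use -o with INPUT"): the OUTPUT rule on its own is not enough, and the mistaken INPUT rule never gets loaded at all. forward_demo() returns (101, 1, [100, 1, 1], 0): the per-rule counters are why the state rule belongs first, and the final zero is how many packets the FORWARD policy ever decided, which is Jason's point about a DROP rule at the end of a chain. Delete that last rule and the same model shows NEW packets falling through to the ACCEPT policy, which is Cedric's point that the ACCEPT rules are then redundant.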

* simple question
@ 2007-05-22 12:35 Filka Michal
       [not found] ` <da3a2a260705221120x3216601doee80f297904493a0@mail.gmail.com>
  0 siblings, 1 reply; 14+ messages in thread
From: Filka Michal @ 2007-05-22 12:35 UTC (permalink / raw)
  To: netfilter

Hi,

Can anyone tell me what exactly an update event means? Of course, I have
an idea, but I need to confirm it.

So, does it mean that "state" attribute changed (E.g. connection state,
counter, ... ), or is it related to a "configuration" attribute?

Thanks,

Michal Filka




* RE: simple question
       [not found] ` <da3a2a260705221120x3216601doee80f297904493a0@mail.gmail.com>
@ 2007-05-23  5:33   ` Filka Michal
  0 siblings, 0 replies; 14+ messages in thread
From: Filka Michal @ 2007-05-23  5:33 UTC (permalink / raw)
  To: netfilter

I would like to somehow use conntrack's events for very simple
synchronization of two connection tracking tables. So, I need to know
what should be a reason for particular events. As far as I know there
are NEW, UPDATE and DESTROY events available. In case of UPDATE event
I'm not sure when it occurs ... So, when is UPDATE event issued?

Thanks,
Michal Filka


> 
> I'm assuming that "update" originates from the idea of a database
> trigger. A trigger is an action performed after another action occurs.
> For example, when entering a new record, you could call a procedure to
> error check the formatting of the entry. Another example might be to
> add a record to a log table which logs the activity which occurs after
> a record is updated.
> 
> I'd imagine that what you are talking about (update) is an event
> similar to a trigger. This means that the answer would depend on what
> the trigger is set for. Maybe it is when state is updated, or maybe it
> is when the configuration is updated. Maybe both.
> 
> I have no idea to what you are referring or asking about, so beyond
> what I have detailed above, I cannot give you an answer.
> 
> Sorry.
> 
> On 5/22/07, Filka Michal <Michal.Filka@sitronicsts.com> wrote:
> > Hi,
> >
> > Can anyone tell me what exactly means an update event. Of course, I
> > have an idea, but I need to confirm it.
> >
> > So, does it mean that "state" attribute changed (E.g. connection
> > state, counter, ... ), or is it related to a "configuration" attribute?
> >
> > Thanks,
> >
> > Michal Filka
> >
> >
> >
> 
> 
> 
> --
> I thought about building you a boat to survive the river of tears I'm
> crying for you, but the world's smallest violins just aren't a
> reliable source of lumber, and that cross you're nailing yourself to
> seems buoyant enough anyways - Dr Gregory House, M.D.


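
The thread never settles what triggers an UPDATE event, and the quoted reply is only a guess. One way to find out on a given kernel is to watch the event stream and record which attributes of a flow differ between consecutive events for that flow. The Python below is an added example, not code from the list or from conntrack-tools. It assumes the text format printed by "conntrack -E" from conntrack-tools (event type in brackets, protocol name and number, an optional timeout and protocol state, the original-direction tuple, the reply-direction tuple, and bracketed flags such as [UNREPLIED] and [ASSURED]); the sample lines and the 10.0.0.x addresses are constructed to look like a TCP handshake and a UDP exchange, not captured from a real system.

```python
import re

# Constructed sample of conntrack -E output (conntrack-tools format, assumed here):
# a TCP connection to port 22 from SYN to teardown, interleaved with a DNS exchange over UDP.
SAMPLE = """\
    [NEW] tcp      6 120 SYN_SENT src=10.0.0.2 dst=10.0.0.9 sport=40000 dport=22 [UNREPLIED] src=10.0.0.9 dst=10.0.0.2 sport=22 dport=40000
 [UPDATE] tcp      6 60 SYN_RECV src=10.0.0.2 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.2 sport=22 dport=40000
    [NEW] udp      17 30 src=10.0.0.2 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.2 sport=53 dport=5353
 [UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.2 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.2 sport=22 dport=40000 [ASSURED]
 [UPDATE] udp      17 30 src=10.0.0.2 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=5353
[DESTROY] tcp      6 src=10.0.0.2 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.2 sport=22 dport=40000 [ASSURED]
"""

EVENT_RE = re.compile(r"^\s*\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+(\d+)(.*)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")
WATCHED = ("state", "timeout", "flags")   # attributes whose change is reported per UPDATE


def parse_event(line):
    """Turn one event line into a dict. src/dst/sport/dport occur twice: the first set is the
    original direction, the second the reply direction, so they are prefixed orig_/reply_."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"not a conntrack event line: {line!r}")
    ev = {"event": m.group(1), "proto": m.group(2), "flags": set()}
    tuple_fields = 0
    for tok in m.group(4).split():
        if tok.startswith("["):                   # [UNREPLIED], [ASSURED], ...
            ev["flags"].add(tok.strip("[]"))
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in TUPLE_KEYS:
                key = ("orig_" if tuple_fields < len(TUPLE_KEYS) else "reply_") + key
                tuple_fields += 1
            ev[key] = val
        elif tok.isdigit():                       # remaining timeout in seconds
            ev["timeout"] = int(tok)
        else:                                     # protocol state name, e.g. ESTABLISHED
            ev["state"] = tok
    return ev


def flow_key(ev):
    """Identify a flow by protocol plus its original-direction tuple."""
    return (ev["proto"],) + tuple(ev[f"orig_{k}"] for k in TUPLE_KEYS)


def diff_updates(lines):
    """For each UPDATE, return (proto, {attr: (before, after)}) for the watched attributes
    that differ from the previous event seen for the same flow."""
    last, report = {}, []
    for line in lines:
        ev = parse_event(line)
        key = flow_key(ev)
        if ev["event"] == "UPDATE" and key in last:
            prev = last[key]
            changed = {a: (prev.get(a), ev.get(a)) for a in WATCHED if prev.get(a) != ev.get(a)}
            report.append((ev["proto"], changed))
        if ev["event"] == "DESTROY":
            last.pop(key, None)
        else:
            last[key] = ev
    return report
```

On the constructed sample, diff_updates(SAMPLE.splitlines()) reports three UPDATEs: two for the TCP flow where state, timeout and flags all changed, and one for the UDP flow where only the [UNREPLIED] flag went away. Feed it the lines from a live "conntrack -E" instead of SAMPLE to see which of those attributes actually change on your kernel, which is the information the synchronisation use case needs; the parser keeps the full tuple from each line, so a DESTROY carries enough to remove the matching entry on the peer.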
