From: jwlargent <jwlargent@vlsmaps.com>
To: netfilter@lists.netfilter.org
Subject: Re: Dropping Connections
Date: Fri, 22 Dec 2006 11:54:50 -0600
Message-ID: <458C1BEA.7070002@vlsmaps.com>
In-Reply-To: <503576.13829.qm@web56206.mail.re3.yahoo.com>
Elvir Kuric wrote:
> Hi Tolga,
>
> iptables works in such a way that it first checks the first
> rules that are written in your firewall script.
> So you first have to allow everything you want and
> after that stop the traffic you do not want.
>
> If you have rules , A, B , C , D written in script in
> this order
> A
> B
> C
> D
> iptables will check rule A first and so on. If rule A
> drops some traffic it will be dropped even if you allow
> it again in rule B, or some other rule after A.
> For example
> iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP
>
> iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> just the first rule will be checked and you will not
> be able to accept new connections in the INPUT chain (
> first rule ) even if you allow it in the second one.
>
>
> To drop everything you can use for example
> iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
> iptables -A INPUT -s 0/0 -p udp -j DROP
>
> but apply these rules after all your rules that allow
> necessary traffic.
> I recommend that you read ( in my opinion the best
> manual I ever read )
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
>
> So the conclusion will be: iptables looks at the first rules
> first.
> See of course man iptables.
>
> Regards
>
> Elvir Kuric
>
>
> To drop everything you can use for example
> iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
> iptables -A INPUT -s 0/0 -p udp -j DROP
>
>
Why not just:
iptables -A INPUT -j DROP
> --- Tolga Onbay <tolgaonbay@yahoo.com> wrote:
>
>
>> Hi,
>>
>> I want to drop all connections from/to a subnet if I
>> don't allow them. For example, accept the msnmessenger
>> protocol with l7-filter and forward all port 80
>> connections to content filtering software. Then I
>> want to drop all connections. I write the rules and
>> set the default action type to Drop. But now the
>> clients cannot connect to msnmessenger. (I write the
>> msnmessenger rule to the FORWARD chain)
>>
>> Also, no one answered my previous mail. If I asked the
>> wrong group or something is wrong with the subject
>> please remind me.
>>
>> Thanks
>>
>>
>> Tolga
>>
>>
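The two points raised in this thread, that iptables takes the first matching rule in a chain and that a trailing `-j DROP` with no match fields catches everything while the `tcp --syn` / `udp` pair does not, can be checked without root and without a kernel by modelling the first-match walk. The model below is an added example, not code from the thread or from the netfilter project; it models only the match fields the thread uses (`-p`, `-m state --state`, `--syn`, `--dport`) and assumes the chain policy defaults to ACCEPT, as a fresh iptables install does. The `Packet` and `Rule` classes and the probe packets are constructed for the demonstration.

```python
"""Model of iptables first-match evaluation (added example, not from the thread).

Rules in a chain are tried top to bottom; the first rule whose match fields all
agree with the packet decides the verdict, and a packet matching no rule gets
the chain's default policy.  Only the matches used in the thread are modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    state: str                  # conntrack state: NEW, RELATED or ESTABLISHED
    syn: bool = False           # True for a SYN-only TCP packet (what --syn matches)
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                         # ACCEPT or DROP
    proto: Optional[str] = None         # -p
    states: Optional[Set[str]] = None   # -m state --state A,B
    syn: Optional[bool] = None          # --syn
    dport: Optional[int] = None         # --dport

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every match field it carries agrees with the packet."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.syn is not None and (pkt.proto != "tcp" or pkt.syn != self.syn):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies (iptables semantics)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


STATEFUL = {"NEW", "RELATED", "ESTABLISHED"}
NEW_HTTP = Packet("tcp", "NEW", syn=True, dport=80)   # constructed probe: a fresh connection


def elvir_drop_first() -> str:
    """Elvir's example as written: the DROP rule sits first, so the ACCEPT never runs."""
    chain = [Rule("DROP", proto="tcp", states=STATEFUL),
             Rule("ACCEPT", proto="tcp", states=STATEFUL)]
    return verdict(chain, NEW_HTTP)          # "DROP"


def elvir_accept_first() -> str:
    """Same two rules with the ACCEPT moved ahead of the DROP."""
    chain = [Rule("ACCEPT", proto="tcp", states=STATEFUL),
             Rule("DROP", proto="tcp", states=STATEFUL)]
    return verdict(chain, NEW_HTTP)          # "ACCEPT"


def catch_all_comparison() -> Dict[str, Tuple[str, str]]:
    """Allow rules first, then either the narrow tcp --syn / udp drops or a bare -j DROP.

    Returns {probe: (verdict with narrow drops, verdict with bare DROP)}.
    """
    allow = [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
             Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"})]
    narrow = allow + [Rule("DROP", proto="tcp", syn=True), Rule("DROP", proto="udp")]
    broad = allow + [Rule("DROP")]           # jwlargent's "iptables -A INPUT -j DROP"
    probes = {                               # constructed sample traffic
        "ssh_new": Packet("tcp", "NEW", syn=True, dport=22),
        "http_new": NEW_HTTP,
        "udp_new": Packet("udp", "NEW", dport=53),
        "icmp_new": Packet("icmp", "NEW"),
        # a non-SYN TCP packet with no conntrack entry is classified NEW by iptables
        "tcp_nonsyn_new": Packet("tcp", "NEW", syn=False, dport=80),
    }
    return {name: (verdict(narrow, p), verdict(broad, p)) for name, p in probes.items()}


if __name__ == "__main__":
    print("DROP before ACCEPT:", elvir_drop_first())
    print("ACCEPT before DROP:", elvir_accept_first())
    for name, (narrow_v, broad_v) in catch_all_comparison().items():
        print(f"{name:15s} narrow={narrow_v:6s} bare -j DROP={broad_v}")
```

The last probe pair is the one worth noticing: with only the `tcp --syn` and `udp` drops, ICMP and non-SYN TCP packets that conntrack has never seen fall through to the chain policy, which on an unconfigured chain is ACCEPT. The bare `-j DROP` at the end of the chain, or equivalently `iptables -P INPUT DROP`, closes that gap, and the allow rules must still sit above it, as Elvir says.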