IPTables has a "drop all anywhere" and "accept all anywhere"
As stated in the subject, I was looking through the INPUT chain rules and saw that there is a DROP all anywhere as well as an ACCEPT all anywhere.
I don't know that much about iptables, but are these rules working against each other? Should I delete both of them? Or maybe I am interpreting this incorrectly? Any explanation would be nice before I start messing around with iptables. Thanks a lot, Brian
iptables is a bit more complicated than just that. It can also filter by interface, and I have an INPUT rule that ACCEPTs all anywhere from the local interface and then DROPs all anywhere after ACCEPTing specific ports, knowing that all are from the outside-facing interface. Messing with those rules does require being familiar with just how a packet flows through the process. I wouldn't suggest deleting them without that knowledge.
Try this one:
http://iptables-tutorial.frozentux.n...-tutorial.html
If it doesn't match, it is unprocessed by the first rule and then moves down to the next rule. When (if) it falls all the way through the set of rules for a chain, there is another, implied, rule for the chain: the 'policy' for the chain, or, to be more explicit, 'a rule to deal with any packet that falls all the way through'. Having a policy of 'drop' is usually considered to be more sensible from a security point of view than 'accept'. This process is described in a lot more detail in the frozentux tutorial (which is hardly light bedtime reading, except for serious insomniacs, but is an excellent manual). If, instead, you wanted a worked example, have a look at linuxhomenetworking. Their example is almost identical to the relevant chapter and appendix from Harrison's Linux Quick Fix Notebook - also excellent, but a bit more tutorial-ish (where the supposed tutorial at frozentux is more manual-ish).
For most purposes, Yast does a perfectly good job of writing a ruleset (I'm not trying to put you off learning - anything but), so you are probably not in the position of having to do this to 'cure' a 'broken' ruleset. But looking through the ruleset that it generates, and maybe even modifying what you tell yast and looking at the changes that it makes to the ruleset is all to the good as an easy learning stage.
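The two points made above (first matching rule wins and the chain policy only applies to packets that match nothing, and an "ACCEPT all anywhere" rule can be restricted by an interface match that plain `iptables -L` does not display; `iptables -L -v -n` shows the in/out columns) can be seen in a small model of how the INPUT chain is walked. This is an added illustration, not code from the thread or from iptables itself; the chain, packets and the simplified state match are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    proto: str = "all"               # the "prot" column of `iptables -L`
    in_iface: Optional[str] = None   # -i; hidden unless you use `iptables -L -v`
    dport: Optional[int] = None      # --dport
    state: Optional[str] = None      # simplified stand-in for -m state --state


@dataclass
class Packet:
    iface: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match of a rule must hold; unspecified matches are wildcards."""
    return (
        (rule.proto == "all" or rule.proto == pkt.proto)
        and (rule.in_iface is None or rule.in_iface == pkt.iface)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.state is None or rule.state == pkt.state)
    )


def verdict(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain top to bottom; the first match decides, else the policy does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# Constructed INPUT chain in the shape described in the reply above.
INPUT = [
    Rule("ACCEPT", in_iface="lo"),            # listed as "ACCEPT all -- anywhere anywhere"
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP"),                             # listed as "DROP all -- anywhere anywhere"
]
POLICY = "ACCEPT"   # never reached here because the last rule matches everything


def demo() -> dict:
    return {
        "loopback_http": verdict(INPUT, POLICY, Packet("lo", "tcp", 80)),
        "external_ssh": verdict(INPUT, POLICY, Packet("eth0", "tcp", 22)),
        "external_http": verdict(INPUT, POLICY, Packet("eth0", "tcp", 80)),
        "empty_chain_drop_policy": verdict([], "DROP", Packet("eth0", "udp", 53)),
    }
```

Deleting the final DROP rule in this model would let the external HTTP packet fall through to the ACCEPT policy, which is why the reply warns against removing rules before understanding the flow.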