Quote:
Originally Posted by Zero187
I don't know that much about iptables, but - are these rules working against each other?
- Should I delete both of them?
- Or maybe I am interpreting this incorrectly?
|
In order:
- No (very probably)
- No (certainly)
- Yes (as far as I can tell)
Quote:
Any explanation would be nice before I start messing around with iptables.
|
OK, here we go (roughly): Rules are executed, one by one, in order So as a packet comes along, it meets the first rule, is tested against whatever test is implied by that rule and, if it matches, is sent off to be processed, as implied by the rule.
If it doesn't match, it is unprocessed by the first rule and then moves down to the next rule.
When (if) it falls all the way through the set of rules for a chain, there is another, implied, rule for the chain; the 'policy' for the chain, or, to be more explicit, 'a rule to deal with any packet that falls all the way through'. Having a policy of 'drop' is usually considered to be more sensible from a security point of view than 'accept'.
This process is described in a lot more detail in the frozentux tutorial (which is hardly light bedtime reading, except for serious insomniacs, but is an excellent manual). If, instead, you wanted a worked example, have a look at linuxhomenetworking. Their example is almost identical to the relevant chapter and appendix from Harrison's Linux Quick Fix Notebook - also excellent, but a bit more tutorial-ish, (where the supposed tutorial at frozen tux is more manual-ish).
Quote:
I'm getting good with the SuSE firewall2
|
A bit of advice; either use the SuSE firewall, or don't (or be prepared to struggle slightly). One of the troubles with 'going behind yast's back' to set up a set of firewall rules manually, is that yast has a habit of overwriting what you are doing, unless you are careful. You
can get round this (either tell yast not to do anything with the firewall and do it all yourself, or let yast do what it does on boot and then modify the ruleset afterwards), but it does add a little complexity to the process.
For most purposes, Yast does a perfectly good job of writing a ruleset (I'm not trying to put you off learning - anything but), so you are probably not in the position of having to do this to 'cure' a 'broken' ruleset. But looking through the ruleset that it generates, and maybe even modifying what you tell yast and looking at the changes that it makes to the ruleset is all to the good as an easy learning stage.