* Learning iptables
From: Leonardo Carneiro @ 2009-04-18 12:32 UTC (permalink / raw)
To: netfilter
Hi everyone,
I have average-to-good Linux knowledge, but I'm quite a noob when it
comes to iptables, so I decided to study it.
I'm reading a lot of articles and blogs, and testing some rules, so far
it's all going well.
Right now I'm running a server with tons of rules written by the admin
that worked here before me, and in the policies section of the script
I've found these rules:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

$IPTABLES -A INPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -s $INET_IP_DIN -j ACCEPT
$IPTABLES -A OUTPUT -d $INET_IP_DIN -j ACCEPT

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
Is there any good reason why someone would set an ACCEPT policy for all
chains first and withdraw some later? What is the benefit of doing this?
Sorry about my poor English.
Thanks in advance
--
Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@veltrac.com.br
http://www.veltrac.com.br
Business phone: (43)2105-5600
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina - PR
CEP: 86015-010
* Re: Learning iptables
From: Brian Austin - Standard Universal @ 2009-04-18 12:48 UTC (permalink / raw)
To: Leonardo Carneiro; +Cc: netfilter
Hi,
the only reason I can think of is to allow packets through for the
milliseconds it takes the script to run.
regards
Brian
* Re: Learning iptables
From: Thomas Jacob @ 2009-04-18 12:59 UTC (permalink / raw)
To: Leonardo Carneiro; +Cc: netfilter
On Sat, Apr 18, 2009 at 09:32:58AM -0300, Leonardo Carneiro wrote:
> Is there any good reason why someone would set an ACCEPT policy for all
> chains first to withdraw some later? What the benefit of doing this?
If I had to guess at the ruleset author's intentions, I'd say
s/he wanted to prevent service disruptions when reloading the
firewall scripts.
Loading a lot of rules without iptables-restore can take quite some time,
and if you have a DROP policy during the rule loading time,
some packets that your final ruleset would pass through will be dropped.
Also, if your scripts terminate prematurely, you might not be able
to remotely access your machine anymore.
But then again, you should load your ruleset before you bring up
your network, so the first reason should be irrelevant. And the
second shouldn't really matter after the initial testing phase.
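As an added example (not code from the thread), the same ruleset written for iptables-restore, which Thomas mentions above: the policies and rules in one table block are committed together, so there is never a window where the chains sit at ACCEPT with no rules loaded, and a parse failure leaves the previous ruleset in place instead of half-applied. The address values are assumed placeholders standing in for the script's own variables.

```shell
#!/bin/sh
# Added example: the original script's ruleset in iptables-restore format.
# Assumed placeholder values for the script's variables (override via env).
LO_IP=${LO_IP:-127.0.0.1}
LAN_IP=${LAN_IP:-192.168.0.0/24}
INET_IP_DIN=${INET_IP_DIN:-203.0.113.10}

# Emit the ruleset. Each "*table ... COMMIT" block is applied as a unit:
# the ":CHAIN POLICY [0:0]" lines set the final policies directly, so no
# interim ACCEPT policy is ever installed. Without --noflush, restore also
# flushes each listed table and drops its user-defined chains, which is
# what the original "-F / -t nat -F / -t mangle -F / -X" lines did; the
# empty nat and mangle blocks exist only to clear those tables.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $LO_IP -j ACCEPT
-A OUTPUT -d $LO_IP -j ACCEPT
-A INPUT -s $LAN_IP -j ACCEPT
-A OUTPUT -d $LAN_IP -j ACCEPT
-A INPUT -s $INET_IP_DIN -j ACCEPT
-A OUTPUT -d $INET_IP_DIN -j ACCEPT
COMMIT
*nat
COMMIT
*mangle
COMMIT
EOF
}

# Number of append rules the file carries: a cheap sanity check before
# loading, e.g. compare against "iptables -S | grep -c '^-A '" afterwards.
count_rules() {
    gen_rules | grep -c '^-A '
}

# Parse-only pass first (iptables-restore --test, present in modern
# iptables), then commit for real. Needs root and iptables; not run here.
apply_rules() {
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}
```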
* Re: Learning iptables
From: Leonardo Carneiro @ 2009-04-18 13:20 UTC (permalink / raw)
To: netfilter
Thanks Thomas and Brian. It was very helpful.
Now I'll continue with my journey _o/
Thanks again! =)
* Re: Learning iptables
From: Bruno Moreira Guedes @ 2009-04-18 15:55 UTC (permalink / raw)
To: netfilter
2009/4/18 Leonardo Carneiro <lscarneiro@veltrac.com.br>:
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -X
>
> $IPTABLES -A INPUT -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -d $LO_IP -j ACCEPT
> $IPTABLES -A INPUT -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -d $LAN_IP -j ACCEPT
> $IPTABLES -A INPUT -s $INET_IP_DIN -j ACCEPT
> $IPTABLES -A OUTPUT -d $INET_IP_DIN -j ACCEPT
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
The main thing I couldn't understand is why add just three ACCEPT
rules on a chain, and after that set this chain's default policy to ACCEPT.
And also, why set OUTPUT to ACCEPT twice!! Is iptables deaf??
Anyway, be careful when trusting the old admin's script; make
sure your firewall is safe by reviewing it.
[]'s
* Re: Learning iptables
From: Amos Jeffries @ 2009-04-18 23:34 UTC (permalink / raw)
To: Leonardo Carneiro; +Cc: netfilter
Leonardo Carneiro wrote:
> Thanks Thomas and Brian. It was very helpful.
> Now I'll continue with my journey _o/
>
> Thanks again! =)
People rarely mention this, but I've found it extremely helpful for
grokking some of the tutorials:
http://l7-filter.sourceforge.net/PacketFlow.png
AYJ
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
Current Beta Squid 3.1.0.7