* learning to understand iptables
From: serando @ 2021-11-03 13:23 UTC (permalink / raw)
  To: netfilter

Hello

At the moment I am reading a book about iptables. It's very hard to 
understand.

My system:
An office desktop PC i5-4570.
My PC does not offer any services for the internet. It is used for 
serving the web only. And I have installed a virtual machine (with a 
windows guest). Samba is used to communicate with my virtual-machine 
(VirtualBox).
I have no (internal) network. And the PC is behind a router.

I know that my system does not need an iptables firewall. But I am just 
interested to understand the very basics of iptables.

This is why I am reading a book about iptables. So I would be happy to 
ask questions about iptables from time to time.

Is this OK for you?


* Re: learning to understand iptables
From: G.W. Haywood @ 2021-11-03 15:51 UTC (permalink / raw)
  To: serando; +Cc: netfilter

Hi there,

On Wed, 3 Nov 2021, serando wrote:

> At the moment I am reading a book about iptables. It's very hard to 
> understand.

My guess is that it is hard to understand because you do not have a
sufficient background understanding of networking in general.

> My system:
> An office desktop PC i5-4570.
> My PC does not offer any services for the internet. It is used for serving 
> the web only. And I have installed a virtual machine (with a windows guest). 
> Samba is used to communicate with my virtual-machine (VirtualBox).
> I have no (internal) network. And the PC is behind a router.

Your description gives me confidence that my guess is right.  For
example, if your PC is behind a router then indeed you do have an
internal network; that is how the PC communicates with the router.

> I know, that my system does not need an iptables firewall.

Perhaps.  Perhaps not.  I am inclined to think that it can't hurt, if
it's done properly. :)

> But I am just interested to understand the very basics of iptables.

Good. :)

> This is why I am reading a book about iptables. So I would be happy to ask 
> questions about iptables from time to time.
>
> Is this OK for you?

It's perfectly OK for me, but you might find that you will get more
and better responses from others if your questions are very specific.

To begin with, look at the netfilter site documentation page:

https://netfilter.org/documentation/index.html

Be aware that iptables is

(a) confusing enough in itself, partly because it can be used to refer
to a simple command-line tool or an entire packet filtering framework,
sometimes in the same breath, and

(b) gradually being replaced, currently by 'netfilter', which I find
_very_ much more confusing than ever I found iptables.

Long ago I started to learn about networking with the Net-3-HOWTO.  It
will still be available online, and if I had to start again that's the
place I'd probably start.  The nearest that I can see on the netfilter
documentation page is the "Networking Concepts HOWTO" but that's even
older than the Net-3-HOWTO.  I'm neither an expert nor current on the
state of the documentation, others here might have better suggestions.

-- 

73,
Ged.


* Re: learning to understand iptables
From: serando @ 2021-11-03 18:25 UTC (permalink / raw)
  To: netfilter

Hello Ged and all others


Thank you very much.


Here is my first question:
The iptables configuration is as follows:

$ sudo iptables -L
Output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


I have read that with this configuration, my browser only accepts data 
from the Internet, if it has requested the data. This means that all 
packets that the browser has not requested are dropped.

Question 1:
Which programme now ensures that data acceptance of unrequested packets 
is dropped with the above iptables configuration? Is it Netfilter? In 
this case, does Netfilter filter out these unrequested packets?

Question 2:
If Netfilter is filtering out these packets: I assume that if we switched 
off or uninstalled Netfilter, then the browser would also accept 
packets from the Internet that the browser has not requested. Right?

Very interested in this. Thank you.


* Re: learning to understand iptables
From: Reindl Harald @ 2021-11-03 19:17 UTC (permalink / raw)
  To: netfilter



On 03.11.21 at 19:25, serando wrote:
> Hello Ged and all others
> Thank you very much.
> 
> Here is my first question:
> The iptables configuration is as follows:
> 
> $ sudo iptables -L
> Output:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>  
> I have read that with this configuration, my browser only accepts data 
> from the Internet, if it has requested the data. This means that all 
> packets that the browser has not requested are dropped.
> 
> Question 1:
> Which programme now ensures that data acceptance of unrequested packets 
> is dropped with the above iptables configuration? Is it Netfilter? In 
> this case, does Netfilter filter out these unrequested packets?

this configuration does exactly *nothing* at all because all chains are 
*empty* with a default ACCEPT policy

a mailing-list is really the wrong place when you start with that low 
understanding

your browser doesn't do anything to begin with, it's the network stack 
and for what you try to achieve google for "stateful packet filtering" 
and "conntrack"

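The point Reindl makes above, that empty chains with a default ACCEPT policy filter nothing and that "only replies to what I requested" is the job of stateful filtering with conntrack, as an added example that is not code from the thread or from the netfilter project: the ruleset serando posted next to a minimal stateful one, both in iptables-restore syntax. The functions only print rulesets; nothing is applied to the running kernel.

```shell
#!/bin/sh
# Added example, not from the thread: the ruleset serando posted next to a
# minimal stateful one, both in iptables-restore syntax. The functions only
# print text; apply on a test host with:  stateful_ruleset | sudo iptables-restore

# What "iptables -L" in the thread showed: no rules, every policy ACCEPT.
# The kernel filters nothing here; only the TCP/UDP stack decides what it
# answers, so "unrequested packets are dropped" is not what this does.
empty_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Stateful variant: conntrack tracks connections this host opens (the browser's
# requests) and admits their replies (ESTABLISHED) and related traffic such as
# ICMP errors (RELATED). Anything else arriving hits the INPUT policy DROP.
# Loopback stays open; FORWARD is DROP because this PC routes for nobody.
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rules (lines starting "-A") in a ruleset read from stdin.
# 0 for the thread's ruleset, which is why it "does nothing".
rule_count() {
    grep -c '^-A ' || true
}

# Policy of the INPUT chain in a ruleset read from stdin: ACCEPT or DROP.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Stand-alone run: show how the two rulesets differ.
printf 'thread ruleset: %s rules, INPUT policy %s\n' \
    "$(empty_ruleset | rule_count)" "$(empty_ruleset | input_policy)"
printf 'stateful ruleset: %s rules, INPUT policy %s\n' \
    "$(stateful_ruleset | rule_count)" "$(stateful_ruleset | input_policy)"
```

On serando's setup the INPUT DROP policy would also stop the Samba traffic coming from the VirtualBox guest, so a rule admitting that traffic on the VM's host-side interface would have to be added before this is usable there.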

* Re: learning to understand iptables
From: G.W. Haywood @ 2021-11-03 23:40 UTC (permalink / raw)
  To: serando; +Cc: netfilter

Hi there,

On Wed, 3 Nov 2021, serando wrote:

> ...
> The iptables configuration is as follows:
>
> $ sudo iptables -L
> Output:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> I have read that with this configuration, my browser only accepts data from 
> the Internet, if it has requested the data. This means that all packets that 
> the browser has not requested are dropped.

I doubt that you have read that.  It is wrong.  Your remaining questions are
based on an assumption which is false, and therefore need no answer.

You really should read some of the documentation which I mentioned in
my previous reply to you.

-- 

73,
Ged.
