Re: Need some clarity


The numbers in [...] are packet counts (iptables -L -n -v).
Order of rules is important --- packets pass through until they hit a match,
then are handled by that match.
Don't try to hand edit the iptables-save file. Create a script to load your
rules using the iptables command (Oskar Andreasson's iptables Tutorial has
several excellent starter scripts).

By default the best way to build a firewall is to set a policy of DROP on all
chains and allow only what you need.

The COMMIT ... think like a database .... *grin* That's what actually applies
the rules.



On May 27, 2003 02:45 pm, Michael Carroll wrote:
> Hello netfilter development crew,
>
> I have a couple of probably straightforward questions, but I don't know
> the answers to them and would like to clear things up a little bit.
>
> # Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
> *nat
>
> :PREROUTING ACCEPT [7595:344053]
> :POSTROUTING ACCEPT [80:4556]
> :OUTPUT ACCEPT [63:3755]
>
> COMMIT
>
> That is what is generated when I first do an 'iptables-save > /dir'. Now
> I was wondering what all the numbers inside those brackets stood for,
> because when I start to add rules to them those numbers start to change.
> They also add the user defined rules just before the COMMIT.  Does it
> matter how you type out your iptables rules, like you should DROP
> everything first, then start to 'open' ports up, correct?  Also, one other
> thing: what does the COMMIT mean?
>
> Thank you in advance.
>
> Michael Carroll

-- 

Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS

Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
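The kind of starter script the reply recommends, written here as an added example (it is not from the thread or from Oskar Andreasson's tutorial): default DROP policy on every filter chain, then explicit allows in an order that matters. It assumes SSH on port 22 is the only inbound service, and uses an IPT variable so the rules can be previewed with IPT=echo before they touch the kernel; chain_counters shows what the [pkts:bytes] numbers in iptables-save output are.

```shell
#!/bin/sh
# Constructed starter script: default-DROP policy on every filter chain,
# then explicit allows. Rules are matched in the order they are appended,
# so the catch-all accept for existing connections goes before the
# port-specific rules and the LOG rule goes last.
IPT="${IPT:-iptables}"       # set IPT=echo to preview without loading anything
SSH_PORT="${SSH_PORT:-22}"   # assumed: the only inbound service to expose

load_rules() {
    # Start from a clean table and set the default policies before any rule,
    # so nothing is accepted by accident while the rules are being loaded.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback and replies to connections this host initiated are always fine.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Open only what is needed; a packet that matches here stops here.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Log whatever falls through (rate limited), then the DROP policy takes it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Extract the "[pkts:bytes]" counters iptables-save prints on a chain line,
# e.g. ":PREROUTING ACCEPT [7595:344053]" -> "7595 344053".
chain_counters() {
    printf '%s\n' "$1" | sed -n 's/^:[^ ]* [^ ]* \[\([0-9]*\):\([0-9]*\)\]$/\1 \2/p'
}
```

Run it as root to load the rules, or as `IPT=echo sh script.sh` after adding a `load_rules` call at the bottom to see exactly which iptables commands would be issued.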