The numbers in [...] are packet counts (iptables -L -n -v)

Order of rules is important --- packets pass through until they hit a match, then are handled by that match.

Don't try to hand edit the iptables-save file .. create a script to load your rules using the iptables command (Oskar Andreasson's iptables Tutorial has several excellent starter scripts)

By default the best way to build a firewall is to set a policy of DROP on all chains and allow only what you need.

The COMMIT ... think like a database.... *grin* that's what actually applies the rules.

On May 27, 2003 02:45 pm, Michael Carroll wrote:
> Hello netfilter development crew,
>
> I have a couple, probably straightforward questions, but I don't know
> the answers to and would like to just clear things up a little bit.
>
> # Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
> *nat
>
> :PREROUTING ACCEPT [7595:344053]
> :POSTROUTING ACCEPT [80:4556]
> :OUTPUT ACCEPT [63:3755]
>
> COMMIT
>
> That is what is generated when I first do an 'iptables-save > /dir' now
> I was wondering what all the numbers inside those brackets stood for,
> because when I start to add rules to them those numbers start to change.
> They also add the user defined rules just before the COMMIT. Does it
> matter in how you type out your iptables rules, like you should DROP
> everything first, then start to 'open' ports up correct? Also one other
> thing what does the COMMIT mean?
>
> Thank you in advance.
>
> Michael Carroll

--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS

Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
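A rule-loading script of the kind the reply recommends, added here as an example that is not from the thread or from the iptables Tutorial: it sets a DROP policy on every chain and then opens only loopback, established traffic and SSH; the script name firewall.sh, the admin network 192.0.2.0/24 and the IPT override for dry runs are assumptions.

```shell
#!/bin/sh
# Added example: load firewall rules with the iptables command instead of
# hand-editing iptables-save output. Run as root to apply; run with
# IPT=echo to print the rules without touching the live firewall.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"              # assumed: the only exposed service
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # assumed: management network (TEST-NET-1)

load_firewall() {
    # Start clean: flush rules, delete user-defined chains, zero the counters
    $IPT -F
    $IPT -X
    $IPT -Z

    # Default policy DROP on all chains: packets are tested against rules top
    # to bottom and handled by the first match; anything that matches no rule
    # falls through to the chain policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Local services need loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host started, and outbound new connections
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # The only inbound service: new SSH connections from the admin network.
    # Order matters: this must sit above the LOG rule or the LOG rule wins.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT

    # Rate-limited log of what is about to hit the DROP policy
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Number of -A rules the script would load (dry run via IPT=echo); a cheap
# sanity check before applying the script on a remote host.
rule_count() {
    IPT=echo load_firewall | grep -c -- '-A '
}

# Apply the rules only when executed as firewall.sh, not when sourced.
case "$0" in */firewall.sh|firewall.sh) load_firewall ;; esac
```

Check the result afterwards with `iptables -L -n -v`; the counters in the listing are the same packet and byte counts that iptables-save writes in brackets.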