On Monday 04 July 2005 13:36, John Sasso Jr wrote:
> I'm curious - for the sample configuration I gave in my original
> posting, why would:
>
> iptables -A OUTPUT -o eth0 -s 192.168.50.100 -p icmp --icmp-type
> echo-request -j ACCEPT
>
> fail to permit a packet originating from my system out? I understand

Try inserting a LOG rule ahead of that ...

iptables -I OUTPUT -o eth0 -j LOG

and watch your kernel logs while trying to ping. Check the counters, with "iptables -vnL". Are they incremented for each ping sent? If so, they matched the rule; if not, they didn't. Maybe the replies aren't matching. Repeat the above steps for INPUT.

Soon enough you will find out why it didn't work. Or not.

Actually I bet you will find that no pings were sent. What do you have for "ls -l `which ping`"? Is it SUID?

$ v `which ping`
-rws--x--x 1 root bin 29232 2004-11-03 22:55 /bin/ping
   ^
That little "s" there is necessary for non-root users.

> what "iptables -P OUTPUT ACCEPT" does, and I am not arguing the logic
> behind using that instead for my situation, but I'm wondering if
> packet filtering operates differently for traffic originated by a
> firewall as opposed to traversing a firewall.

OUTPUT is the chain that sees the packets which originated on the firewall machine. Packet matching follows the same principle in all tables and chains.

--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
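An added example (not from the thread, and not netfilter's own tooling) of the counter check the reply describes: take `iptables -vnL OUTPUT` before and after sending a few pings, diff the per-rule packet counters, and apply the reply's reasoning about whether packets reached the chain, matched a rule, or fell through to the policy. The two snapshots are constructed sample output, and the script assumes the catch-all `-j LOG` rule from the reply is present in the chain.

```python
import re

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}
_POLICY = re.compile(r"^Chain \S+ \(policy \S+ (\d+)([KMG]?) packets")
# columns: pkts bytes target prot opt in out source destination ...
_RULE = re.compile(r"^\s*(\d+)([KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)")
# Constructed sample, not captured from a real host: after four pings the LOG
# rule counted them, the ICMP ACCEPT rule did not, and the DROP policy ate them.
BEFORE = """Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 ACCEPT     icmp --  *      eth0    192.168.50.100       0.0.0.0/0            icmptype 8
   12   960 ACCEPT     tcp  --  *      eth0    192.168.50.100       0.0.0.0/0            tcp dpt:22
"""
AFTER = (BEFORE.replace("DROP 0 packets, 0 bytes", "DROP 4 packets, 336 bytes")
               .replace("    0     0 LOG", "    4   336 LOG"))

def parse_chain(text):
    """Return (policy_packets, rules) from `iptables -vnL CHAIN` output."""
    policy_pkts, rules = 0, []
    for line in text.splitlines():
        m = _POLICY.match(line)
        if m:
            policy_pkts = int(m.group(1)) * _SUFFIX[m.group(2)]
            continue
        m = _RULE.match(line)  # the "pkts bytes ..." header starts with letters, never matches
        if m:
            rules.append({"pkts": int(m.group(1)) * _SUFFIX[m.group(2)], "target": m.group(3),
                          "prot": m.group(4), "out": m.group(5), "src": m.group(6)})
    return policy_pkts, rules

def counter_deltas(before, after):
    """Per-rule packet increments between two snapshots, plus the chain-policy increment."""
    pol_b, rules_b = parse_chain(before)
    pol_a, rules_a = parse_chain(after)
    if [r["target"] for r in rules_b] != [r["target"] for r in rules_a]:
        raise ValueError("rule set changed between snapshots; take them again")
    return [dict(a, delta=a["pkts"] - b["pkts"]) for a, b in zip(rules_a, rules_b)], pol_a - pol_b

def diagnose(before, after):
    """The reply's reasoning: did packets reach the chain, match a rule, or fall through?"""
    deltas, policy_delta = counter_deltas(before, after)
    if sum(d["delta"] for d in deltas if d["target"] == "LOG") == 0:
        return "no packets reached the chain: check that ping sent any (is it setuid root?)"
    hits = [f"{d['target']}/{d['prot']} src {d['src']} +{d['delta']}"
            for d in deltas if d["target"] != "LOG" and d["delta"] > 0]
    if hits:
        return "matched: " + ", ".join(hits)
    return f"{policy_delta} packet(s) hit the chain policy: no rule matched"
```

On a real host, capture the two snapshots with `iptables -vnL OUTPUT` around the ping run and pass their text to `diagnose`.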