Re: Dropping Connections

Elvir Kuric wrote:
Hi Tolga,
iptables works in such a way that it checks the rules in the order they are written in your firewall script.
So you first have to allow everything you want and after that stop the traffic you do not want.

If you have rules A, B, C, D written in the script in this order:
A
B
C
D
iptables will check rule A first and so on. If rule A drops some traffic it will be dropped even if you allow it again in rule B, or some other rule after A.
For example:
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP

iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Just the first rule will be checked and you will not be able to accept new connections in the INPUT chain (first rule) even though you allow it in the second one.

To drop everything you can use for example:
iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -p udp -j DROP

but apply these rules after all your rules that allow necessary traffic.
I recommend you read (in my opinion the best manual I ever read)
http://iptables-tutorial.frozentux.net/iptables-tutorial.html


So the conclusion will be: iptables looks at the first rules first.
See of course man iptables.

Regards
Elvir Kuric


To drop everything you can use for example:
iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -p udp -j DROP


Why not just:
 iptables -A INPUT -j DROP



--- Tolga Onbay <tolgaonbay@xxxxxxxxx> wrote:

Hi,

I want to drop all connections from/to the subnet if I don't allow them. For example, accept the msnmessenger protocol with l7-filter and forward all port 80 connections to the content filtering software. Then I want to drop all connections. I write the rules and set the default action type to Drop. But now the clients cannot connect to msnmessenger. (I write the msnmessenger rule in the FORWARD chain.)
Also, no one answered my previous mail. If I asked the wrong group or something is wrong with the subject, please remind me.

Thanks


Tolga
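The first-match behaviour Elvir describes, the "why not just -j DROP" question, and the INPUT-versus-FORWARD distinction in Tolga's setup can all be checked offline with a small model of chain traversal. The following is an added example written for this archive page; it is not netfilter code or anything posted in the thread. It parses only the iptables options the thread uses (-A, -p, -m state --state, --syn, -s, -j), treats 0/0 as "any address", and the Packet, Rule, Firewall and verdict_for names are assumptions of the example. The rulesets are the ones quoted in the mails plus one constructed ACCEPT for established traffic standing in for "rules that allow necessary traffic".

```python
"""Toy model of iptables chain traversal: the first matching rule decides, otherwise
the chain policy applies.  Constructed for this example; not the netfilter code."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    chain: str            # chain the packet traverses: INPUT (local delivery) or FORWARD (routed)
    proto: str            # "tcp", "udp" or "icmp"
    state: str = "NEW"    # conntrack state as the state match sees it
    syn: bool = False     # True for a TCP SYN without ACK, which is what --syn matches


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None        # None: any protocol
    states: Optional[Set[str]] = None  # None: no state match
    syn: Optional[bool] = None         # None: no --syn match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


def parse_rule(cmdline: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["iptables", "-A"]:
        raise ValueError(f"only 'iptables -A CHAIN ...' is modelled: {cmdline}")
    rule = Rule(chain=argv[2], target="")
    i = 3
    while i < len(argv):
        opt = argv[i]
        if opt == "-p":
            rule.proto, i = argv[i + 1], i + 2
        elif opt == "-m":
            i += 2                                   # match extension name; its options follow
        elif opt == "--state":
            rule.states, i = set(argv[i + 1].split(",")), i + 2
        elif opt == "--syn":
            rule.syn, i = True, i + 1
        elif opt in ("-s", "-d"):
            i += 2                                   # 0/0 matches every address, so ignored here
        elif opt == "-j":
            rule.target, i = argv[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option {opt!r} in: {cmdline}")
    if not rule.target:
        raise ValueError(f"rule has no -j target: {cmdline}")
    return rule


class Firewall:
    def __init__(self, policies: Dict[str, str]):
        self.policies = policies                                  # chain -> default policy
        self.chains: Dict[str, List[Rule]] = {c: [] for c in policies}

    def load(self, script: str) -> None:
        """Append rules in script order, exactly as running the commands would."""
        for line in script.strip().splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                rule = parse_rule(line)
                self.chains[rule.chain].append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.chains[pkt.chain]:      # walk the chain top to bottom
            if rule.matches(pkt):
                return rule.target               # first match decides; later rules are never consulted
        return self.policies[pkt.chain]          # nothing matched: the chain policy applies


def verdict_for(script: str, pkt: Packet, policy: str = "ACCEPT") -> str:
    fw = Firewall({"INPUT": policy, "FORWARD": policy})
    fw.load(script)
    return fw.verdict(pkt)


# Rulesets quoted from the thread; the ESTABLISHED,RELATED ACCEPT is a constructed "allow" rule.
DROP_THEN_ACCEPT = """
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"""
ACCEPT_THEN_DROP = """
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP
"""
ALLOW_THEN_PROTOCOL_DROPS = """
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -p udp -j DROP
"""
ALLOW_THEN_CATCH_ALL = """
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
"""

if __name__ == "__main__":
    syn = Packet("INPUT", "tcp", "NEW", syn=True)
    print("DROP before ACCEPT:", verdict_for(DROP_THEN_ACCEPT, syn))        # DROP
    print("ACCEPT before DROP:", verdict_for(ACCEPT_THEN_DROP, syn))        # ACCEPT
    print("icmp, per-protocol drops:", verdict_for(ALLOW_THEN_PROTOCOL_DROPS, Packet("INPUT", "icmp")))
    print("icmp, catch-all drop:", verdict_for(ALLOW_THEN_CATCH_ALL, Packet("INPUT", "icmp")))
    print("INPUT rules vs FORWARD packet:", verdict_for(ACCEPT_THEN_DROP, Packet("FORWARD", "tcp", "NEW", syn=True), policy="DROP"))
```

Two things the model makes visible beyond the thread's own words: the two per-protocol DROP rules only cover TCP SYNs and UDP, so ICMP and any TCP segment that is not a SYN (conntrack can still label a stray ACK as NEW) fall through to the chain policy, whereas the bare -j DROP catches everything that reached it; and rules appended to INPUT are never consulted for a routed packet, which traverses FORWARD and is judged by that chain's rules and policy alone.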








