2009/4/18 Leonardo Carneiro <lscarneiro@xxxxxxxxxxxxxx>:
> Hi everyone,
>
> I have average-to-good Linux knowledge, but I'm quite a noob when it comes
> to iptables, so I decided to study it.
> I'm reading a lot of articles and blogs, and testing some rules; so far it's
> all going well.
> Right now I'm running a server with tons of rules written by the admin who
> worked here before me, and in the policies section of the script I've found
> these rules:
>
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -X
>
> $IPTABLES -A INPUT -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -d $LO_IP -j ACCEPT
> $IPTABLES -A INPUT -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -d $LAN_IP -j ACCEPT
> $IPTABLES -A INPUT -s $INET_IP_DIN -j ACCEPT
> $IPTABLES -A OUTPUT -d $INET_IP_DIN -j ACCEPT
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP

The main thing I couldn't understand is why add just three ACCEPT rules on a
chain, and afterwards set this chain's default policy to ACCEPT. And also, why
set OUTPUT to ACCEPT twice!! Is iptables deaf??

> Is there any good reason why someone would set an ACCEPT policy for all
> chains first to withdraw some later? What is the benefit of doing this?
>
> Sorry about my poor English.
>
> Thanks in advance
> --
>
> Leonardo de Souza Carneiro
> Veltrac - Tecnologia em Logística.
> lscarneiro@xxxxxxxxxxxxxx <mailto:lscarneiro@xxxxxxxxxxxxxx>
> http://www.veltrac.com.br <http://www.veltrac.com.br/>
> Fone Com.: (43)2105-5600
> Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
> Londrina - PR
> Cep: 86015-010
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Anyway, be careful when trusting the old admin's script; make sure your
firewall is safe by reviewing it.

[]'s
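Neither message in the thread says why the quoted script opens all three policies before flushing, so here is the ordering written out as a reload function, with a dry-run check that the sequence is lockout-safe. The point of "ACCEPT first, flush, re-add rules, DROP last" is the window between `-F` and the first `-A`: if INPUT were already DROP when the chain is emptied, the empty chain would drop every packet, including the SSH session the script is being run from. The repeated `-P OUTPUT ACCEPT` at the end is redundant but harmless. This is an added example, not code from the thread or from the previous admin's script; the address values, the default dry-run via `echo`, and the `dry_run`, `rule_count` and `check_order` helpers are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: the quoted script's ordering as a
# reload function, plus a dry-run check of that ordering. The addresses are
# constructed placeholders; the post never shows the real values.
IPTABLES="${IPTABLES:-echo iptables}"   # default is a dry run: print, don't apply
LO_IP="${LO_IP:-127.0.0.1}"
LAN_IP="${LAN_IP:-192.168.0.0/24}"
INET_IP_DIN="${INET_IP_DIN:-203.0.113.10}"

reload_firewall() {
    # 1. Open the policies first. If INPUT were still DROP when the chain is
    #    flushed below, the empty chain would drop every packet, including the
    #    SSH session that is running this script.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    # 2. Clear old rules in all three tables and delete user-defined chains.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X

    # 3. Re-add the ACCEPT rules while the policy is still open.
    $IPTABLES -A INPUT  -s "$LO_IP"       -j ACCEPT
    $IPTABLES -A OUTPUT -d "$LO_IP"       -j ACCEPT
    $IPTABLES -A INPUT  -s "$LAN_IP"      -j ACCEPT
    $IPTABLES -A OUTPUT -d "$LAN_IP"      -j ACCEPT
    $IPTABLES -A INPUT  -s "$INET_IP_DIN" -j ACCEPT
    $IPTABLES -A OUTPUT -d "$INET_IP_DIN" -j ACCEPT

    # 4. Only now close the defaults. The second "-P OUTPUT ACCEPT" repeats
    #    step 1; it is harmless and just restates the policy.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
}

# Run the function with echo in place of iptables and return the command list.
dry_run() {
    ( IPTABLES="echo iptables"; reload_firewall )
}

# Number of "-A" rules the script installs (six in the quoted script).
rule_count() {
    dry_run | grep -c ' -A '
}

# Exit 0 when the order is lockout-safe: the very first command sets INPUT to
# ACCEPT, the flush comes after it, every -A rule comes after the flush, and
# the final INPUT DROP comes after the last -A rule.
check_order() {
    dry_run | awk '
        /-P INPUT ACCEPT/ && !first_open { first_open = NR }
        / -F$/ && !flush                 { flush = NR }
        / -A / && !first_rule            { first_rule = NR }
        / -A /                           { last_rule = NR }
        /-P INPUT DROP/                  { close_pol = NR }
        END { exit !(first_open == 1 && flush > first_open && first_rule > flush && close_pol > last_rule) }'
}

case "${1:-}" in
    apply) IPTABLES=/sbin/iptables; reload_firewall ;;   # really apply the rules
    check) check_order && echo "order ok" ;;
    *)     dry_run ;;                                     # default: print only
esac
```

Run it with no arguments to see the exact command sequence, `check` to verify the ordering, and `apply` (as root) to load it. Note that the quoted rules accept every packet from or to a whole source address, with no port or connection-state match, which is one of the things worth looking at when reviewing the inherited script as the reply suggests.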