Re: iptables and lokkit

Thanks Michael.  You're right, 4x.
Below is the iptables-save output followed by the -L output.  The -L
output incorrectly puts the source and destination as "anywhere", when
in fact it's just open for lo.  Is this a bug or a "simplification"?

Thanks,

John

> On Fri, 4 Jul 2003 13:01:14 -0400, John Meagher wrote:
>
> > [root@xxxxxxxxx sysconfig]# iptables -L
>
> You'll find that the output of "iptables-save" is much more
> readable and complete. If I had to use "iptables -L", I would
> add option "-v" (--verbose). But iptables-save is great.
>
> > 1) Why does Lokkit put that first rule in there? And since it's there,
> > why doesn't it work?
> > Shouldn't it cause the rest of the rules to be ignored?
>
> "iptables -L" usually does not include enough details.
>
> > 2) Why does a second, identical rule get honored, (i.e. the firewall is
> > opened up)
> > if I add it with "iptables -I RH-Lokkit-0-50-INPUT 1 -j ACCEPT"
>
> This may be a completely different rule.
>
> > 3) Lokkit uses options -p udp -m udp in the rules it puts in
> > /etc/sysconfig/iptables.
> > What's the -m option?  There was a -m for mark in ipchains, but that
> > doesn't seem relevant.
>
> - -m is short for --match, see "man iptables", MATCH EXTENSIONS.



[root@xxxxxxxxx sysconfig]# iptables-save
# Generated by iptables-save v1.2.7a on Fri Jul  4 14:36:46 2003
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2843:194407]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.5 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.7 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jul  4 14:36:46 2003
[root@xxxxxxxxx sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  monroe.patriot.net   anywhere           udp spt:domain
ACCEPT     udp  --  jackson.patriot.net  anywhere           udp spt:domain
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with icmp-port-unreachable
[root@xxxxxxxxx sysconfig]#
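Two things in the dump above are worth checking mechanically, so here is an added example (not code from the thread, Lokkit or Red Hat): the rule `-A RH-Lokkit-0-50-INPUT -j ACCEPT` carries no match criteria at all, so with a terminating target every packet that enters the chain is accepted there and the five rules after it can never be reached; and plain `iptables -L` does not print the in/out interface columns unless you pass `-v`, which is why `-i lo -j ACCEPT` and the bare `-j ACCEPT` both show as `all -- anywhere anywhere`. The script below parses the poster's iptables-save output (reproduced inline as a constant so it runs offline), flags any chain whose unconditional terminating rule shadows what follows, and models which columns `-L` shows with and without `-v`. The option tables are the ones iptables 1.2.x documents; the column model is a simplification of the real listing, as noted in the code.

```python
"""Audit an iptables-save dump for blanket rules that shadow the rest of a
chain, and show which match columns `iptables -L` hides without -v.

Added example; not code from the thread. RULES below is the poster's
iptables-save output reproduced inline so the script runs offline."""
import shlex
from dataclasses import dataclass

RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2843:194407]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.5 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.7 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Targets that end traversal of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Options that narrow what a rule matches (one value each; --tcp-flags is
# handled separately because it takes a mask and a comparison value).
MATCH_OPTS = {"-s", "--source", "-d", "--destination", "-i", "--in-interface",
              "-o", "--out-interface", "-p", "--protocol", "--sport", "--dport",
              "--source-port", "--destination-port", "--state"}
# Options that take a value but do not restrict matching: -m only loads a
# match extension, --reject-with is a target option.
NON_MATCH_OPTS = {"-m", "--match", "--reject-with"}


@dataclass
class Rule:
    chain: str
    target: str
    matches: dict   # option -> value; empty means the rule matches every packet
    text: str


def parse_rules(dump: str) -> dict:
    """Return {chain name: [Rule, ...]} in the order iptables walks them."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                       # chain declaration
            chains.setdefault(line[1:].split()[0], [])
            continue
        if not line.startswith("-A "):                 # *table, COMMIT, comments
            continue
        toks = shlex.split(line)
        chain, target, matches, i = toks[1], None, {}, 2
        while i < len(toks):
            tok = toks[i]
            if tok in ("-j", "--jump"):
                target = toks[i + 1]
                i += 2
            elif tok == "--tcp-flags":
                matches[tok] = (toks[i + 1], toks[i + 2])
                i += 3
            elif tok in MATCH_OPTS:
                matches[tok] = toks[i + 1]
                i += 2
            elif tok in NON_MATCH_OPTS:
                i += 2
            else:                                      # "!" and unknown flags
                i += 1
        chains.setdefault(chain, []).append(Rule(chain, target, matches, line))
    return chains


def shadowed_rules(chains: dict) -> dict:
    """For each chain with an unconditional terminating rule, return
    {chain: (index of that rule, rules after it that can never match)}."""
    found = {}
    for name, rules in chains.items():
        for idx, rule in enumerate(rules):
            if rule.target in TERMINATING and not rule.matches:
                found[name] = (idx, rules[idx + 1:])
                break
    return found


def listing_columns(rule: Rule, verbose: bool) -> tuple:
    """Match columns `iptables -L` prints for a rule. Without -v the in/out
    interface is omitted, so `-i lo -j ACCEPT` and a bare `-j ACCEPT` print the
    same row. (Real -v output also prefixes pkts/bytes and an opt column.)"""
    prot = rule.matches.get("-p", "all")
    src = rule.matches.get("-s", "anywhere")
    dst = rule.matches.get("-d", "anywhere")
    if not verbose:
        return (rule.target, prot, src, dst)
    return (rule.target, prot, rule.matches.get("-i", "any"),
            rule.matches.get("-o", "any"), src, dst)


if __name__ == "__main__":
    chains = parse_rules(RULES)
    for name, (idx, dead) in shadowed_rules(chains).items():
        print(f"{name}: rule {idx + 1} matches everything and terminates;")
        print(f"  {len(dead)} later rule(s) are never reached:")
        for r in dead:
            print("   ", r.text)
    for r in chains["RH-Lokkit-0-50-INPUT"][:2]:
        print("-L   :", listing_columns(r, False))
        print("-L -v:", listing_columns(r, True))
```

Run against the dump above it reports rule 1 of RH-Lokkit-0-50-INPUT as a blanket ACCEPT with five unreachable rules behind it, and prints identical `-L` rows for the first two rules that only differ once the interface column is modelled. On the box itself, `iptables -L -v -n` shows the interface columns and suppresses the reverse-DNS lookups that turned 209.249.176.5 into monroe.patriot.net in the listing, and `iptables -D RH-Lokkit-0-50-INPUT 1` deletes the chain's first rule by position.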