On Wed, 2003-08-27 at 23:13, Jacob Anawalt wrote:

> #192.168.1.1 doesn't get any traffic from us
> iptables -A OUTPUT -d 192.168.1.1 -j DROP
>
> That's the 'plumbing' level access to iptables which works for all Linux kernels
> supporting iptables, regardless of distribution. In other words, your rules
> failing on Debian should fail on RH or Mandrake.

I think I've gotten a lot of the concept now, but this isn't what I meant. Initially I was coming from an understanding of "fstab is a static file of rules the system reads to set up mounts, .gtkrc is a static file of rules the system reads to set up GUI"...

Later, there is the issue of when the system is in a configuration where it needs firewall rules. The Debian manual says runlevels 2-5 are user runlevels - these are enshrined in the update-rc.d defaults. K(ill) links are created by default in runlevels 0, 1, 6. Ok. But my network is up in runlevel 1. (From "telinit 1". I haven't tried it from the boot prompt.) And then there's the question of coordination with who-knows-what other systems that are or aren't starting, stopping, etc.

I meant a picture of where the rules are kept, how they're initialized, and what the implications are. I can find many sites with info about how to write rules that do X. I couldn't find a site that told me what file to put them in. Now I know there isn't one, and some other things about it all...

> A better post might be:
> What am I doing wrong with iptables rules
>
> Here are my rules. They block all access to the internet, but I can't see
> why.
> #iptables -L
> <output from command>
> #iptables -t <other table(s)> -L
> <output from command(s)>

I've appended my current rules. Email fetches from my pop3 account ok, but the browser doesn't connect.

> It's pretty apparent that this text has bothered you. Perhaps you could
> post a bug against /etc/default/ipchains with a patch adding additional
> helpful text, like a pointer to netfilter.org and the
> /usr/share/doc/ipchains/README.Debian.gz file and whatever other
> information you think is helpful for newbies.
>
> The solution isn't broken. 'Works for me' :) It just isn't optimal as
> the other posters have pointed out. The ifup-down method sounds very
> sensible.
> I didn't have an issue with the text, in fact I had a good
> laugh reading it when I set up my system for /etc/init.d/iptables.

I may. For now, I am going to keep studying until I do understand. Then I'll be in a better position to say why I think this isn't good language (if I still think it isn't when I get there).

Cheers,
Bret


eth0: 192.168.2.30 assigned by DHCP from gateway/router on cable modem. This is where I browse from.

vmnet1: 192.168.174.1 virtual network device to communicate with VMware Windows 98 session. Requires no access to the outside. A bridge to eth0 provides Internet access from VMware. (I think.)

iptables -t nat -L:

Chain PREROUTING (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain POSTROUTING (policy DROP)
target     prot opt source               destination
MASQUERADE all  --  192.168.174.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  ganesha              anywhere
ACCEPT     all  --  192.168.2.30         anywhere
ACCEPT     all  --  192.168.174.1        anywhere
DROPl      all  --  anywhere             255.255.255.255
DROPl      all  --  anywhere             192.168.174.255
DROPl      all  --  anywhere             !192.168.2.30
DROPl      all  --  !192.168.174.0/24    anywhere
DROPl      tcp  --  anywhere             anywhere             tcp dpts:0:tcpmux
DROPl      tcp  --  anywhere             anywhere             tcp dpt:daytime
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROPl      tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn
DROPl      tcp  --  anywhere             anywhere             tcp dpts:161:162
DROPl      tcp  --  anywhere             anywhere             tcp dpt:445
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1214
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1999
DROPl      tcp  --  anywhere             anywhere             tcp dpt:2049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:4329
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6346
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3128
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8000
DROPl      tcp  --  anywhere             anywhere             tcp dpt:www
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8
DROPl      tcp  --  anywhere             anywhere             tcp dpt:webcache
DROPl      tcp  --  anywhere             anywhere             tcp dpt:12345
DROPl      tcp  --  anywhere             anywhere             tcp dpt:65535
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpts:exec:printer
DROPl      tcp  --  anywhere             anywhere             tcp dpt:socks
DROPl      tcp  --  anywhere             anywhere             tcp dpts:x11:6009
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6112
DROPl      udp  --  anywhere             anywhere             udp dpts:0:1
DROPl      udp  --  anywhere             anywhere             udp dpt:daytime
DROPl      udp  --  anywhere             anywhere             udp dpt:98
DROPl      udp  --  anywhere             anywhere             udp dpt:sunrpc
DROPl      udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:445
DROPl      udp  --  anywhere             anywhere             udp dpt:1214
DROPl      udp  --  anywhere             anywhere             udp dpt:1999
DROPl      udp  --  anywhere             anywhere             udp dpt:2049
DROPl      udp  --  anywhere             anywhere             udp dpt:3049
DROPl      udp  --  anywhere             anywhere             udp dpt:4329
DROPl      udp  --  anywhere             anywhere             udp dpt:6346
DROPl      udp  --  anywhere             anywhere             udp dpt:3128
DROPl      udp  --  anywhere             anywhere             udp dpt:8000
DROPl      udp  --  anywhere             anywhere             udp dpt:www
DROPl      udp  --  anywhere             anywhere             udp dpt:8
DROPl      udp  --  anywhere             anywhere             udp dpt:webcache
DROPl      udp  --  anywhere             anywhere             udp dpt:12345
DROPl      udp  --  anywhere             anywhere             udp dpt:65535
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:route
DROPl      udp  --  anywhere             anywhere             udp dpt:ntp
DROPl      udp  --  anywhere             anywhere             udp dpts:talk:ntalk
DROPl      udp  --  anywhere             anywhere             udp dpt:1427
DROPl      udp  --  anywhere             anywhere             udp dpt:9000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:auth flags:SYN,RST,ACK/SYN state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROPl      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROPl      all  --  anywhere             255.255.255.255
DROPl      all  --  anywhere             192.168.174.255
DROPl      all  --  !192.168.174.0/24    anywhere
DROPl      icmp --  anywhere             anywhere             icmp !echo-request
DROPl      tcp  --  anywhere             anywhere             tcp dpts:0:tcpmux
DROPl      tcp  --  anywhere             anywhere             tcp dpt:daytime
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROPl      tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn
DROPl      tcp  --  anywhere             anywhere             tcp dpts:161:162
DROPl      tcp  --  anywhere             anywhere             tcp dpt:445
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1214
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1999
DROPl      tcp  --  anywhere             anywhere             tcp dpt:2049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:4329
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6346
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3128
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8000
DROPl      tcp  --  anywhere             anywhere             tcp dpt:www
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8
DROPl      tcp  --  anywhere             anywhere             tcp dpt:webcache
DROPl      tcp  --  anywhere             anywhere             tcp dpt:12345
DROPl      tcp  --  anywhere             anywhere             tcp dpt:65535
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpts:exec:printer
DROPl      tcp  --  anywhere             anywhere             tcp dpt:socks
DROPl      tcp  --  anywhere             anywhere             tcp dpts:x11:6009
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6112
DROPl      udp  --  anywhere             anywhere             udp dpts:0:1
DROPl      udp  --  anywhere             anywhere             udp dpt:daytime
DROPl      udp  --  anywhere             anywhere             udp dpt:98
DROPl      udp  --  anywhere             anywhere             udp dpt:sunrpc
DROPl      udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:445
DROPl      udp  --  anywhere             anywhere             udp dpt:1214
DROPl      udp  --  anywhere             anywhere             udp dpt:1999
DROPl      udp  --  anywhere             anywhere             udp dpt:2049
DROPl      udp  --  anywhere             anywhere             udp dpt:3049
DROPl      udp  --  anywhere             anywhere             udp dpt:4329
DROPl      udp  --  anywhere             anywhere             udp dpt:6346
DROPl      udp  --  anywhere             anywhere             udp dpt:3128
DROPl      udp  --  anywhere             anywhere             udp dpt:8000
DROPl      udp  --  anywhere             anywhere             udp dpt:www
DROPl      udp  --  anywhere             anywhere             udp dpt:8
DROPl      udp  --  anywhere             anywhere             udp dpt:webcache
DROPl      udp  --  anywhere             anywhere             udp dpt:12345
DROPl      udp  --  anywhere             anywhere             udp dpt:65535
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:route
DROPl      udp  --  anywhere             anywhere             udp dpt:ntp
DROPl      udp  --  anywhere             anywhere             udp dpts:talk:ntalk
DROPl      udp  --  anywhere             anywhere             udp dpt:1427
DROPl      udp  --  anywhere             anywhere             udp dpt:9000
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.174.0/24     anywhere             tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT     udp  --  192.168.174.0/24     anywhere             udp dpt:domain state NEW
ACCEPT     udp  --  192.168.174.0/24     anywhere             udp dpt:time state NEW
ACCEPT     icmp --  192.168.174.0/24     anywhere             icmp echo-request state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROPl      all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROPl      all  --  anywhere             255.255.255.255
DROPl      all  --  anywhere             192.168.174.255
DROPl      all  --  anywhere             !192.168.174.0/24
DROPl      all  --  !192.168.2.0/24      anywhere
DROPl      icmp --  anywhere             anywhere             icmp !echo-request
DROPl      tcp  --  anywhere             anywhere             tcp dpts:0:tcpmux
DROPl      tcp  --  anywhere             anywhere             tcp dpt:daytime
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROPl      tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn
DROPl      tcp  --  anywhere             anywhere             tcp dpts:161:162
DROPl      tcp  --  anywhere             anywhere             tcp dpt:445
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1214
DROPl      tcp  --  anywhere             anywhere             tcp dpt:1999
DROPl      tcp  --  anywhere             anywhere             tcp dpt:2049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3049
DROPl      tcp  --  anywhere             anywhere             tcp dpt:4329
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6346
DROPl      tcp  --  anywhere             anywhere             tcp dpt:3128
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8000
DROPl      tcp  --  anywhere             anywhere             tcp dpt:www
DROPl      tcp  --  anywhere             anywhere             tcp dpt:8
DROPl      tcp  --  anywhere             anywhere             tcp dpt:webcache
DROPl      tcp  --  anywhere             anywhere             tcp dpt:12345
DROPl      tcp  --  anywhere             anywhere             tcp dpt:65535
DROPl      tcp  --  anywhere             anywhere             tcp dpt:linuxconf
DROPl      tcp  --  anywhere             anywhere             tcp dpts:exec:printer
DROPl      tcp  --  anywhere             anywhere             tcp dpt:socks
DROPl      tcp  --  anywhere             anywhere             tcp dpts:x11:6009
DROPl      tcp  --  anywhere             anywhere             tcp dpt:6112
DROPl      udp  --  anywhere             anywhere             udp dpts:0:1
DROPl      udp  --  anywhere             anywhere             udp dpt:daytime
DROPl      udp  --  anywhere             anywhere             udp dpt:98
DROPl      udp  --  anywhere             anywhere             udp dpt:sunrpc
DROPl      udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:445
DROPl      udp  --  anywhere             anywhere             udp dpt:1214
DROPl      udp  --  anywhere             anywhere             udp dpt:1999
DROPl      udp  --  anywhere             anywhere             udp dpt:2049
DROPl      udp  --  anywhere             anywhere             udp dpt:3049
DROPl      udp  --  anywhere             anywhere             udp dpt:4329
DROPl      udp  --  anywhere             anywhere             udp dpt:6346
DROPl      udp  --  anywhere             anywhere             udp dpt:3128
DROPl      udp  --  anywhere             anywhere             udp dpt:8000
DROPl      udp  --  anywhere             anywhere             udp dpt:www
DROPl      udp  --  anywhere             anywhere             udp dpt:8
DROPl      udp  --  anywhere             anywhere             udp dpt:webcache
DROPl      udp  --  anywhere             anywhere             udp dpt:12345
DROPl      udp  --  anywhere             anywhere             udp dpt:65535
DROPl      udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap
DROPl      udp  --  anywhere             anywhere             udp dpt:route
DROPl      udp  --  anywhere             anywhere             udp dpt:ntp
DROPl      udp  --  anywhere             anywhere             udp dpts:talk:ntalk
DROPl      udp  --  anywhere             anywhere             udp dpt:1427
DROPl      udp  --  anywhere             anywhere             udp dpt:9000
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  192.168.2.30         anywhere             tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT     udp  --  192.168.2.30         anywhere             udp dpt:domain state NEW
ACCEPT     udp  --  192.168.2.30         anywhere             udp dpt:time state NEW
ACCEPT     icmp --  192.168.2.30         anywhere             icmp echo-request state NEW
ACCEPT     icmp --  192.168.174.0/24     anywhere             icmp echo-request state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECTl    all  --  anywhere             anywhere

Chain DROPl (168 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix `DROPl:'
DROP       all  --  anywhere             anywhere

Chain REJECTl (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix `REJECTl:'
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
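Editor's added example (not from the thread): netfilter walks a chain top to bottom and the first matching rule decides, so the order of the DROPl port blocks relative to the later ACCEPT rules is what matters. This small Python walk replays that over a hand-copied excerpt of the posted OUTPUT chain; it assumes the port-based DROPl rules carry no interface match (plain `iptables -L` hides -o matches, which `iptables -L -v -n` would show), an /etc/services mapping for the named ports, and a constructed destination 203.0.113.10.

```python
"""First-match walk of an iptables chain: which rule decides a packet?
OUTPUT_EXCERPT is a hand-copied excerpt of the posted OUTPUT chain (constructed
test data).  `iptables -L` without -v hides interface (-o) matches, so this
walk assumes the port rules carry none; `iptables -L -v -n` would show them.
"""
from ipaddress import ip_address, ip_network

# Service names as printed in the listing (assumed /etc/services mapping).
SERVICES = {"www": 80, "webcache": 8080, "pop3": 110, "https": 443}

# (target, proto, src, dst, dports) in listing order.  "any" matches all;
# dports is an inclusive (lo, hi) pair of numbers or service names, or None.
OUTPUT_EXCERPT = [
    ("DROPl", "all", "any", "255.255.255.255/32", None),
    ("DROPl", "tcp", "any", "any", (3128, 3128)),
    ("DROPl", "tcp", "any", "any", (8000, 8000)),
    ("DROPl", "tcp", "any", "any", ("www", "www")),
    ("DROPl", "tcp", "any", "any", ("webcache", "webcache")),
    ("ACCEPT", "tcp", "192.168.2.30/32", "any", ("www", "www")),
    ("ACCEPT", "tcp", "192.168.2.30/32", "any", ("https", "https")),
    ("ACCEPT", "tcp", "192.168.2.30/32", "any", ("pop3", "pop3")),
    ("REJECTl", "all", "any", "any", None),
]
# User chains from the listing: DROPl logs then drops, REJECTl logs then rejects.
USER_CHAINS = {"DROPl": "DROP", "REJECTl": "REJECT"}


def _port(p):
    return SERVICES[p] if isinstance(p, str) else p


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def first_match(chain, proto, src, dst, dport, policy="DROP"):
    """Return (rule_index, verdict) for the first matching rule, or
    (None, policy) when the packet falls through to the chain policy."""
    for i, (target, rproto, rsrc, rdst, dports) in enumerate(chain):
        if rproto != "all" and rproto != proto:
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if dports is not None:
            lo, hi = _port(dports[0]), _port(dports[1])
            if not lo <= dport <= hi:
                continue
        return i, USER_CHAINS.get(target, target)
    return None, policy
```

With this excerpt, `first_match(OUTPUT_EXCERPT, "tcp", "192.168.2.30", "203.0.113.10", 80)` returns `(3, "DROP")` because the DROPl www rule sits above the ACCEPT for dpt:www, while port 110 returns `(7, "ACCEPT")`, which is consistent with pop3 working and the browser not. Each DROPl hit is also logged with the `DROPl:` prefix, so the kernel log is the place to confirm which rule fired on the real box.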