/dev/rob0 on 17/05/08 20:28, wrote:
On Sat May 17 2008 11:18:38 Adam Hardy wrote:
Assuming that the --log-prefix is correct and that your iptables
machine's IP address is, do tell, WHY are you blocking
OUTPUT? What is your threat model?
Basically I have 3 housemates who I allow on the wireless LAN with
their laptops, and of course they all run windows, so I just want to
make sure. I'd rather not run the risk of someone leaving their PC on
with a spam cannon trojan running. I've forbidden Outlook and MSIE,
so perhaps I'm being too keen, but I figured I'd log what OUTPUT
drops and figure out where it's coming from and whether it's kosher
or not, and adapt when necessary.

In that case, as best as I can tell, you are not understanding what OUTPUT is. Built-in chains in the filter table:
        INPUT  :        Packets destined to the iptables machine
        OUTPUT :        Packets originated from the iptables machine
        FORWARD:        All other (neither source nor dest. is local)
Any given packet hits exactly one chain, with the exception of the loopback interface, which first hits OUTPUT and then INPUT. Note also that the PREROUTING and OUTPUT chains in the nat table can change the filter chain any given packet would hit.

Your housemates would be sending FORWARD traffic, coming in the LAN interface, going out the Internet/external one.

Here's a good netfilter help site:
Unfortunately it seems to be down now, but it's in the Google cache. (Dynamic IP, I think it will be back later.)
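
To make the chain split above concrete for the setup in this thread (a Linux gateway with housemates' laptops behind it), here is an added example ruleset; it is not from either poster and was not on the original page. It assumes the Internet side is eth0, the wireless LAN is wlan0 and the LAN is 192.168.1.0/24 (all three are assumptions, passed in as arguments). The housemates' traffic is matched in FORWARD, where outbound SMTP from the LAN is logged and dropped, which is the "spam cannon" case; OUTPUT is left open because only the gateway's own packets ever reach it. The script only prints the rules in iptables-restore syntax so you can read them before loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Prints a filter + nat ruleset for a
# home NAT gateway in iptables-restore format. Assumed names: eth0 = Internet,
# wlan0 = housemates' WLAN, 192.168.1.0/24 = LAN. Load with:
#   sh rules.sh eth0 wlan0 192.168.1.0/24 | iptables-restore
gen_rules() {
    wan_if="${1:-eth0}"
    lan_if="${2:-wlan0}"
    lan_net="${3:-192.168.1.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: only packets addressed to the gateway itself land here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
# FORWARD: housemates' laptops -> Internet. This is where their packets show up,
# so a trojan sending spam from a laptop is caught here, not in OUTPUT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "FWD-SMTP: "
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 25 -j DROP
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
# OUTPUT: packets the gateway originates itself. Nothing from the LAN hits it,
# so logging OUTPUT drops tells you about the gateway, not the housemates.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# nat/POSTROUTING rewrites the LAN source address on the way out; the packet
# was already classified as FORWARD in the filter table before this happens.
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Count FORWARD rules in the generated ruleset (handy sanity check).
count_forward_rules() {
    gen_rules "$@" | grep -c '^-A FORWARD '
}

# Print the ruleset when run directly.
[ "${0##*/}" = "rules.sh" ] && gen_rules "$@"
```

The LOG rule is placed immediately before its matching DROP and rate-limited with `-m limit`, so a chatty infected laptop cannot flood the log; the `--log-prefix` strings are what you later grep for in the kernel log to see which chain a dropped packet came from.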

Ah, sorry. I'm being stupid. I claim sleep deprivation as an excuse.

That site is back up now. I shall check it out.

I'm logging both the OUTPUT and the FORWARD dropped packets. Maybe I am being unnecessarily restrictive re the OUTPUT. But even then I'd feel safer. When I logged the dropped packets arriving on the gateway's INPUT from the internet, it's phenomenal the amount of stuff coming in.
