At 17:31 11/11/2002, you wrote:
I'm having a hard time deciphering iptables rules. Would any of these rules cause a "sendto: operation not permitted" error?
Short answer: Probably not.

Long answer: Yes, but only if your IP is in the range 10.0.0.0/24, and if it was, well, you wouldn't be able to send any traffic at all.

Also, your IPTables config is kinda weird. There are several redundant rules in there, notably the DROP rule at the end of each chain (since your policy on each chain is DROP, IPTables will automatically drop any packets not captured by a rule at the end of a chain), and the ACCEPT and DROP rules relating to 10.0.0.0/24 in the OUTPUT chain (IPTables runs through a chain in a top to bottom linear fashion. Thus, allowing packets going to a destination and then later dropping them is kinda silly).

The IPTables documentation on the netfilter (aka iptables) site is very good. I'd suggest you read some of it. http://www.netfilter.org

HTH,

Matt

bunbun:~# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ipac_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- 10.0.0.0/24 anywhere
LOG !tcp -- anywhere 224.0.0.0/4 LOG level warning
DROP !tcp -- anywhere 224.0.0.0/4
LOG all -- 10.0.0.0/24 anywhere LOG level warning
DROP all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ipac_in all -- anywhere anywhere
ipac_out all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/24 anywhere
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ipac_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 10.0.0.0/24
ACCEPT !tcp -- anywhere 224.0.0.0/4
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
ACCEPT all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

The ipac_in and ipac_out rules consist only of LOG targets, so I haven't included them.

cheers,
rob


--
Decisions terminate panic.

This is random quote 417 of a collection of 1255

Distance from the centre of the brewing universe:
[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian

Public Key fingerprint = 6219 33BD A37B 368D 29F5 19FB 945D C4D7 1F66 D9C5

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
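The two points Matt makes (a chain is walked top to bottom, so a terminating catch-all makes every later rule dead; a trailing catch-all with the same target as the chain policy is redundant) can be checked mechanically. The script below is an added example, not code from either poster or from the netfilter project: it parses the classic `iptables --list` column layout and runs those checks, plus exact-duplicate detection, over a copy of Rob's listing embedded as sample input. It assumes only ACCEPT/DROP/REJECT terminate a chain (LOG and user chains such as ipac_in fall through, as Rob says his do) and does not interpret `-m` match extensions.

```python
"""Lint an `iptables --list` dump for unreachable and redundant rules (added example)."""
import re

# Only these targets end traversal of a chain; LOG and user-defined chains
# such as ipac_in/ipac_out fall through to the next rule (assumption, per the
# poster's note that those chains contain only LOG targets).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
CATCH_ALL = ("all", "--", "anywhere", "anywhere", ())

# Sample input: a constructed copy of the listing posted in the thread.
LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ipac_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- 10.0.0.0/24 anywhere
LOG !tcp -- anywhere 224.0.0.0/4 LOG level warning
DROP !tcp -- anywhere 224.0.0.0/4
LOG all -- 10.0.0.0/24 anywhere LOG level warning
DROP all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ipac_in all -- anywhere anywhere
ipac_out all -- anywhere anywhere
ACCEPT all -- 10.0.0.0/24 anywhere
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ipac_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 10.0.0.0/24
ACCEPT !tcp -- anywhere 224.0.0.0/4
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
ACCEPT all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
"""

def match_key(rule):
    """Match fields of a rule. A LOG rule's trailing 'LOG level ...' words are
    target options, not match criteria, so they are left out of the key."""
    target, prot, opt, src, dst, extra = rule
    return (prot, opt, src, dst, () if target == "LOG" else extra)

def parse_listing(text):
    """Return {chain: (policy_or_None, [rule, ...])} from `iptables --list` output.
    Each rule is (target, prot, opt, source, destination, extra_words)."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif f and f[0] != "target" and current is not None:
            chains[current][1].append((f[0], f[1], f[2], f[3], f[4], tuple(f[5:])))
    return chains

def lint(chains):
    """Return (chain, rule_index, message) for every rule that can never fire,
    repeats an earlier rule, or merely restates the chain policy."""
    findings = []
    for name, (policy, rules) in chains.items():
        first_match = {}   # match key -> index of first terminating rule using it
        blocker = None     # index of the first terminating catch-all, if any
        for i, rule in enumerate(rules):
            key, target = match_key(rule), rule[0]
            if blocker is not None:
                findings.append((name, i, f"unreachable: rule {blocker} "
                                 f"({' '.join(rules[blocker][:5])}) already matches everything"))
            elif key in first_match:
                j = first_match[key]
                kind = "duplicate" if rules[j][0] == target else "unreachable"
                findings.append((name, i, f"{kind}: same match as rule {j} "
                                 f"({' '.join(rules[j][:5])})"))
            if target in TERMINATING:
                first_match.setdefault(key, i)
                if blocker is None and key == CATCH_ALL:
                    blocker = i
        if policy and rules and rules[-1][0] == policy and match_key(rules[-1]) == CATCH_ALL:
            findings.append((name, len(rules) - 1,
                             f"redundant: chain policy is already {policy}"))
    return findings

if __name__ == "__main__":
    for chain, idx, msg in lint(parse_listing(LISTING)):
        print(f"{chain} rule {idx}: {msg}")
```

Run against the posted listing it reports the trailing DROP in every chain as redundant, and flags every rule after the `ACCEPT all -- anywhere anywhere` in INPUT and OUTPUT as unreachable, which is also why the ACCEPT-then-DROP pair for 10.0.0.0/24 in OUTPUT can never drop anything. To lint a live box, pipe `iptables --list` (with `-n` off, so the `anywhere` spelling matches) into `parse_listing`.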
