LinuxQuestions.org
Linux - Newbie
Old 04-20-2010, 08:38 PM   #1
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Rep: Reputation: 51
iptables: drop rule


Hi,

Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with:
Code:
$IPT -t fwalert -P DROP
Thanks
 
Old 04-20-2010, 10:52 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by mrmnemo
Hi,

Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with:
Code:
$IPT -t fwalert -P DROP
Thanks
I think something is terribly wrong here. In the first command, you're appending a rule to the fwalert chain (which is user-built, and can therefore not have a policy set on it). In the second command, you're trying to set a policy on a table called fwalert, without specifying to which chain in the table you wish the policy to apply. Needless to say, you can't set a policy for a table either (plus there's no table called fwalert), so I'm not even sure what you're trying to accomplish here. If you can shed light on what your intentions are, surely someone here will be able to help you out, though.

Last edited by win32sux; 04-20-2010 at 11:03 PM.
 
Old 04-21-2010, 12:00 AM   #3
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
Thanks for the quick response

Thanks bud.
I have corrected the issue with trying to apply a default POLICY to user-defined tables. Thanks for that!

So I guess my question is this: once a packet gets sent to a table (fwalert in my case), I can have a rule to drop ALL in the table, right?

Code:
$IPT -A fwalert -j DROP
This is after I run some logging and whatnot. In my case I am trying to set sections up in a script to make things easy to track, so fwalert, sshdrop, etc. (all of which I am defining) will have a default drop if I forget to match something. Anyway, would that be correct for my drop?
 
Old 04-21-2010, 12:14 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by mrmnemo
Thanks bud.
I have corrected the issue with trying to apply a default POLICY to user-defined tables. Thanks for that!

So I guess my question is this: once a packet gets sent to a table (fwalert in my case), I can have a rule to drop ALL in the table, right?
That's not a table, it's a chain.

Quote:
Code:
$IPT -A fwalert -j DROP
This is after I run some logging and whatnot. In my case I am trying to set sections up in a script to make things easy to track, so fwalert, sshdrop, etc. (all of which I am defining) will have a default drop if I forget to match something. Anyway, would that be correct for my drop?
Yes, if you set a rule like that as the last one in a chain, it will be matched by all packets (since it doesn't have any matches specified). In other words, you can certainly achieve the same results you were seeking originally when you wanted to set a policy for user-built chains. Example:
Code:
$IPT -A fwalert -s 192.168.12.156 -j ACCEPT
$IPT -A fwalert -j DROP
Here, any packet traversing the fwalert chain with a source IP other than 192.168.12.156 will get sent to DROP.

Last edited by win32sux; 04-21-2010 at 12:17 AM.
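As an added example (not code from the thread or from any of the posters), this is one way to lay out the kind of script the original poster describes: each user-built chain ends in its own catch-all DROP rule, while a real policy (-P) is only set on the built-in INPUT chain. The chain name, the accepted source IP, the log prefix and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: a user-built chain that logs, accepts one host, then
# drops everything else. Setting IPT="echo iptables" dry-runs the
# commands instead of changing the firewall (assumed helper variable).
IPT="${IPT:-iptables}"

# Build the fwalert chain. User-built chains cannot take a policy, so the
# catch-all is an ordinary rule appended last with no match criteria.
build_fwalert() {
    # $1: source IP to accept, $2: log prefix (both constructed for the demo)
    $IPT -N fwalert 2>/dev/null || $IPT -F fwalert   # create the chain, or empty it
    $IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-level 4 --log-prefix "$2"
    $IPT -A fwalert -s "$1" -j ACCEPT
    $IPT -A fwalert -j DROP       # reached by every packet not accepted above
}

# The real default policy belongs on a built-in chain; user-built chains
# are only ever reached by a jump (-j) from one.
install_policy() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j fwalert
}

# Nothing runs until the functions are called, e.g.:
#   IPT="echo iptables" sh -c '. ./fw.sh; build_fwalert 192.168.12.156 "fwalert: "; install_policy'
```

With IPT left unset the same calls apply the rules for real (as root); with the dry-run value they only print the iptables commands so the rule order can be checked first.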