LinuxQuestions.org
Old 01-07-2005, 08:16 AM   #1
eranb2
Member
 
Registered: Dec 2004
Location: israel
Distribution: centos
Posts: 41

Rep: Reputation: 15
iptables tracking machine


Hi
I'm trying to understand how it works.
1. dropped all in/out packets
2. accepted related and established connections.
Can't connect to my DSL provider because the name server isn't found.
This is what I gave it:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -L gives:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

Thanks
Eran
 
Old 01-07-2005, 09:49 AM   #2
twsnnva
Member
 
Registered: Oct 2003
Location: Newport News, Va
Distribution: Debian
Posts: 246

Rep: Reputation: 30
You probably have the "DROP ALL" rules before the ALLOW rules, which would cause your problem. Instead of using rules to drop everything, you could use a policy. Try using a script like this.
Code:
#!/bin/sh

#This flushes all rules
iptables -F

#This flushes all nat rules
iptables -F -t nat

#This deletes any user defined chains
iptables -X

#This sets the INPUT chain's policy to drop by default
iptables -P INPUT DROP

#This sets the OUTPUT chain's policy to drop by default
iptables -P OUTPUT DROP

#This sets the FORWARD chain's policy to drop by default
iptables -P FORWARD DROP

#This allows any related traffic back to the system to be accepted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#This allows all traffic out of the system
iptables -A OUTPUT -j ACCEPT
Thomas
 
Old 01-07-2005, 10:46 AM   #3
eranb2
Member
 
Registered: Dec 2004
Location: israel
Distribution: centos
Posts: 41

Original Poster
Rep: Reputation: 15
Don't understand

Hi
Thanks for replying.

Do you mean I need to put all the allow rules before the drop rules?
Anyway, I did what you said and still can't connect.
This is what I get:

out;: Host name lookup failure
fatal[get_ip_addressptp.c:236]: gethostbyname: name server error
SIOCADDRT: File exists

I did what this link says and it's the same as your idea, but it's not working.

Eran
 
Old 01-07-2005, 10:50 AM   #4
eranb2
Member
 
Registered: Dec 2004
Location: israel
Distribution: centos
Posts: 41

Original Poster
Rep: Reputation: 15
I forgot

What's the difference between policy drop and
iptables -I INPUT -j DROP ?

Eran
 
Old 01-07-2005, 11:12 AM   #5
eranb2
Member
 
Registered: Dec 2004
Location: israel
Distribution: centos
Posts: 41

Original Poster
Rep: Reputation: 15
OK, I think I understand now.
I added
iptables -A INPUT -p udp --sport 53 -j ACCEPT
and it's working.
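A toy model of the INPUT chains discussed in this thread, added here as an example and not code from any of the posters: it replays iptables first-match evaluation to show why the chain in post #1 drops a DNS reply, why "-I INPUT -j DROP" from post #4 behaves differently from a DROP policy, and that the "--sport 53" rule from post #5 also accepts unsolicited UDP packets that merely come from source port 53, which the ESTABLISHED,RELATED rule alone would not. The packets and function names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

@dataclass
class Rule:
    target: str                        # "ACCEPT" or "DROP"
    proto: Optional[str] = None        # None matches any protocol ("all")
    sport: Optional[int] = None        # None matches any source port
    states: Optional[Set[str]] = None  # None means no "-m state" match
    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.states is None or pkt.state in self.states))

@dataclass
class Chain:
    policy: str = "ACCEPT"                     # -P: used only when no rule matched
    rules: List[Rule] = field(default_factory=list)  # in -A (append) order
    def insert(self, rule: Rule) -> None:      # -I: rule goes to the top
        self.rules.insert(0, rule)
    def verdict(self, pkt: Packet) -> str:     # first matching rule wins
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

STATEFUL_ACCEPT = Rule("ACCEPT", states={"ESTABLISHED", "RELATED"})

def op_posted_input() -> Chain:
    # INPUT as listed in post #1: "DROP all" sits before the state rule.
    return Chain("ACCEPT", [Rule("DROP"), STATEFUL_ACCEPT])

def policy_drop_input() -> Chain:
    # The shape from post #2: default policy DROP plus one stateful ACCEPT.
    return Chain("DROP", [STATEFUL_ACCEPT])

def insert_drop_input() -> Chain:
    # Post #4's "-I INPUT -j DROP": inserted at the top, it shadows every rule below.
    chain = policy_drop_input()
    chain.insert(Rule("DROP"))
    return chain

def sport53_input() -> Chain:
    # Post #5's rule: any UDP packet from source port 53 is accepted, NEW or not.
    return Chain("DROP", [STATEFUL_ACCEPT, Rule("ACCEPT", proto="udp", sport=53)])
```

Constructed packets such as Packet("udp", 53, "ESTABLISHED") (a reply to our own query) and Packet("udp", 53, "NEW") (unsolicited) can be fed to each chain's verdict() to compare the four layouts.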