LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-06-2005, 05:17 AM   #1
sti2envy
Member
Registered: Sep 2004
Posts: 43

Rep: Reputation: 15
numbers in /etc/sysconfig/iptables


Some output from my /etc/sysconfig/iptables file... just wondering if anyone knows what the numbers in the square brackets mean and what they are for?

*nat
:OUTPUT ACCEPT [6656:522729] <----these numbers
:POSTROUTING ACCEPT [6656:522729]
:PREROUTING ACCEPT [8865:861931]
COMMIT

*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [115304:75337209]
:OUTPUT ACCEPT [100633:8106296]
:POSTROUTING ACCEPT [100928:8144750]
:PREROUTING ACCEPT [115311:75337613]

There are also numbers in ip rule?
# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Also, I was wondering why someone would want to create their own chain instead of using iptables' default OUTPUT, INPUT, etc.? How would iptables know when to process a customised chain if I were to create one called prerouting_temp? Will it know to read it during the PREROUTING process? Thanks

Last edited by sti2envy; 10-06-2005 at 05:21 AM.
Old 10-06-2005, 08:24 AM   #2
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Those numbers are the packet and byte counters for each chain. The first number indicates the number of packets that have been processed by that chain. The second lists the total number of bytes in those packets.

The numbers in ip route show are entirely different and are the routing table priority indicators. There is some info describing what each priority does in the ip man page.

Quote:
why would someone want to create their own chain instead of using iptables' default OUTPUT, INPUT, etc.?
When creating your own firewall rules, user-defined chains are handy for splitting traffic off into different "branches" so that every single packet doesn't have to flow through all of the firewall rules in a linear manner. This can make the firewall faster and more efficient. A good example of this would be rules to check for invalid packet flag combinations (like SYN FIN, or Xmas scan). It doesn't make sense to have UDP or ICMP traffic checked against those rules, since only TCP uses them. So often you'll see a "Bad Flags" chain that has only TCP traffic passed to it and filters those illegal packets.

Quote:
how would iptables know when to process a customised chain if I were to create one called prerouting_temp?
First you need to define the chain using the -N switch, then you need to actually pass traffic to the user-defined chain, like this for example:
Code:
# create the user-defined chain
iptables -N MY_CHAIN
# hand all TCP traffic arriving on INPUT over to it
iptables -A INPUT -p tcp -j MY_CHAIN
# inside the chain, drop packets with both SYN and FIN set (SYN-FIN scans)
iptables -A MY_CHAIN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Quote:
will it know to read it during the prerouting process?
If you put it in the nat table and hand the packets from the PREROUTING chain over to the user-defined chain, then yes it would.
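The answer above covers both the [packets:bytes] counters and the fact that a user-defined chain only runs when some rule jumps to it. As an added example (not code from the thread), this Python script parses iptables-save style output, reads the per-chain counters, and lists user-defined chains that no -j/-g rule references, i.e. chains whose rules never execute. The input is constructed: the nat chains from the question plus a made-up filter table.

```python
import re
from collections import defaultdict

# Constructed iptables-save style input (not from the thread): the nat chains
# from the question plus a filter table with one used and one orphaned chain.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [8865:861931]
:OUTPUT ACCEPT [6656:522729]
COMMIT
*filter
:INPUT DROP [12:960]
:OUTPUT ACCEPT [500:41000]
:BAD_FLAGS - [0:0]
:UNUSED - [0:0]
-A INPUT -p tcp -j BAD_FLAGS
-A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
COMMIT
"""

# ":NAME POLICY [packets:bytes]"; user-defined chains show "-" as the policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
JUMP_RE = re.compile(r"\s-(?:j|g) (\S+)")  # -j / -g target of a rule


def parse_save(text):
    """Return {table: {chain: {policy, packets, bytes, referenced}}}."""
    tables = defaultdict(dict)
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header
            table = line[1:]
        elif line.startswith(":"):               # chain header with counters
            name, policy, pkts, byts = CHAIN_RE.match(line).groups()
            tables[table][name] = {"policy": None if policy == "-" else policy,
                                   "packets": int(pkts), "bytes": int(byts),
                                   "referenced": False}
        elif line.startswith(("-A", "-I")):      # rule: record jump targets
            m = JUMP_RE.search(line)
            if m and m.group(1) in tables[table]:
                tables[table][m.group(1)]["referenced"] = True
    return dict(tables)


def unreferenced_chains(tables):
    """User-defined chains no rule jumps to: their rules never run."""
    return sorted(f"{t}:{c}" for t, chains in tables.items()
                  for c, info in chains.items()
                  if info["policy"] is None and not info["referenced"])
```

Run it against `iptables-save -c` output to spot chains that were created with -N but never wired into a built-in chain.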