Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
Old 06-13-2008, 05:06 PM   #16
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47

Thanks acid kewpie

I read a lot of online stuff and bought a book called Linux iptables.
ISBN-10: 0-596-00569-5

Those online materials tell how to block or allow websites.
So I know how to block a specific website using IPtables.
Still it is not clear for me the purpose of using IPtables.
I hope blocking and allowing certain websites is called filtering. Please correct me.

I think it is fine to call those Ethernet sockets holes.
 
Old 06-13-2008, 09:11 PM   #17
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Are you sure you have a CISCO certification?
 
Old 06-14-2008, 01:59 PM   #18
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47
Tinkster touched on the subject of Cisco certification.
No I have not tried those tests as yet.

I have some knowledge of Cisco as I studied them nearly 3 years ago. At home I have a Cisco router simulator too. So I practice Cisco commands when I find time.

In Cisco, you could block certain websites and I know how to do it. Those are called ACL.
ACL stands for Access Control Lists.

I hope somebody will answer my post 16.
 
Old 06-14-2008, 06:52 PM   #19
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
iptables is a net-filter; you can apply varied rule-sets. If you
have even a basic understanding of ACLs you should know what iptables
is about.

From the man-pages you love so much:
Code:
DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IP packet
       filter rules in the  Linux  kernel.   Several  different  tables  may  be
       defined.   Each  table  contains a number of built-in chains and may also
       contain user-defined chains.

       Each chain is a list of rules which can match a  set  of  packets.   Each
       rule  specifies  what to do with a packet that matches.  This is called a
       `target', which may be a jump to a user-defined chain in the same  table.
Keep on reading from there - excellent info.


That said: no, if you don't use your Linux machine as THE router iptables
won't do you much good in the first place. Keep reading about the holes,
and try to get an understanding of IP networking before you dabble with
iptables ...


Cheers,
Tink
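The man page excerpt above talks about tables, built-in chains, user-defined chains and targets, and Tink's point is that none of this matters unless the Linux box is the one the LAN's packets actually pass through. The following is an added example, not code from the thread or from any of its participants: a minimal filter-table rule set for a Linux box acting as the router between a LAN and the Internet. The function prints the iptables commands rather than running them, so the rule set can be reviewed first and then applied as root with `build_filter_rules | sh` (after saving the current rules with `iptables-save`). The interface names eth0/eth1 and the LAN prefix 192.168.1.0/24 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal filter-table rule set for a
# Linux box that is THE router between a LAN and the Internet. The function
# prints the iptables commands so they can be reviewed; run them as root with
# "build_filter_rules | sh" (after an "iptables-save" backup). Interface
# names and the LAN prefix are assumptions for this example.
WAN_IF=${WAN_IF:-eth0}               # assumed: interface facing the Internet
LAN_IF=${LAN_IF:-eth1}               # assumed: interface facing the desktops
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed: LAN prefix

build_filter_rules() {
    # Packets only reach this box's chains if the desktops use it as their
    # gateway; forwarding must also be switched on in the kernel.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Start from a clean filter table: flush rules, delete user-defined
    # chains, then set each built-in chain's policy (the verdict applied
    # when no rule in the chain matches).
    echo "iptables -t filter -F"
    echo "iptables -t filter -X"
    echo "iptables -t filter -P INPUT DROP"
    echo "iptables -t filter -P FORWARD DROP"
    echo "iptables -t filter -P OUTPUT ACCEPT"

    # INPUT: packets addressed to the router itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"

    # FORWARD: packets passing through the router (desktop <-> Internet).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # A user-defined chain used as a target: the FORWARD rule jumps to
    # LAN_OUT, which decides which new connections the LAN may open.
    echo "iptables -N LAN_OUT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j LAN_OUT"
    echo "iptables -A LAN_OUT -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A LAN_OUT -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A LAN_OUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A LAN_OUT -j LOG --log-prefix \"lan-out-drop: \""
    echo "iptables -A LAN_OUT -j DROP"

    # Private LAN addresses must be rewritten to the router's own address on
    # the way out (nat table, POSTROUTING chain).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Helpers for inspecting the generated rule set.
filter_rule_count() { build_filter_rules | grep -c '^iptables -A '; }
chain_policy() {   # $1 = built-in chain name; prints its policy
    build_filter_rules | awk -v c="$1" '$4=="-P" && $5==c {print $6; exit}'
}

build_filter_rules
```

Every rule that matters for the desktops lives in FORWARD (and the chain it jumps to): if the desktops send their traffic to some other router, this box never sees the packets and the rule set is inert, which is exactly the situation Tink describes. The LOG rule before the final DROP is what lets you see, in the kernel log, which connections the policy is refusing.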
 
Old 06-15-2008, 06:03 AM   #20
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you do *NOT* "block websites" with iptables, you filter TCP/IP traffic. you *really* need to realise what the difference is there.
 
Old 06-15-2008, 06:34 AM   #21
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47
Thanks acid kewpie for the comments.
I recognize you very well. You have been around us for a long time. You know many aspects in open source.

It seems you don't like my way of describing IPtables.
Instead of using the word blocking I must learn to write filtering.

When I was studying Cisco, it was blocking or stopping. ACL are not for filtering. My Cisco books don't use the word filtering.
 
Old 06-15-2008, 06:49 AM   #22
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Gins, the question is not about blocking or filtering as words. The question is about what you filter or block.

If you say "site", it is probable that you mean HTTP entities. So, 2 sites with different domain names and different owners but on the same shared hosting are surely different sites. But iptables is not about sites. iptables is about IP packets. So if two packets go to the same IP address (for example to the same physical server with only one interface and without additional addresses bound to the same interface card), they may have different destination sites but the same destination IP address. iptables will not think they have different destinations.

If you want to filter or block sites with iptables, you need to configure transparent proxying, i.e. all the traffic going to port 80 (http) will be intercepted and redirected to an HTTP proxy, which will assemble full requests (not separate packets, which can carry only parts of requests) and analyze them.
 
Old 06-15-2008, 01:07 PM   #23
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47
Raskin, you have given a simple excellent explanation.

Let us take two different HTTP entities.

www.google.com [ 66.249.91.147]
www.yahoo.com [ 87.248.113.14]

Let us say I have a single Linux server and 2 or 3 desktop computers which run on Linux. I will connect my router to share the computers.

The packets from the above sites will arrive at my server.
What shall I do with IPtables in the above example?
[ I think I need two NICs on my server.]
 
Old 06-15-2008, 01:18 PM   #24
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Quote: Originally Posted by Gins
Raskin, you have given a simple excellent explanation.

Let us take two different HTTP entities.

www.google.com [ 66.249.91.147]
www.yahoo.com [ 87.248.113.14]

Let us say I have a single Linux server and 2 or 3 desktop computers which run on Linux. I will connect my router to share the computers.

The packets from the above sites will arrive at my server.
What shall I do with IPtables in the above example?
[ I think I need two NICs on my server.]

Nothing. You shall go back and re-visit the second part
of my post above.

You obviously have no understanding of the very basics
of traffic flow on a LAN. If your other computers connect
to your router their web-traffic won't even touch your
Linux machine, so whatever you do with IPtables there in an
attempt to block certain websites is futile. How about you
go back to the gym instead?



Cheers,
Tink
 
Old 06-15-2008, 01:23 PM   #25
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Congrats Gins, a very good bad example of using google.com there. google.com has LOTS of IP addresses and adds and removes them as they see fit. You would *NEVER* block google by IP in iptables. you would block it by the use of a proxy.

As others have mentioned, I am not picking up on mere terminology but highly differing functionality, and your lack of acknowledgement of that just goes to compound the fact that you really don't have even the basis of a knowledge of most of the constituent parts of this thread.
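raskin's post (#22) and acid_kewpie's reply above make the same point from two directions: a packet filter sees only addresses and ports, so two sites on one shared IP are indistinguishable to it, and a site spread over many changing IPs cannot be pinned down by address at all; only something that reassembles the HTTP request and reads its Host header can decide by site. The following is an added example, not code from the thread or from any of its participants. The first part is the nat-table rule raskin describes, which intercepts the LAN's port-80 traffic and redirects it to a proxy listening on the router itself (the interface name eth1 and the proxy port 3128, Squid's default, are assumptions). The second part is a small illustration of what each layer can see, using two constructed requests to one constructed server address.

```shell
#!/bin/sh
# Added example, not from the thread. Part 1: the nat-table rule that hands
# LAN web traffic to a local HTTP proxy. Part 2: what a packet filter sees
# (destination IP) versus what the proxy sees (the Host header) for two
# requests to the same IP. Interface, proxy port, the server address and the
# requests are all assumptions constructed for this example.
LAN_IF=${LAN_IF:-eth1}             # assumed: interface facing the desktops
PROXY_PORT=${PROXY_PORT:-3128}     # assumed: proxy port (Squid's default)

# Transparent proxying: packets arriving on the LAN interface for TCP port 80
# are redirected, before routing, to the proxy on this box. This only works
# for traffic that actually passes through this box on its way out.
transparent_proxy_rule() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# What the packet filter can decide on: the destination address of a packet.
packet_filter_verdict() {   # $1 = packet's destination IP, $2 = IP to block
    [ "$1" = "$2" ] && echo DROP || echo ACCEPT
}

# What the proxy can decide on: the Host header of the reassembled request.
request_host() {            # stdin = one HTTP request; prints the Host value
    tr -d '\r' | awk 'tolower($1)=="host:" {print $2; exit}'
}

proxy_verdict() {           # $1 = host name to block; stdin = HTTP request
    h=$(request_host)
    [ "$h" = "$1" ] && echo DENY || echo ALLOW
}

# Constructed sample: two different sites on one shared-hosting address
# (203.0.113.10 is from the documentation range, chosen for this example).
SHARED_IP=203.0.113.10
REQ_A='GET /index.html HTTP/1.1
Host: www.site-a.example
Connection: close

'
REQ_B='GET /index.html HTTP/1.1
Host: www.site-b.example
Connection: close

'

demo() {
    transparent_proxy_rule
    echo "packet filter, trying to block site-a by its IP $SHARED_IP:"
    echo "  request A -> $(packet_filter_verdict "$SHARED_IP" "$SHARED_IP")"
    echo "  request B -> $(packet_filter_verdict "$SHARED_IP" "$SHARED_IP")"
    echo "proxy, blocking site-a by name:"
    echo "  request A -> $(printf '%s' "$REQ_A" | proxy_verdict www.site-a.example)"
    echo "  request B -> $(printf '%s' "$REQ_B" | proxy_verdict www.site-a.example)"
}

demo
```

Run as-is, the packet-filter rows both print DROP (the filter cannot tell the two sites apart, so blocking site A takes site B down with it), while the proxy rows print DENY and ALLOW. The REDIRECT rule covers plain HTTP on port 80 only: an HTTPS request carries its host name inside the TLS session, so a proxy cannot read it without terminating TLS itself.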
 
Old 06-15-2008, 03:14 PM   #26
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47
I never learnt IPtables. I have never worked with them.
So it is correct to say that I have no basic knowledge of IPtables.

This is not the case with Cisco routing. I studied them at school and practice them too. However, I am no expert in Cisco routing. There are things I have never worked on in Cisco routing. Now VOIP is on the rise. I must learn stuff like VOIP and MPLS in Cisco.
 
Old 06-15-2008, 06:42 PM   #27
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
How are you going to resolve VoIP issues if you don't understand the
traffic flow on your home network? Learn to crawl and walk before trying
to run ...


Cheers,
Tink
 
Old 06-16-2008, 03:35 AM   #28
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
MPLS? No chance. I seriously struggle with MPLS concepts and I am a certified professional network engineer...
 
Old 06-17-2008, 07:04 AM   #29
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
http://www.mccme.ru/ium/postscript/f...inetwork.ps.gz

- it is a good and simple introduction to basic internet concepts (the lecture notes correspond to a course read in Russian, but they are in English despite the .ru domain). You will understand from it which box should be touched by which packet. A computer cannot affect a packet it doesn't see.
 
Old 06-18-2008, 10:04 AM   #30
Gins
Senior Member
 
Registered: Jul 2004
Location: Germany
Distribution: open SUSE 11.0, Fedora 7 and Mandriva 2007
Posts: 1,662

Original Poster
Rep: Reputation: 47
Thanks raskin.
It is a good site.
You speak Russian. I do speak some Russian too. I have studied Russian and I have been to Russia many times. During the cold war period I flew, several times, with Russian Aeroflot.

For me Russian is a beautiful language. Nowadays my Russian is rotten. Sometimes I look at the Russian channel. I have cable TV at home.


Probably I will take a Russian course in autumn.
 