LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-08-2002, 09:14 AM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
I'm confused about ipchains


I'm trying to perfect my firewall with ipchains but, I'm confused about this one thing. In what order does teh system look at the rules I apply.
If I entered:

ipchains -A input -p tcp -d 0.0.0.0 23 -j ACCEPT
ipchains -A input -j DENY


Would that allow telnet from all locations and ONLY telnet. Or will the system look at the last rule I entered and work towards the first.

Thanks in advance.
 
Old 01-08-2002, 10:34 AM   #2
JimKyle
Member
 
Registered: Dec 2001
Location: Oklahoma City, OK, USA
Distribution: Xubuntu 16.04 LTS
Posts: 214
Blog Entries: 1

Rep: Reputation: 39
With your example, it will look at the first and work its way down.

However if you use "-I" instead of "-A" that will reverse the order, because the second rule you enter will be inserted ahead of the first one -- which was itself inserted at the head of the input filter chain.

The difference can be critical, when you're setting up rules in something like portsentry. I had to change the original "-A" rule to be "-I" so that the rule added by portsentry would appear before my final catch-all rule!
 
Old 01-08-2002, 12:05 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Hmm. JimKyle is right, ipchains always works top-down when using only "-A"'s.

But your (to)addy can't be 0.0.0.0, and it can't have --destination (to) like this, it should be --source (from). If you did mean "from any addy to my addy port 23" I'd add a var $ANY, add the DENY as default policy, the eth0 in case of scalability, and your ip address and then it'd look like this:

ANY="0.0.0.0"
IP="(ip addr here)"

ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s $ANY -d $IP 23 -j ACCEPT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ipchains aolis Debian 1 02-08-2004 12:23 PM
ipchains+how?? zaldyd Linux - Newbie 3 08-12-2003 07:47 AM
IpChains R4z0r Linux - Networking 3 03-01-2002 11:28 AM
ipchains jrocha Linux - Networking 1 01-16-2002 09:14 AM
ipchains help ... please> paulw Linux - Security 3 11-16-2001 11:15 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration