LinuxQuestions.org
Old 01-13-2011, 02:54 PM   #1
cwhiteacre
LQ Newbie
 
Registered: Jan 2011
Posts: 3

Rep: Reputation: 0
iptables


I am new to Linux, but have grown very fond of it over the last six months. I am having a little trouble with the correct syntax for iptables so any advice would be appreciated:

When deleting a rule, when is it better to use DROP instead of REJECT and vice versa??

Also, please provide some basic info. for the use of MASQUERADE??

Last edited by cwhiteacre; 01-13-2011 at 02:55 PM. Reason: misspelling
 
Old 01-13-2011, 03:18 PM   #2
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,254

Rep: Reputation: 315
On a personal PC at home or at work it is better to use DROP, and if your PC offers public services to other people, like www or mail, REJECT is better. But it also depends on what you are blocking. If you know that a rule is there to block intruders, use DROP, so as not to give them any response. And if you want, for example, to block ICMP in your home network, but someday want to use ping to trace a network problem, the REJECT rule gives you a proper response.

MASQUERADE is used when your PC has a private IP and your public IP is not static.

Last edited by eSelix; 01-13-2011 at 03:23 PM.
 
Old 01-13-2011, 03:21 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Hi, welcome to LQ!



Quote:
Originally Posted by cwhiteacre
I am new to Linux, but have grown very fond of it over the last six months. I am having a little trouble with the correct syntax for iptables so any advice would be appreciated:

When deleting a rule, when is better to use DROP instead of REJECT and vice versa??
You wouldn't use either of those on rules; they're PART of a rule, defining a
different target chain.

To delete a rule you use "-D" or "--delete".

Quote:
Originally Posted by cwhiteacre
Also, please provide some basic info. for the use of MASQUERADE??
Masquerade is important if your machine acts as a router, and maps
IP addresses on your private LAN to your public IP assigned by your ISP.



Cheers,
Tink
 
Old 01-13-2011, 05:14 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,064

Rep: Reputation: 894
I don't want to seem unhelpful, but I am aware that, at best, I will seem to be nit picking. I would allege that there is no useful statement that can be made on this subject without being careful about the exact meaning, but if you like, you can try to construct a firewall that only approximately does the right thing...

Quote:
Originally Posted by cwhiteacre
I am having a little trouble with the correct syntax for iptables so any advice would be appreciated
So, you have warmed me up for a specific question on the syntax of IPTABLES commands...

Quote:
When deleting a rule, when is better to use DROP instead of REJECT and vice versa??
...and that isn't it. Over at frozentux there is a tutorial (close to a manual) that will tell you everything that you wanted to know about the syntax of iptables commands, and much more besides. (Download a version, rather than use the html...you'll want to look at it several times.)

Deleting a rule, deletes a rule. The rule isn't there any more. It has gone. It has become an ex-rule and joined the choir invisible.

A rather different question is whether it is better to drop or reject. This applies to chains and is a matter of taste and/or which bad thing you dislike the least. If you 'drop' ... perhaps better described as 'silently drop' ... you just discard the packet and don't send any message to the packet's originator. This isn't entirely RFC-compliant, so you have broken one of the standards that holds the internet together (boo! hiss! dead parrots!*), but there are some situations in which you have deprived a potential miscreant of some information that they would have considered helpful (hurray! wonderful! live parrots!), so this may be considered more secure.

OTOH, if you reject (send a helpful message back to the originator telling them that you didn't think much of their beautiful packet and are putting it in the bit bucket) the opposite happens; you have complied with the appropriate standard (RFC) but you may have helped someone whom you would maybe rather not have helped.

If you are happy with actually thinking about the situations which occur, you may be able to think of some situations which can only occur on your internal network and you may feel for those situations 'help in debugging' outweighs 'RFC compliance' and for situations in which some external actor could take advantage 'security' outweighs 'RFC compliance' and/or 'help in debugging'. Or not, to taste.

And, while I am here, it is sometimes said that setting a chain's policy (I know that you didn't mention the word 'policy' but it is one of the things that could underlie this question) to drop is somehow rather better than anything else. Bear in mind that a chain with a policy of drop is, functionally, the same as a chain which has drop as its last command, so the advantage for a policy of drop is essentially clarity (if it is more clear) and an obstacle in the way of accidentally (or malevolently) making a mess of the behaviour of the chain.

* PS, broadly, in spite of packet dropping being somewhat non-RFC-compliant, the internet goes on, seemingly without caring that you have done this. Which is perhaps as well.
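The following is an added example, not code posted by anyone in this thread. It turns the points from the three replies above into one idempotent home-router script: DROP, REJECT and MASQUERADE appear as rule targets (the -j part), a rule is removed with -D and the same match specification it was added with, LAN-originated traffic gets REJECT (so debugging from inside still gets an answer) while Internet-originated traffic gets DROP, and the INPUT and FORWARD chains carry a DROP policy. The interface names eth0 (ISP side) and eth1 (LAN, 192.168.1.0/24), the SSH-from-LAN exception and the helper names ensure_present, ensure_absent and for_each_rule are my assumptions; the script also relies on iptables supporting the -C/--check option, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not code from this thread: a small home-router firewall
# script built around the points made above. DROP, REJECT and MASQUERADE are
# rule *targets* (the -j part); a rule is removed with -D plus the same match
# specification it was added with; a chain policy of DROP fails closed.
# IPT names the iptables command. Preview without touching the kernel with:
#   IPT="echo iptables" sh router-fw.sh up
set -eu
IPT="${IPT:-iptables}"

# Assumed layout: eth0 faces the ISP (dynamic public address), eth1 the LAN.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# ensure_present TABLE CHAIN MATCH... -j TARGET
# Append the rule only if "-C" (check) reports it absent, so running the
# script twice never produces duplicate rules.
ensure_present() {
    t=$1; c=$2; shift 2
    if ! $IPT -t "$t" -C "$c" "$@" 2>/dev/null; then
        $IPT -t "$t" -A "$c" "$@"
    fi
}

# ensure_absent TABLE CHAIN MATCH... -j TARGET
# Delete by specification ("-D" with the same arguments), never by rule
# number, which shifts whenever another rule is inserted or removed.
ensure_absent() {
    t=$1; c=$2; shift 2
    if $IPT -t "$t" -C "$c" "$@" 2>/dev/null; then
        $IPT -t "$t" -D "$c" "$@"
    fi
}

# for_each_rule CALLBACK: call CALLBACK TABLE CHAIN MATCH... for every rule.
# The list lives in one place so that "up" and "down" cannot drift apart.
# LAN hosts get REJECT (a TCP reset or an ICMP error, so a misconfigured
# client fails fast and ping still works); the Internet side gets DROP (no
# reply at all, so an outsider learns nothing about what is filtered). The
# explicit WAN DROP rule only restates the DROP policy; it is kept so that
# "iptables -L INPUT -v" shows a counter for what was dropped.
for_each_rule() {
    while read -r table chain spec; do
        [ -n "$table" ] || continue
        # shellcheck disable=SC2086 # the match spec is meant to be word-split
        "$1" "$table" "$chain" $spec
    done <<EOF
filter INPUT -i lo -j ACCEPT
filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter INPUT -i $LAN -p icmp -j ACCEPT
filter INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
filter INPUT -i $LAN -p tcp -j REJECT --reject-with tcp-reset
filter INPUT -i $LAN -j REJECT --reject-with icmp-port-unreachable
filter INPUT -i $WAN -j DROP
filter FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
EOF
}

firewall_up() {
    # A DROP policy, unlike a trailing "-A INPUT -j DROP" rule, survives an
    # accidental "iptables -F": after a flush the box is closed, not open.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    for_each_rule ensure_present
}

firewall_down() {
    for_each_rule ensure_absent
    $IPT -t filter -P INPUT ACCEPT
    $IPT -t filter -P FORWARD ACCEPT
}

case "${1:-}" in
    up)   firewall_up ;;
    down) firewall_down ;;
    *)    echo "usage: [IPT='echo iptables'] $0 up|down" >&2 ;;
esac
```

Run it as root with sh router-fw.sh up or down; IPT="echo iptables" sh router-fw.sh up prints the commands instead of applying them, which is a cheap way to review a ruleset before it goes live. Because the INPUT policy is DROP, the loopback and ESTABLISHED,RELATED rules must be in place before you rely on a remote session to the router.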