LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-14-2007, 01:46 AM   #1
twk
Member
 
Registered: Feb 2002
Location: Canada
Distribution: Fedora/RHEL
Posts: 152

Rep: Reputation: 31
/etc/sysconfig/iptables question


From iptables-save I see

Code:
# Generated by iptables-save v1.2.11 on Tue Feb 13 23:42:29 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2239:617321]
:RH-Firewall-1-INPUT - [0:0]
What does the range beside the policy mean? (e.g. [2239:617321] vs [0:0]) and what's "-" policy, is it equivalent as "ACCEPT"?

Thank you.
 
Old 02-14-2007, 05:00 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
What does the range beside the policy mean? (e.g. [2239:617321] vs [0:0])
The "range" is actually a set of counters. The first number (2239) is the total number of packets that have been processed through the chain. The second number (617321) is the number of bytes in those packets.

Quote:
what's "-" policy, is it equivalent as "ACCEPT"?
It's actually not a policy. The policies are only applicable to the built-in chains (INPUT/OUTPUT/FORWARD). Because RH-Firewall-1-INPUT is a user-defined chain created using the -N option (see man page), it doesn't have a policy (which is why the "-" is there).

I believe that RH has the firewall designed so that the INPUT chain dumps all packets into RH-Firewall-1-INPUT where all the filtering rules live. Technically once the packets reach the end of the RH-Firewall-1-INPUT chain, they should be passed back to the INPUT chain, however at the end of RH-Firewall-1-INPUT there is usually a REJECT rule that blocks anything that reaches the end of the chain. So it's really the equivalent of having a default INPUT policy of REJECT.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
/etc/sysconfig/iptables syntax/parameter question zerovice Linux - Security 1 11-08-2006 12:58 PM
iptables in sysconfig?? Mibble Red Hat 6 10-16-2005 10:37 PM
iptables -P vs :OUTPUT in /etc/sysconfig/iptables TomF Linux - Security 2 04-14-2005 11:50 PM
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 02:40 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 08:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration