Subject: Re: Thanks you Re: IPChains newbie and DNS queries
From: Jim Roland (jroland at ROLAND.NET)
Date: Tue Oct 17 2000 - 12:12:54 CDT
- Next message: Joseph Nicholas Yarbrough: "Re: DOS attack on my webserver!!!"
- Previous message: Stephen Kreusch: "Re: DOS attack on my webserver!!!"
- In reply to: Alvaro Garriga: "Thanks you Re: IPChains newbie and DNS queries"
- Reply: Jim Roland: "Re: Thanks you Re: IPChains newbie and DNS queries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
It would be worth noting that the HowTo linked below has a great (but ugly
<grin>) diagram of the kernel chain.
Input chain is for packets directed at the router itself (not being
forwarded between interfaces)
Output chain is for packets leaving from the router itself (not being
forwarded between interfaces)
Forwarding chain (which is "peeled off" away from the Input/Output chains)
is for packets passing through the box to another interface (for an IP that
is not attached to the router's interface).
----- Original Message -----
From: "Alvaro Garriga" <alvaro.garriga at TRANSCORE.COM>
To: <FOCUS-LINUX at SECURITYFOCUS.COM>
Sent: Monday, October 16, 2000 5:29 PM
Subject: Thanks you Re: IPChains newbie and DNS queries
> You are right John.
>
> Adding the rule at the end makes a big difference. It works fine now.
>
> Thanks guys.
>
> John Sage wrote:
>
> > Tommy Lacroix wrote:
> > >
> > > > Hi,
> > > > I am new to ipchains too. But in my opinion all
> > > > incoming packets will FIRST go through the input
> > > > chain. So if you say
> >
> > I think some confusion has been injected here, because although the
> > *default POLICY* may be to DENY, as soon as one starts adding specific
> > chains or rules, the default policy is tested *last* not first.
> >
> > So, if one is to say only:
> >
> > /sbin/ipchains -P input DENY
> >
> > then all packets are tested against this default policy and dropped.
> >
> > If one adds:
> >
> > /sbin/ipchains -P input DENY
> > /sbin/ipchains -A input -i ppp0 -j ACCEPT
> >
> > then packets coming in to the input chain on interface ppp0 are tested
> > and ACCEPT'ed, but packets that came in on another interface (eth0, for
> > example..) would be tested against the one input chain, fail, and pass
> > on to the default policy and be DENY'ed.
> >
> > See exactly the same source:
> >
> > http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html
> >
> > "...If the rule doesn't match the packet, then the next rule in the
> > chain is consulted. Finally, if there are no more rules to consult, then
> > the kernel looks at the chain policy to decide what to do..."
> >
> > - John
> >
> > --
> > John Sage
> > FinchHaven, Vashon Island, WA, USA
> > http://www.finchhaven.com/
> > mailto:jsage at finchhaven.com
> > And remember: it's spelled l-i-n-u-x but it's pronounced "Linux"
>
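A small model of the rule walk John Sage describes, added here as an illustration (it is not code from the thread or from ipchains itself): rules in a chain are consulted in order, the first match decides, and the chain policy set with -P is consulted only when no rule matched. The interface names, ports and the accept rule for resolver replies are assumptions made up for the demonstration.

```python
# Added example (not from the thread): a toy model of how ipchains walks a chain.
# Interface names, ports and the UDP/53 rule below are constructed, not the OP's.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                   # -j ACCEPT / DENY / REJECT
    iface: Optional[str] = None   # -i ppp0
    proto: Optional[str] = None   # -p udp
    sport: Optional[int] = None   # source port

    def matches(self, pkt: dict) -> bool:
        # Every field the rule specifies must match; unspecified fields are wildcards.
        checks = (("iface", self.iface), ("proto", self.proto), ("sport", self.sport))
        return all(want is None or pkt.get(key) == want for key, want in checks)

@dataclass
class Chain:
    policy: str                   # ipchains -P <chain> <policy>
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # ipchains -A <chain> ... (adds at the end)
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # ipchains -I <chain> ... (adds at the head)
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:   # rules are consulted in order; first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy        # no rule matched: only now is the policy consulted

DNS_REPLY = {"iface": "ppp0", "proto": "udp", "sport": 53}  # constructed: resolver reply on ppp0

def policy_is_tested_last() -> dict:
    # Default DENY, then an ACCEPT appended afterwards, as in the thread.
    chain = Chain("DENY")
    before = chain.verdict(DNS_REPLY)
    chain.append(Rule("ACCEPT", iface="ppp0", proto="udp", sport=53))
    return {"before_rule": before, "ppp0_reply": chain.verdict(DNS_REPLY),
            "eth0_reply": chain.verdict({**DNS_REPLY, "iface": "eth0"})}

def earlier_rule_shadows_later() -> str:
    # A blanket DENY inserted at the head hides the ACCEPT after it: position matters, not just presence.
    chain = Chain("DENY")
    chain.append(Rule("ACCEPT", iface="ppp0", proto="udp", sport=53))
    chain.insert(Rule("DENY", iface="ppp0"))
    return chain.verdict(DNS_REPLY)
```

Running the two functions shows the reply being denied by the bare policy, accepted once the rule is appended, and denied again when a broader rule is inserted ahead of it.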