* [gentoo-user] another iptables question...
@ 2006-03-28 14:14 Hiren Dave
2006-03-28 15:36 ` Hans-Werner Hilse
0 siblings, 1 reply; 3+ messages in thread
From: Hiren Dave @ 2006-03-28 14:14 UTC (permalink / raw
To: gentoo-user, VGLUG
[-- Attachment #1: Type: text/plain, Size: 1150 bytes --]
Hi,
I have configured iptables server on server1 (192.168.0.1/24).
Now I want to allow user root on server1 to be connected to network
and all other users on server1 will not be able to ping other PCs. So
I did this:
--------------------------------------------------------
#iptables -F
#service iptables stop
#iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
#iptables -A OUTPUT -j DROP
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere OWNER UID match root
DROP all -- anywhere anywhere
--------------------------------------------------------
Still other users including root can ping other PCs. Why is this not
working?
Also I have some diffulties understanding Connection Tracking(NEW,
ESTABLISHED, RELATED, INVALID) concept.
Can any one help me?
Any practical guide available on internet for iptables???
TnR,
Hiren
[-- Attachment #2: Type: text/html, Size: 1976 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] another iptables question...
2006-03-28 14:14 [gentoo-user] another iptables question Hiren Dave
@ 2006-03-28 15:36 ` Hans-Werner Hilse
2006-03-30 14:22 ` Hiren Dave
0 siblings, 1 reply; 3+ messages in thread
From: Hans-Werner Hilse @ 2006-03-28 15:36 UTC (permalink / raw
To: gentoo-user
Hi,
On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com>
wrote:
> I did this:
> [...]
> #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> #iptables -A OUTPUT -j DROP
> [...]
> Still other users including root can ping other PCs. Why is this not
> working?
please post the output of "iptables -vnL". We're talking about users on
that PC, not those using it as a gateway/router/bridge/whatever,
correct?
> Also I have some diffulties understanding Connection Tracking(NEW,
> ESTABLISHED, RELATED, INVALID) concept.
Those are protocol dependant. I really think that those are well
described even in iptables man page. Basically, you'll want sth like
this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
don't impose any restrictions for outgoing connections).
> Any practical guide available on internet for iptables???
Lots. That "practical" depends on the problem faced which you didn't
describe at all. So del.icio.us would be my first hint, Google follows:
http://del.icio.us/tag/netfilter
http://www.google.com/search?q=netfilter
(note that the concept is usually referred to as "netfilter")
-hwh
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] another iptables question...
2006-03-28 15:36 ` Hans-Werner Hilse
@ 2006-03-30 14:22 ` Hiren Dave
0 siblings, 0 replies; 3+ messages in thread
From: Hiren Dave @ 2006-03-30 14:22 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 2258 bytes --]
Hi,
> please post the output of "iptables -vnL". We're talking about users on
that PC, not those using it as a gateway/router/bridge/whatever, correct?
YES
Output of iptables -nvL is:
#iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 OWNER UID match 0
9 540 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
TnR
Hiren
On 3/28/06, Hans-Werner Hilse <hilse@web.de> wrote:
>
> Hi,
>
> On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com>
> wrote:
>
> > I did this:
> > [...]
> > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> > #iptables -A OUTPUT -j DROP
> > [...]
> > Still other users including root can ping other PCs. Why is this not
> > working?
>
> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?
>
> > Also I have some diffulties understanding Connection Tracking(NEW,
> > ESTABLISHED, RELATED, INVALID) concept.
>
> Those are protocol dependant. I really think that those are well
> described even in iptables man page. Basically, you'll want sth like
> this:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
> match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
> don't impose any restrictions for outgoing connections).
>
> > Any practical guide available on internet for iptables???
>
> Lots. That "practical" depends on the problem faced which you didn't
> describe at all. So del.icio.us would be my first hint, Google follows:
>
> http://del.icio.us/tag/netfilter
> http://www.google.com/search?q=netfilter
>
> (note that the concept is usually referred to as "netfilter")
>
> -hwh
> --
> gentoo-user@gentoo.org mailing list
>
>
[-- Attachment #2: Type: text/html, Size: 4113 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-03-30 14:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-03-28 14:14 [gentoo-user] another iptables question Hiren Dave
2006-03-28 15:36 ` Hans-Werner Hilse
2006-03-30 14:22 ` Hiren Dave
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox