public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] another iptables question...
From: Hiren Dave @ 2006-03-28 14:14 UTC
  To: gentoo-user, VGLUG


Hi,

I have configured iptables server on server1 (192.168.0.1/24).
Now I want to allow user root on server1 to be connected to network
and all other users on server1 will not be able to ping other PCs. So
I did this:
--------------------------------------------------------
#iptables -F
#service iptables stop
#iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
#iptables -A OUTPUT -j DROP
#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere      OWNER UID match root
DROP       all  --  anywhere             anywhere
--------------------------------------------------------

Still other users including root can ping other PCs. Why is this not
working?

Also I have some difficulties understanding the Connection Tracking (NEW,
ESTABLISHED, RELATED, INVALID) concept.
Can anyone help me?

Any practical guide available on internet for iptables???

TnR,
Hiren


* Re: [gentoo-user] another iptables question...
From: Hans-Werner Hilse @ 2006-03-28 15:36 UTC
  To: gentoo-user

Hi,

On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com>
wrote:

> I did this:
> [...]
> #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> #iptables -A OUTPUT -j DROP
> [...]
> Still other users including root can ping other PCs. Why is this not
> working?

please post the output of "iptables -vnL". We're talking about users on
that PC, not those using it as a gateway/router/bridge/whatever,
correct?

> Also I have some diffulties understanding Connection Tracking(NEW,
> ESTABLISHED, RELATED, INVALID) concept.

Those are protocol dependent. I really think that those are well
described even in iptables man page. Basically, you'll want sth like
this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
don't impose any restrictions for outgoing connections).

> Any practical guide available on internet for iptables???

Lots. That "practical" depends on the problem faced which you didn't
describe at all. So del.icio.us would be my first hint, Google follows:

http://del.icio.us/tag/netfilter
http://www.google.com/search?q=netfilter

(note that the concept is usually referred to as "netfilter")

-hwh
-- 
gentoo-user@gentoo.org mailing list
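As an added illustration of the two points raised in this thread (the owner match on OUTPUT from the first mail, and the ESTABLISHED,RELATED rule suggested in the reply), here is a small shell script that is not from either poster. It emits the rule set in dry-run form (IPT defaults to "echo iptables", so nothing is loaded unless you set IPT=iptables and run it as root) and includes an awk reader that sums the packet counters of a chain's rules from "iptables -nvL" output, using the counters posted later in this thread as sample input. Two caveats worth knowing when using the owner match this way: a setuid-root ping opens its raw socket before it drops privileges, so the socket is owned by uid 0 whichever user typed the command; and "-m state" is the 2006-era module name, with "-m conntrack --ctstate" being the current spelling for the same state names.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry-run generator for the
# per-user egress policy discussed above, plus a small reader for the
# "iptables -nvL" counters. Run as-is to print the rules; run with
# IPT=iptables as root to actually load them.
IPT="${IPT:-echo iptables}"

# Emit the ruleset. Root-owned sockets may start new outbound connections,
# replies to anything conntrack already knows come back in, every other
# packet leaving the host is dropped. "-m state" is the 2006-era spelling;
# modern kernels accept "-m conntrack --ctstate" with the same state names.
build_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    # Inbound: only packets that belong to (or relate to) an existing flow.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound: NEW flows only for uid 0; packets of existing flows for anyone.
    $IPT -A OUTPUT -m state --state NEW -m owner --uid-owner 0 -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -j DROP
}

# Sum the packet counter of every rule in CHAIN ($1) that jumps to TARGET ($2),
# reading "iptables -nvL" output from stdin (-nvxL prints exact counters
# instead of abbreviated "1234K" values). Prints 0 if no rule matched.
rule_hits() {
    awk -v chain="$1" -v target="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ && $3 == target { sum += $1 }
        END { print sum + 0 }'
}

# The counters posted later in this thread, with each rule on one line so
# awk can read it. Used here as sample input for rule_hits.
sample_counters() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

build_rules
echo "OUTPUT packets accepted for uid 0: $(sample_counters | rule_hits OUTPUT ACCEPT)"
echo "OUTPUT packets dropped:            $(sample_counters | rule_hits OUTPUT DROP)"
```

Reading the counters this way is the quickest check of whether a rule is matching at all: an ACCEPT rule with 0 packets next to a DROP rule that is counting is the signature of a match that never fires, whatever the reason turns out to be.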

* Re: [gentoo-user] another iptables question...
From: Hiren Dave @ 2006-03-30 14:22 UTC
  To: gentoo-user


Hi,

> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever, correct?

YES

Output of iptables -nvL is:

#iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

TnR
Hiren

