* [gentoo-user] another iptables question... @ 2006-03-28 14:14 Hiren Dave 2006-03-28 15:36 ` Hans-Werner Hilse 0 siblings, 1 reply; 3+ messages in thread From: Hiren Dave @ 2006-03-28 14:14 UTC (permalink / raw To: gentoo-user, VGLUG [-- Attachment #1: Type: text/plain, Size: 1150 bytes --] Hi, I have configured iptables server on server1 (192.168.0.1/24). Now I want to allow user root on server1 to be connected to network and all other users on server1 will not be able to ping other PCs. So I did this: -------------------------------------------------------- #iptables -F #service iptables stop #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT #iptables -A OUTPUT -j DROP #iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere OWNER UID match root DROP all -- anywhere anywhere -------------------------------------------------------- Still other users including root can ping other PCs. Why is this not working? Also I have some diffulties understanding Connection Tracking(NEW, ESTABLISHED, RELATED, INVALID) concept. Can any one help me? Any practical guide available on internet for iptables??? TnR, Hiren [-- Attachment #2: Type: text/html, Size: 1976 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] another iptables question... 2006-03-28 14:14 [gentoo-user] another iptables question Hiren Dave @ 2006-03-28 15:36 ` Hans-Werner Hilse 2006-03-30 14:22 ` Hiren Dave 0 siblings, 1 reply; 3+ messages in thread From: Hans-Werner Hilse @ 2006-03-28 15:36 UTC (permalink / raw To: gentoo-user Hi, On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com> wrote: > I did this: > [...] > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT > #iptables -A OUTPUT -j DROP > [...] > Still other users including root can ping other PCs. Why is this not > working? please post the output of "iptables -vnL". We're talking about users on that PC, not those using it as a gateway/router/bridge/whatever, correct? > Also I have some diffulties understanding Connection Tracking(NEW, > ESTABLISHED, RELATED, INVALID) concept. Those are protocol dependant. I really think that those are well described even in iptables man page. Basically, you'll want sth like this: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT and maybe the same for FORWARD. Of course, for FORWARD, you'll want to match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even don't impose any restrictions for outgoing connections). > Any practical guide available on internet for iptables??? Lots. That "practical" depends on the problem faced which you didn't describe at all. So del.icio.us would be my first hint, Google follows: http://del.icio.us/tag/netfilter http://www.google.com/search?q=netfilter (note that the concept is usually referred to as "netfilter") -hwh -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-user] another iptables question... 2006-03-28 15:36 ` Hans-Werner Hilse @ 2006-03-30 14:22 ` Hiren Dave 0 siblings, 0 replies; 3+ messages in thread From: Hiren Dave @ 2006-03-30 14:22 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 2258 bytes --] Hi, > please post the output of "iptables -vnL". We're talking about users on that PC, not those using it as a gateway/router/bridge/whatever, correct? YES Output of iptables -nvL is: #iptables -nvL Chain INPUT (policy ACCEPT 24 packets, 1440 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 OWNER UID match 0 9 540 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 TnR Hiren On 3/28/06, Hans-Werner Hilse <hilse@web.de> wrote: > > Hi, > > On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com> > wrote: > > > I did this: > > [...] > > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT > > #iptables -A OUTPUT -j DROP > > [...] > > Still other users including root can ping other PCs. Why is this not > > working? > > please post the output of "iptables -vnL". We're talking about users on > that PC, not those using it as a gateway/router/bridge/whatever, > correct? > > > Also I have some diffulties understanding Connection Tracking(NEW, > > ESTABLISHED, RELATED, INVALID) concept. > > Those are protocol dependant. I really think that those are well > described even in iptables man page. Basically, you'll want sth like > this: > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > and maybe the same for FORWARD. Of course, for FORWARD, you'll want to > match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even > don't impose any restrictions for outgoing connections). > > > Any practical guide available on internet for iptables??? > > Lots. That "practical" depends on the problem faced which you didn't > describe at all. So del.icio.us would be my first hint, Google follows: > > http://del.icio.us/tag/netfilter > http://www.google.com/search?q=netfilter > > (note that the concept is usually referred to as "netfilter") > > -hwh > -- > gentoo-user@gentoo.org mailing list > > [-- Attachment #2: Type: text/html, Size: 4113 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-03-30 14:27 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2006-03-28 14:14 [gentoo-user] another iptables question Hiren Dave 2006-03-28 15:36 ` Hans-Werner Hilse 2006-03-30 14:22 ` Hiren Dave
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox