Hi,

> please post the output of "iptables -vnL". We're talking about users on that PC, not those using it as a gateway/router/bridge/whatever, correct?

YES

Output of iptables -nvL is:

#iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

TnR
Hiren
 
On 3/28/06, Hans-Werner Hilse <hilse@web.de> wrote:
Hi,

On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com>
wrote:

> I did this:
> [...]
> #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> #iptables -A OUTPUT -j DROP
> [...]
> Still other users including root can ping other PCs. Why is this not
> working?

please post the output of "iptables -vnL". We're talking about users on
that PC, not those using it as a gateway/router/bridge/whatever,
correct?

> Also I have some difficulties understanding the Connection Tracking (NEW,
> ESTABLISHED, RELATED, INVALID) concept.

Those are protocol dependent. I really think that those are well
described even in the iptables man page. Basically, you'll want something like
this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
don't impose any restrictions for outgoing connections).

> Any practical guide available on the Internet for iptables?

Lots. That "practical" depends on the problem faced which you didn't
describe at all. So del.icio.us would be my first hint, Google follows:

http://del.icio.us/tag/netfilter
http://www.google.com/search?q=netfilter

(note that the concept is usually referred to as "netfilter")

-hwh
--
gentoo-user@gentoo.org mailing list
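An added example, not code from either poster: a small Python audit script that parses the `iptables -nvL` dump posted above and applies the checks a practitioner would otherwise make by eye. It reports which built-in chains still have an open ACCEPT policy, which rules have a zero hit counter while a later rule in the same chain did accumulate hits (the posted OUTPUT chain shows 0 packets on the owner-match ACCEPT and 9 on the catch-all DROP, so the traffic being dropped never satisfied the owner match), and which of INPUT and FORWARD lack the `ESTABLISHED,RELATED` accept rule the reply recommends. The sample input is copied from the post; the function and class names are my own and not part of iptables.

```python
"""Audit an `iptables -nvL` dump: chains, policies, per-rule counters.

Added example, not from the thread. Parses the dump format and runs
three checks: open default policies, rules that never matched while a
later rule did, and missing ESTABLISHED,RELATED accept rules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the `iptables -nvL` output as posted in the message above.
SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    match: str  # trailing match text, e.g. "OWNER UID match 0"


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains ("N references")
    policy_pkts: int = 0
    rules: List[Rule] = field(default_factory=list)


_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, \S+ bytes|(\d+) references)\)$")
_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}
_STATE_RE = re.compile(r"\b(?:state|ctstate) (\S+)")


def _count(text):
    """Counters printed without -x may carry a K/M/G suffix, e.g. '12K'."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_dump(text):
    """Return {chain_name: Chain} from `iptables -nvL` (or -nvLx) output."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _CHAIN_RE.match(line)
        if m:
            name, policy, pkts, _refs = m.groups()
            current = Chain(name, policy, _count(pkts) if pkts else 0)
            chains[name] = current
            continue
        if line.lstrip().startswith("pkts bytes"):
            continue  # column header line
        if current is None:
            raise ValueError("rule line before any chain header: %r" % line)
        # Nine fixed columns; whatever follows is the match description.
        cols = line.split(None, 9)
        if len(cols) < 9:
            raise ValueError("malformed rule line: %r" % line)
        match = cols[9].strip() if len(cols) == 10 else ""
        current.rules.append(Rule(_count(cols[0]), _count(cols[1]), *cols[2:9], match))
    return chains


def open_policy_chains(chains):
    """Built-in chains whose default policy is ACCEPT (nothing falls through to a drop)."""
    return [c.name for c in chains.values() if c.policy == "ACCEPT"]


def shadowed_by_later_hits(chain):
    """Indexes of zero-hit rules that sit above a rule which did accumulate hits.

    A zero counter on a specific ACCEPT followed by hits on a catch-all DROP
    means the dropped traffic never satisfied the ACCEPT's match criteria.
    """
    return [i for i, r in enumerate(chain.rules)
            if r.pkts == 0 and any(later.pkts > 0 for later in chain.rules[i + 1:])]


def lacks_established_accept(chains, names=("INPUT", "FORWARD")):
    """Chains among `names` with no ACCEPT rule matching both ESTABLISHED and RELATED."""
    missing = []
    for name in names:
        chain = chains.get(name)
        if chain is None:
            continue
        ok = False
        for r in chain.rules:
            m = _STATE_RE.search(r.match)
            if r.target == "ACCEPT" and m and {"ESTABLISHED", "RELATED"} <= set(m.group(1).split(",")):
                ok = True
                break
        if not ok:
            missing.append(name)
    return missing


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("open ACCEPT policy:", open_policy_chains(parsed))
    for c in parsed.values():
        for idx in shadowed_by_later_hits(c):
            print("%s rule %d never matched but a later rule did: %s" % (c.name, idx + 1, c.rules[idx]))
    print("missing ESTABLISHED,RELATED accept:", lacks_established_accept(parsed))
```

Run it against a live box with `iptables -nvL | python3 audit.py`-style piping by replacing `SAMPLE_DUMP` with `sys.stdin.read()`; reading the counters this way, rather than only the rule list, is what separates "the rule is loaded" from "the rule is matching the traffic you think it is".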