From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Hiren Dave" <hiren2k4@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] another iptables question...
Date: Thu, 30 Mar 2006 19:52:46 +0530
In-Reply-To: <20060328173624.107e15c2.hilse@web.de>
References: <20060328173624.107e15c2.hilse@web.de>
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

Hi,

> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?

YES

Output of iptables -nvL is:

#iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

TnR
Hiren

On 3/28/06, Hans-Werner Hilse <hilse@web.de> wrote:
>
> Hi,
>
> On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@gmail.com>
> wrote:
>
> > I did this:
> > [...]
> > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> > #iptables -A OUTPUT -j DROP
> > [...]
> > Still other users including root can ping other PCs. Why is this not
> > working?
>
> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?
>
> > Also I have some difficulties understanding Connection Tracking (NEW,
> > ESTABLISHED, RELATED, INVALID) concept.
>
> Those are protocol dependent. I really think that those are well
> described even in iptables man page. Basically, you'll want sth like
> this:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
> match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
> don't impose any restrictions for outgoing connections).
>
> > Any practical guide available on internet for iptables???
>
> Lots. That "practical" depends on the problem faced which you didn't
> describe at all. So del.icio.us would be my first hint, Google follows:
>
> http://del.icio.us/tag/netfilter
> http://www.google.com/search?q=netfilter
>
> (note that the concept is usually referred to as "netfilter")
>
> -hwh
> --
> gentoo-user@gentoo.org mailing list
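Hans-Werner asks for the `iptables -vnL` listing because its counters show which rules actually fired. As an added example that is not part of the thread, this Python parser reads that listing format and reports rules with a zero packet counter and chains whose policy counter is non-zero even though they end in a catch-all DROP; the sample input is a constructed copy of the listing Hiren posted, and the function names are my own.

```python
import re
# Constructed sample: the listing posted in the thread above (FORWARD chain omitted,
# it is empty like INPUT). OUTPUT has an ACCEPT for uid 0 followed by a catch-all DROP.
SAMPLE = """\
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|(\d+) references)")
RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)(.*)$")  # 9 columns + match text
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "match")
SUFFIX = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}  # -nvL abbreviates large counters
CATCH_ALL = ("all", "*", "*", "0.0.0.0/0", "0.0.0.0/0", "")  # prot, in, out, src, dst, match

def counter(s):  # '540', '12K' or '3M' -> int
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)

def parse_iptables(text):
    """Return {chain: {"policy", "policy_pkts", "rules"}} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)  # user-defined chains show "(N references)", no policy
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": [],
                                            "policy_pkts": counter(m.group(3) or "0")}
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            r = RULE_RE.match(line)
            if r:
                rule = dict(zip(FIELDS, r.groups()))
                rule["pkts"], rule["match"] = counter(rule["pkts"]), rule["match"].strip()
                current["rules"].append(rule)
    return chains

def dead_rules(chains):
    """Rules whose packet counter is zero: the match never fired (here, the uid-0 ACCEPT)."""
    return [(c, r["target"], r["match"]) for c, info in chains.items()
            for r in info["rules"] if r["pkts"] == 0]

def policy_fallthrough(chains):
    """Chains ending in a catch-all DROP whose policy counter is non-zero: nothing can reach
    the policy past that rule, so the count predates it (run iptables -Z and re-test)."""
    out = {}
    for c, info in chains.items():
        last = info["rules"][-1] if info["rules"] else None
        if last and last["target"] == "DROP" and info["policy_pkts"] and \
                tuple(last[k] for k in ("prot", "in", "out", "src", "dst", "match")) == CATCH_ALL:
            out[c] = info["policy_pkts"]
    return out
```

On the sample, the uid-0 ACCEPT is reported as never matched while the OUTPUT policy still shows 15 packets, which is the evidence to look at before deciding the owner match itself is at fault.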
--
gentoo-user@gentoo.org mailing list