[mdlug] iptables question
Raymond McLaughlin
driveray at ameritech.net
Thu Mar 22 10:56:22 EDT 2007
Robert Meier wrote:
> David,
>
> I haven't used iptables(8) directly for several years,
> and no longer have it installed.
> I have been using YAST firewall.
I understand the "directly" part of this statement, but not the "not
installed" part. YaST firewall (actually SuSE firewall) is an interface
for setting up iptable rules. A sample from a SuSE firewalled machine:
Raymond McLaughlin
localhost:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state
NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-OUT-ERROR '
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
ACCEPT icmp -- anywhere anywhere icmp
source-quench
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:https
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
reject_func tcp -- anywhere anywhere tcp
dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options
prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-proto-unreachable
More information about the mdlug
mailing list