Hi,

> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever, correct?

YES

Output of iptables -nvL is:

#iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 0
    9   540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

TnR
Hiren

On 3/28/06, Hans-Werner Hilse <hilse@×××.de> wrote:
>
> Hi,
>
> On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@×××××.com>
> wrote:
>
> > I did this:
> > [...]
> > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> > #iptables -A OUTPUT -j DROP
> > [...]
> > Still other users including root can ping other PCs. Why is this not
> > working?
>
> please post the output of "iptables -vnL". We're talking about users on
> that PC, not those using it as a gateway/router/bridge/whatever,
> correct?
>
> > Also I have some difficulties understanding Connection Tracking (NEW,
> > ESTABLISHED, RELATED, INVALID) concept.
>
> Those are protocol dependent. I really think that those are well
> described even in iptables man page. Basically, you'll want sth like
> this:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
> match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
> don't impose any restrictions for outgoing connections).
>
> > Any practical guide available on internet for iptables???
>
> Lots. That "practical" depends on the problem faced which you didn't
> describe at all. So del.icio.us would be my first hint, Google follows:
>
> http://del.icio.us/tag/netfilter
> http://www.google.com/search?q=netfilter
>
> (note that the concept is usually referred to as "netfilter")
>
> -hwh
> --
> gentoo-user@g.o mailing list
>
>
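The owner-match rules from the original mail and the ESTABLISHED,RELATED rule Hans-Werner suggests, put together into one ordered ruleset as an added example (not code from the thread or from the list); it assumes a DRY_RUN variable that prints the commands instead of running them and an IPT variable naming the iptables binary:

```shell
#!/bin/sh
# Added example: a stateful ruleset built around the thread's owner match.
# Root (uid 0) may open new outbound connections, every other local user is
# dropped, and replies come back in through connection tracking.
# Assumptions: IPT is the iptables binary (default "iptables"); set DRY_RUN=1
# to print the commands instead of executing them.
IPT="${IPT:-iptables}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the ruleset. Order matters: the owner match is only valid in OUTPUT
# (and POSTROUTING), and the state rules must come before the final DROP.
build_rules() {
    ipt -F INPUT
    ipt -F OUTPUT
    # Loopback stays open, otherwise local services break.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections root opened are accepted in both directions.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only uid 0 may originate new outbound traffic (the thread's rule).
    ipt -A OUTPUT -m state --state NEW -m owner --uid-owner 0 -j ACCEPT
    # Everything else leaving the box is logged (rate limited) and dropped,
    # so drop counters like the 9 packets in the thread become attributable.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    ipt -A OUTPUT -j DROP
}

# Sanity check: exactly one rule should carry the uid-0 owner match.
count_owner_rules() {
    (DRY_RUN=1; build_rules) | grep -c -- '--uid-owner 0'
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```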