| 1 |
Hi, |
| 2 |
|
| 3 |
> please post the output of "iptables -vnL". We're talking about users on |
| 4 |
that PC, not those using it as a gateway/router/bridge/whatever, correct? |
| 5 |
|
| 6 |
YES |
| 7 |
|
| 8 |
Output of iptables -nvL is: |
| 9 |
|
| 10 |
#iptables -nvL |
| 11 |
Chain INPUT (policy ACCEPT 24 packets, 1440 bytes) |
| 12 |
pkts bytes target prot opt in out source |
| 13 |
destination |
| 14 |
|
| 15 |
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) |
| 16 |
pkts bytes target prot opt in out source |
| 17 |
destination |
| 18 |
|
| 19 |
Chain OUTPUT (policy ACCEPT 15 packets, 900 bytes) |
| 20 |
pkts bytes target prot opt in out source |
| 21 |
destination |
| 22 |
0 0 ACCEPT all -- * * 0.0.0.0/0 |
| 23 |
0.0.0.0/0 OWNER UID match 0 |
| 24 |
9 540 DROP all -- * * 0.0.0.0/0 |
| 25 |
0.0.0.0/0 |
| 26 |
TnR |
| 27 |
Hiren |
| 28 |
|
| 29 |
On 3/28/06, Hans-Werner Hilse <hilse@×××.de> wrote: |
| 30 |
> |
| 31 |
> Hi, |
| 32 |
> |
| 33 |
> On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@×××××.com> |
| 34 |
> wrote: |
| 35 |
> |
| 36 |
> > I did this: |
| 37 |
> > [...] |
| 38 |
> > #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT |
| 39 |
> > #iptables -A OUTPUT -j DROP |
| 40 |
> > [...] |
| 41 |
> > Still other users including root can ping other PCs. Why is this not |
| 42 |
> > working? |
| 43 |
> |
| 44 |
> please post the output of "iptables -vnL". We're talking about users on |
| 45 |
> that PC, not those using it as a gateway/router/bridge/whatever, |
| 46 |
> correct? |
| 47 |
> |
| 48 |
> > Also I have some diffulties understanding Connection Tracking(NEW, |
| 49 |
> > ESTABLISHED, RELATED, INVALID) concept. |
| 50 |
> |
| 51 |
> Those are protocol dependant. I really think that those are well |
| 52 |
> described even in iptables man page. Basically, you'll want sth like |
| 53 |
> this: |
| 54 |
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 55 |
> and maybe the same for FORWARD. Of course, for FORWARD, you'll want to |
| 56 |
> match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even |
| 57 |
> don't impose any restrictions for outgoing connections). |
| 58 |
> |
| 59 |
> > Any practical guide available on internet for iptables??? |
| 60 |
> |
| 61 |
> Lots. That "practical" depends on the problem faced which you didn't |
| 62 |
> describe at all. So del.icio.us would be my first hint, Google follows: |
| 63 |
> |
| 64 |
> http://del.icio.us/tag/netfilter |
| 65 |
> http://www.google.com/search?q=netfilter |
| 66 |
> |
| 67 |
> (note that the concept is usually referred to as "netfilter") |
| 68 |
> |
| 69 |
> -hwh |
| 70 |
> -- |
| 71 |
> gentoo-user@g.o mailing list |
| 72 |
> |
| 73 |
> |
Archives