On Monday 12 April 2010 13:31:09 Tanstaafl wrote:
> On 2010-04-11 9:20 AM, Graham Murray wrote:
> > Tanstaafl <tanstaafl@×××××××××××.org> writes:
> >> I'm a bit clueless when it comes to firewalls, and have no idea what
> >> these numbers mean/do:
> >>
> >> *raw
> >>
> >> :PREROUTING ACCEPT [4911:886011]
> >> :OUTPUT ACCEPT [4546:2818732]
> >>
> >> COMMIT
> >
> > The numbers are [packets:bytes] which match the rule or table
> > concerned.
>
> Ok, so... I still don't know what they *mean*... i.e., is this a hole in
> my firewall? What is the raw table used for, in plain English?

I think the man page explains this in plain enough English:

"raw:
This table is used mainly for configuring exemptions from connection tracking
in combination with the NOTRACK target. It registers at the netfilter hooks
with higher priority and is thus called before ip_conntrack, or any other IP
tables. It provides the following built-in chains: PREROUTING (for packets
arriving via any network interface) OUTPUT (for packets generated by local
processes)"

So, as long as packets come and go you should see their count increase.

> More importantly though...
>
> When I try to remove the nat and raw tables from my firewall, they don't
> go away. I have always kept my rules in a separate file, and when I want
> to make changes, I change the external file, then do iptables-restore <
> /path/to/iptables-current.
>
> (My rule set is very small, so this only takes a second or two, so it's
> not/never been a problem)
>
> I've been doing it this way for a long time, and all other changes I
> have ever made - e.g., opening a certain port for a certain host - work
> fine, but, when I comment out the raw and nat tables, then restore the
> rules, then do iptables-save > path/to/iptables-current-dump, the
> examined file still shows the raw and nat tables loaded... ???

You need to read the man pages, but in short if you have certain modules
enabled in your kernel you will end up loading certain default tables. I
don't know how you have configured your kernel or your firewall (and I am no
expert to offer detailed advice) but I am guessing that although you remove a
rule or two you are not removing the modules that load these tables.

HTH.
-- 
Regards,
Mick
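The two points in the reply above (counters on an otherwise empty table are not a hole, and a table keeps showing up in iptables-save output for as long as its kernel module is loaded) can be checked directly against an iptables-save dump. The POSIX shell script below is an added example for this page, not code from the thread or from the iptables project. It parses a constructed sample dump, embedded inline, in which the raw table holds two NOTRACK exemptions of the kind the quoted man page describes and the nat table holds nothing but its built-in chain policy lines; the rules, counters and table names in that sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect an iptables-save dump
# and report, per table, whether it carries any real rules (-A lines) or only
# the ":CHAIN POLICY [packets:bytes]" lines that appear for every table whose
# kernel module (iptable_raw, iptable_nat, ...) is currently loaded.

# Constructed sample dump in iptables-save format (values are made up).
# raw:    two NOTRACK exemptions, the intended use of the table.
# nat:    no rules at all; it is listed only because iptable_nat is loaded.
# filter: the rules that actually decide what is accepted or dropped.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [4911:886011]
:OUTPUT ACCEPT [4546:2818732]
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100:8000]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print the names of the tables present in a dump, one per line, in order.
dump_tables() {
    printf '%s\n' "$1" | sed -n 's/^\*\([a-z]*\)$/\1/p'
}

# Count the rules (-A lines) in one table of the dump.
# Usage: table_rule_count "$dump" raw
table_rule_count() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\*/     { cur = substr($0, 2); next }
        /^COMMIT/ { cur = ""; next }
        cur == want && /^-A / { n++ }
        END { print n + 0 }'
}

# Print the built-in chains of one table with their policy and
# [packets:bytes] counters. Non-zero counters on a table that has no rules
# only mean traffic passed through its built-in chains under the default
# ACCEPT policy, which hands the packet on to the next table; they are not
# a hole. Filtering decisions are made in the filter table.
table_chain_counters() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\*/     { cur = substr($0, 2); next }
        /^COMMIT/ { cur = ""; next }
        cur == want && /^:/ { sub(/^:/, ""); print }'
}

# Human-readable report over every table in the dump.
report() {
    for t in $(dump_tables "$1"); do
        n=$(table_rule_count "$1" "$t")
        if [ "$n" -eq 0 ]; then
            echo "$t: no rules (present only because its kernel module is loaded)"
        else
            echo "$t: $n rule(s)"
        fi
    done
}

report "$SAMPLE_DUMP"
```

On a live machine the equivalent checks are `cat /proc/net/ip_tables_names` (the tables currently registered with the kernel) and `lsmod | grep iptable_` (the iptable_raw and iptable_nat modules). Deleting the `*nat ... COMMIT` block from the rules file does not unregister the table: iptables-restore only replaces the contents of the tables it is given, and iptables-save dumps every table the kernel has registered, so an empty nat or raw table keeps appearing, with its built-in chains and default ACCEPT policy, until its module is unloaded (`rmmod iptable_nat`, which fails while something still references the table). Note also that simply touching a table, for example `iptables -t nat -L`, makes the kernel load its module again.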