| 1 |
On Monday 12 April 2010 13:31:09 Tanstaafl wrote: |
| 2 |
> On 2010-04-11 9:20 AM, Graham Murray wrote: |
| 3 |
> > Tanstaafl <tanstaafl@×××××××××××.org> writes: |
| 4 |
> >> I'm a bit clueless when it comes to firewalls, and have no idea what |
| 5 |
> >> these numbers mean/do: |
| 6 |
> >> |
| 7 |
> >> *raw |
| 8 |
> >> |
| 9 |
> >> :PREROUTING ACCEPT [4911:886011] |
| 10 |
> >> :OUTPUT ACCEPT [4546:2818732] |
| 11 |
> >> |
| 12 |
> >> COMMIT |
| 13 |
> > |
| 14 |
> > The numbers are [packets:bytes] which match the rule or table |
| 15 |
> > concerned. |
| 16 |
> |
| 17 |
> Ok, so... I still don't know what they *mean*... ie, is this a hole in |
| 18 |
> my firewall? What is the raw table used for, in plain english? |
| 19 |
|
| 20 |
I think the man page explains this in plain enough English: |
| 21 |
|
| 22 |
"raw: |
| 23 |
This table is used mainly for configuring exemptions from connection tracking |
| 24 |
in combination with the NOTRACK target. It registers at the netfilter hooks |
| 25 |
with higher priority and is thus called before ip_conntrack, or any other IP |
| 26 |
tables. It provides the following built-in chains: PREROUTING (for packets |
| 27 |
arriving via any network interface) OUTPUT (for packets generated by local |
| 28 |
processes)" |
| 29 |
|
| 30 |
So, as long as packets come and go you should see their count increase. |
| 31 |
|
| 32 |
> More importantly though... |
| 33 |
> |
| 34 |
> When I try to remove the nat and raw tables from my firewall, they don't |
| 35 |
> go away. I have always kept my rules in a separate file, and when I want |
| 36 |
> to make changes, I change the external file, then do iptables-restore < |
| 37 |
> /path/to/iptables-current. |
| 38 |
> |
| 39 |
> (My rule set is very small, so this only takes a second or two, so its |
| 40 |
> not/never been a problem) |
| 41 |
> |
| 42 |
> I've been doing it this way for a long time, and all other changes I |
| 43 |
> have ever made - eg, opening a certain port for a certain host - work |
| 44 |
> fine, but, when I comment out the raw and nat tables, then restore the |
| 45 |
> rules, then do iptables-save > path/to/iptables-current-dump, the |
| 46 |
> examined file still shows the raw and nat tables loaded... ??? |
| 47 |
|
| 48 |
You need to read the man pages, but in short if you have certain modules |
| 49 |
enabled in your kernel you will end up loading certain default tables. I |
| 50 |
don't know how you have configured your kernel or your firewall (and I am no |
| 51 |
expert to offer detailed advice) but I am guessing that although you remove a |
| 52 |
rule or two you are not removing the modules that load these tables. |
| 53 |
|
| 54 |
HTH. |
| 55 |
-- |
| 56 |
Regards, |
| 57 |
Mick |
Archives