Hi,

On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@×××××.com>
wrote:

> I did this:
> [...]
> #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> #iptables -A OUTPUT -j DROP
> [...]
> Still other users including root can ping other PCs. Why is this not
> working?

please post the output of "iptables -vnL". We're talking about users on
that PC, not those using it as a gateway/router/bridge/whatever,
correct?

> Also I have some difficulties understanding Connection Tracking (NEW,
> ESTABLISHED, RELATED, INVALID) concept.

Those are protocol dependent. I really think that those are well
described even in the iptables man page. Basically, you'll want
something like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and maybe the same for FORWARD. Of course, for FORWARD, you'll want to
match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even
don't impose any restrictions for outgoing connections).

> Any practical guide available on the internet for iptables???

Lots. That "practical" depends on the problem faced which you didn't
describe at all. So del.icio.us would be my first hint, Google follows:

http://del.icio.us/tag/netfilter
http://www.google.com/search?q=netfilter

(note that the concept is usually referred to as "netfilter")

-hwh
--
gentoo-user@g.o mailing list
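The ruleset the reply sketches, put together as one iptables-restore file: an owner match that lets only uid 0 open outbound connections, a conntrack state match that admits replies on INPUT (and, if the box also routes, on FORWARD), and a DROP policy behind both. This is an added example written for this page, not code posted by either participant; the function names, ADMIN_UID and the 192.168.1.0/24 sample network are this script's own assumptions, and it prints the ruleset unless run as root with --apply.

```shell
#!/bin/bash
# Added example, not from the original thread: host-local egress policy
# (root may open connections, nobody else may) plus connection-tracking
# rules for the return traffic, emitted in iptables-restore format.
# build_ruleset, count_owner_rules, apply_ruleset, ADMIN_UID and LAN are
# assumptions of this script, not names from the page.
set -eu

ADMIN_UID=0          # the "--uid-owner 0" from the question
LAN=192.168.1.0/24   # constructed sample network for the FORWARD rules

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets belonging to (or related to) a tracked connection, e.g. the echo
# replies to a ping or an FTP data channel.  No owner match here: an
# incoming packet has no local socket owner yet.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Outbound: state match first, so return traffic of an already accepted
# connection passes without a re-check; the owner match then decides who
# may open something NEW; the chain policy DROP catches everything else.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -m owner --uid-owner ${ADMIN_UID} -j ACCEPT
# Forwarded traffic, only relevant if this box routes for others: the
# reply's NEW,ESTABLISHED,RELATED from the LAN side, replies only back in.
-A FORWARD -s ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${LAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rules carrying the owner match; a quick cross-check against
# the "iptables -vnL" output the reply asks for (expected: 1).
count_owner_rules() {
  build_ruleset | grep -c -- '--uid-owner'
}

# iptables-restore replaces the whole filter table atomically, so no older
# ACCEPT rule can sit ahead of the new ones (a common reason an appended
# "-A OUTPUT -j DROP" appears to do nothing).
apply_ruleset() {
  build_ruleset | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
  apply_ruleset
else
  build_ruleset
fi
```

One caveat when testing this with ping: the classic ping binary is setuid root because it needs a raw socket, so the socket it creates is owned by uid 0 and the owner match will classify any user's ping as root's. Check the policy with a non-setuid tool (for example a plain TCP connect with nc or telnet) run as an ordinary user, and compare the per-rule packet counters from "iptables -vnL" before and after.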