| 1 |
Hi, |
| 2 |
|
| 3 |
On Tue, 28 Mar 2006 19:44:07 +0530 "Hiren Dave" <hiren2k4@×××××.com> |
| 4 |
wrote: |
| 5 |
|
| 6 |
> I did this: |
| 7 |
> [...] |
| 8 |
> #iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT |
| 9 |
> #iptables -A OUTPUT -j DROP |
| 10 |
> [...] |
| 11 |
> Still other users including root can ping other PCs. Why is this not |
| 12 |
> working? |
| 13 |
|
| 14 |
please post the output of "iptables -vnL". We're talking about users on |
| 15 |
that PC, not those using it as a gateway/router/bridge/whatever, |
| 16 |
correct? |
| 17 |
|
| 18 |
> Also I have some diffulties understanding Connection Tracking(NEW, |
| 19 |
> ESTABLISHED, RELATED, INVALID) concept. |
| 20 |
|
| 21 |
Those are protocol dependant. I really think that those are well |
| 22 |
described even in iptables man page. Basically, you'll want sth like |
| 23 |
this: |
| 24 |
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 25 |
and maybe the same for FORWARD. Of course, for FORWARD, you'll want to |
| 26 |
match NEW,ESTABLISHED,RELATED for outgoing connections (well, or even |
| 27 |
don't impose any restrictions for outgoing connections). |
| 28 |
|
| 29 |
> Any practical guide available on internet for iptables??? |
| 30 |
|
| 31 |
Lots. That "practical" depends on the problem faced which you didn't |
| 32 |
describe at all. So del.icio.us would be my first hint, Google follows: |
| 33 |
|
| 34 |
http://del.icio.us/tag/netfilter |
| 35 |
http://www.google.com/search?q=netfilter |
| 36 |
|
| 37 |
(note that the concept is usually referred to as "netfilter") |
| 38 |
|
| 39 |
-hwh |
| 40 |
-- |
| 41 |
gentoo-user@g.o mailing list |
Archives