[Techtalk] More fiddling-generated problems

Nils Philippsen nils at wombat.dialup.fht-esslingen.de
Tue Jul 9 10:25:03 EST 2002 

On Tue, 2002-07-09 at 03:50, Patricia Fraser wrote:
> 
> Hi, and thanks to Nils and Raven! (I'm secretly hugging myself for even 
> almost working out what was going on...)
> 
> Nils, I added the rule you suggested, and it was already there; it just 
> causes 
> 
>  ACCEPT     all  --  anywhere             anywhere  
> 
> to appear twice.
> 
> I'm assuming the first DROP rule is my problem - is it a fall-through set of 
> rules?
> 
> And (after much searching) I don't know where the rules live; I get this by 
> doing iptables -L and sending the output to a file. If I make changes (once I 
> have an idea of what changes to make), how do I make them permanent? I've 
> read through the manpage for iptables and it's not apparent that there's a 
> set of rules anywhere that gets read?

As I said I can't help you much with Mandrake and/or Bastille, but I can
tell you how it works here (Red Hat Linux): The service iptables reads
the rules from /etc/sysconfig/iptables. You can save the current rules
to this file with 'service iptables save'.

> Here's the original set of rules (apologies for length):

Unfortunately, 'iptables -L' without '-v' as well doesn't mention
input/output devices. Could you please re-run it with '-v'?

> Chain INPUT (policy DROP)
> target     prot opt source               destination
> DROP       tcp  --  anywhere             127.0.0.0/8
> ACCEPT     all  --  anywhere             anywhere           state 
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere

I assume that this is the "accept anything over loopback rule" I
suggested. But I wonder why it isn't the first one ("iptables -I INPUT 1
...")?

> DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> PUB_IN     all  --  anywhere             anywhere
> PUB_IN     all  --  anywhere             anywhere
> PUB_IN     all  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere

[snip for brevity]

Nils
-- 
 Nils Philippsen / Berliner Straße 39 / D-71229 Leonberg //
+49.7152.209647
nils at wombat.dialup.fht-esslingen.de / nils at redhat.de /
nils at fht-esslingen.de
        Ever noticed that common sense isn't really all that common?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://linuxchix.org/pipermail/techtalk/attachments/20020709/2b2c0103/attachment.pgp

More information about the Techtalk mailing list