[Techtalk] iptables query - fairly urgent!
David Sumbler
david at aeolia.co.uk
Tue Sep 28 01:50:47 EST 2004
On Tue, 28 Sep 2004, Hugo Chasqueira wrote:
> The command 'iptables -L' isn't showing you everything.
>
> You should use the '-v' parameter (verbose), so that iptables shows you the
> interface to which the rules apply.
>
> Try:
>
> iptables -L -v
Phew!
Thanks for that.
iptables -L -v gives me:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot       opt in  out source            destination
51478 4094K RH-Firewall-1-INPUT all        --  any any anywhere          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot       opt in  out source            destination
    0     0 RH-Firewall-1-INPUT all        --  any any anywhere          anywhere

Chain OUTPUT (policy ACCEPT 51654 packets, 3128K bytes)
 pkts bytes target              prot       opt in  out source            destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target              prot       opt in  out source            destination
    0     0 ACCEPT              udp        --  any any clock3.redhat.com anywhere          udp spt:ntp dpt:ntp
   55  4180 ACCEPT              udp        --  any any clock1.redhat.com anywhere          udp spt:ntp dpt:ntp
    0     0 ACCEPT              udp        --  any any clock2.redhat.com anywhere          udp spt:ntp dpt:ntp
    0     0 ACCEPT              udp        --  any any clock1.redhat.com anywhere          udp spt:ntp dpt:ntp
49239 2853K ACCEPT              all        --  lo  any anywhere          anywhere
    0     0 ACCEPT              icmp       --  any any anywhere          anywhere          icmp any
    0     0 ACCEPT              ipv6-crypt --  any any anywhere          anywhere
    0     0 ACCEPT              ipv6-auth  --  any any anywhere          anywhere
 2184 1236K ACCEPT              all        --  any any anywhere          anywhere          state RELATED,ESTABLISHED
    0     0 ACCEPT              tcp        --  any any anywhere          anywhere          state NEW tcp dpt:5901
    0     0 ACCEPT              tcp        --  any any anywhere          anywhere          state NEW tcp dpt:5801
    0     0 ACCEPT              tcp        --  any any anywhere          anywhere          state NEW tcp dpt:ssh
    0     0 REJECT              all        --  any any anywhere          anywhere          reject-with icmp-host-prohibited
which looks OK to me up to about RH-Firewall-1-INPUT line 8. But can
you tell me what "RELATED", "ESTABLISHED" and "NEW" signify?
(Further down, ports 5901 and 5801 are for VNC, which I do use
sometimes.)
Anyway, it seems that 'iptables -L', on its own, is a bit useless!
By the way, am I interpreting this correctly in thinking that an
external 'ping' will produce a useful response?
David
--
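The questions in the message (what NEW, RELATED and ESTABLISHED mean, whether an external ping gets through, and why plain `iptables -L` is misleading) can all be answered by reading the listing the way netfilter does: packets walk INPUT top to bottom, jump into RH-Firewall-1-INPUT, and the first terminal target (ACCEPT, REJECT, DROP) wins; if the user chain runs off its end, processing returns to INPUT, whose policy applies. The `state` column is the connection-tracking state: NEW is the first packet of a flow conntrack has not seen, ESTABLISHED is any later packet of a flow that has seen traffic in both directions, and RELATED is a new flow that conntrack ties to an existing one (an ICMP error about a connection, an FTP data connection). So the RELATED,ESTABLISHED rule admits replies to connections this host opened, and the three `state NEW` rules are the only inbound services accepted from the outside. The following Python script is an added example, not code from the original post or from Red Hat's firewall tooling: it embeds the listing above as constructed input (whitespace normalised, and `ipv6-crypt`/`ipv6-auth` separated from the `--` column so every rule line splits into the same nine leading fields), parses it, and traces a handful of probe packets through the chains. The matcher is a deliberate simplification that honours only protocol, input interface, source, spt/dpt and conntrack state; the probe hostnames, ports and the `eth0` interface name are assumptions for illustration.

```python
"""Trace the 'iptables -L -v' listing quoted above (added example, not
code from the original post).  The matcher is a simplification of
netfilter: it knows protocol, input interface, source, spt/dpt and the
conntrack 'state' match, and nothing else."""
import re

# The listing from the message, embedded as constructed input.
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
51478 4094K RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 51654 packets, 3128K bytes)
 pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- any any clock3.redhat.com anywhere udp spt:ntp dpt:ntp
   55  4180 ACCEPT udp -- any any clock1.redhat.com anywhere udp spt:ntp dpt:ntp
    0     0 ACCEPT udp -- any any clock2.redhat.com anywhere udp spt:ntp dpt:ntp
    0     0 ACCEPT udp -- any any clock1.redhat.com anywhere udp spt:ntp dpt:ntp
49239 2853K ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp any
    0     0 ACCEPT ipv6-crypt -- any any anywhere anywhere
    0     0 ACCEPT ipv6-auth -- any any anywhere anywhere
 2184 1236K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:5901
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:5801
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
"""

SERVICES = {"ssh": 22, "ntp": 123}   # service names iptables printed in the listing


def _port(tok):
    return SERVICES.get(tok, int(tok) if tok.isdigit() else tok)


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}}."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:   # built-in chains carry a policy; user chains only a reference count
            chain = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if chain is None or len(parts) < 9 or not parts[0].isdigit():
            continue                       # column header or blank line
        _pkts, _bytes, target, prot, _opt, iface_in, iface_out, src, dst = parts[:9]
        rule = {"target": target, "prot": prot, "in": iface_in, "out": iface_out,
                "src": src, "dst": dst, "states": None, "dpt": None, "spt": None}
        extra = parts[9:]
        for i, tok in enumerate(extra):
            if tok == "state":             # conntrack states, e.g. RELATED,ESTABLISHED
                rule["states"] = set(extra[i + 1].split(","))
            elif tok.startswith("dpt:"):
                rule["dpt"] = _port(tok[4:])
            elif tok.startswith("spt:"):
                rule["spt"] = _port(tok[4:])
        chain["rules"].append(rule)
    return chains


def _matches(rule, pkt):
    # A rule matches only if every match it carries holds for the packet.
    return ((rule["prot"] == "all" or rule["prot"] == pkt["prot"])
            and (rule["in"] == "any" or rule["in"] == pkt["in"])
            and (rule["src"] == "anywhere" or rule["src"] == pkt["src"])
            and (rule["dpt"] is None or rule["dpt"] == pkt["dpt"])
            and (rule["spt"] is None or rule["spt"] == pkt["spt"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def verdict(chains, pkt, chain="INPUT"):
    """First terminal target wins; a user chain that runs off its end
    returns to the caller (None), and a built-in chain falls to its policy."""
    for rule in chains[chain]["rules"]:
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:               # jump into a user-defined chain
            result = verdict(chains, pkt, target)
            if result is not None:
                return result
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return chains[chain]["policy"]


def probe(chains, prot, state, dpt=None, spt=None, iface="eth0", src="203.0.113.7"):
    """Verdict for one inbound packet; iface/src default to an external host (assumed values)."""
    return verdict(chains, {"prot": prot, "state": state, "dpt": dpt,
                            "spt": spt, "in": iface, "src": src})


def rules_needing_v(chains):
    """Rules whose meaning plain 'iptables -L' hides: it omits the in/out
    columns, so an interface-restricted ACCEPT looks unconditional."""
    return [(name, r["in"], r["out"]) for name, c in chains.items()
            for r in c["rules"] if r["in"] != "any" or r["out"] != "any"]


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for desc, kw in [("ICMP echo (ping) from outside", dict(prot="icmp", state="NEW")),
                     ("new SSH connection from outside", dict(prot="tcp", state="NEW", dpt=22)),
                     ("new connection to port 80", dict(prot="tcp", state="NEW", dpt=80)),
                     ("reply to a connection we opened", dict(prot="tcp", state="ESTABLISHED", dpt=40000)),
                     ("NTP from clock1.redhat.com", dict(prot="udp", state="NEW", dpt=123, spt=123,
                                                         src="clock1.redhat.com"))]:
        print(f"{desc:34s} -> {probe(chains, **kw)}")
    print("interface-restricted rules invisible to plain -L:", rules_needing_v(chains))
```

The trace shows the ICMP rule sitting above the final REJECT, so an echo request from outside is accepted (it matches the `icmp` rule before any state check), while a NEW TCP packet to a port other than 22, 5801 or 5901 falls through to the REJECT and the sender gets an ICMP host-prohibited error rather than silence. The `lo` rule is the one that plain `iptables -L` misrepresents: without `-v` it prints as `ACCEPT all -- anywhere anywhere`, which reads as "accept everything" when it only applies to loopback traffic.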