[Techtalk] More fiddling-generated problems

Patricia Fraser trish at thefrasers.org
Tue Jul 9 21:21:46 EST 2002 

Thanks for more help, Nils!

> As I said I can't help you much with Mandrake and/or Bastille, but I can
> tell you how it works here (Red Hat Linux): The service iptables reads
> the rules from /etc/sysconfig/iptables. You can save the current rules
> to this file with 'service iptables save'.

I don't have an /etc/sysconfig/iptables; there's a script iptables in 
etc/init.d called iptables that seems to call it, but it ain't there; so 
bastille must do something else. (I'll go back to squirrelling through the 
bastille scripts - they're all over the place...)

> Unfortunately, 'iptables -L' without '-v' as well doesn't mention
> input/output devices. Could you please re-run it with '-v'?

Here's what I get (after a bastille-firewall start) with -L -v (first part 
only):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              destination
    0     0 DROP       tcp  --  !lo    any     anywhere            127.0.0.0/8
    2   388 ACCEPT     all  --  any    any     anywhere             anywhere  
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  
anywhere
    0     0 PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

When I put your rule in again, I got (using -L -v)

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       tcp  --  !lo    any     anywhere             
127.0.0.0/8
   43  5403 ACCEPT     all  --  any    any     anywhere             anywhere  
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  
anywhere
    0     0 PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

now... let's see if it works (ie either is the rule active or is it doing any 
good)? nope; problem remains... but if I restart bastille, the rule will fall 
out, ne? grrr...

Do I maybe need to get rid of rule 2 (I can do that with iptables -D, can't 
I?) and see what then? 

8-)
-----
Trish Fraser, Sunbury, Australia
trish at thefrasers.org
www.computerbank.org.au
-----

More information about the Techtalk mailing list