Re: Could someone please explain this output?
On 16 Aug 2001 17:12:14 -0500, Jor-el wrote:
> Hi,
>
> Here is the output from 'ipchains -L input -v' :
>
> Chain input (policy DENY: 0 packets, 0 bytes):
> pkts bytes target prot opt tosa tosx ifname mark
> outsize source destination ports
> 380 34580 ACCEPT all ------ 0xFF 0x00 lo
> anywhere anywhere n/a
Anything on local interface - accept
> 0 0 DENY all ----l- 0xFF 0x00 !lo
> 127.0.0.0/8 anywhere n/a
Anything coming pretending to be from localhost not on lo is spoofed
from a network interface. Log it (the l flag).
> 10502 1034K ACCEPT all ------ 0xFF 0x00 eth1
> localnet/24 anywhere n/a
Anything that is from the localnet going anywhere on the internal card
is ok.
> 0 0 DENY all ----l- 0xFF 0x00 eth0
> localnet/24 anywhere n/a
Anything pretending to come from the internal net but comes in from the
external interface is spoofed. Log it.
> 15049 9223K ACCEPT all ------ 0xFF 0x00 eth0
> anywhere cs9349-21.austin.rr.com n/a
Anything from the world going to the external ip of this computer from
the external interface is ok.
> 0 0 ACCEPT all ------ 0xFF 0x00 eth0
> anywhere 255.255.255.255 n/a
Anyone broadcasting over the external net is ok. Not sure what this is
doing here. I wouldn't do this personally.
> 0 0 DENY all ----l- 0xFF 0x00 any
> anywhere anywhere n/a
Anything we didn't match above we should drop and log it.
>
> This confirms Vineet's diagnosis. I can't help notice that the 'l'
> flag is set in the 'opt' field every time the target is DENY. Is this a
> coincidence? Where is the meaning of this output documented? I couldn't
> find it anywhere.
>
> Also, I am not sure of the purpose of these rules - especially the
> ones with DENY. Why are they blocking what they are blocking?
>
> Thanks,
> Jor-el
>
> On Thu, 16 Aug 2001, Vineet Kumar wrote:
>
> >
> > >
> > > How do I interpret this output? For example, the lines handling
> > > the source = localnet/24 - will they let a packet from outside pass in or
> > > be rejected? Why are there two lines? This configuration is the result of
> > > me doing a 'apt-get install ipmasq' - so there really hasn't been any
> > > customization by me.
> > >
> >
> > You'll get more meaningful output with
> >
> > ipchains -L -v
> >
> > What I suspect is going on is that the rules say something like
> > localhost/8 -i ! lo -j DENY and localnet/24 -i eth0 -j ACCEPT and
> > localnet/24 -i ! eth0 -j DENY. The -v flag will show you the interfaces
> > specified in the rules as well, so you can understand what's going on.
> >
> > Cheers,
See above for hopefully !useless commentary.
--mike
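
Added example, not part of the original message or of ipchains/ipmasq: a small Python parser that rejoins the wrapped 'ipchains -L input -v' lines and reads each rule the way the comments above do. It assumes the 11-field layout seen in this listing (mark and outsize columns empty) and decodes only the 'l' flag discussed in the thread; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the layout of the listing above (rules wrapped onto
# two lines, mark/outsize columns empty, quoted with "> " as in the mail).
SAMPLE = """\
> Chain input (policy DENY: 0 packets, 0 bytes):
> pkts bytes target prot opt tosa tosx ifname mark
> outsize source destination ports
> 0 0 DENY all ----l- 0xFF 0x00 !lo
> 127.0.0.0/8 anywhere n/a
> 10502 1034K ACCEPT all ------ 0xFF 0x00 eth1
> localnet/24 anywhere n/a
> 0 0 DENY all ----l- 0xFF 0x00 eth0
> localnet/24 anywhere n/a
"""

FIELDS = ("pkts", "bytes", "target", "prot", "opt", "tosa", "tosx",
          "ifname", "source", "destination", "ports")
COUNTER = re.compile(r"\d+[KMG]?")

def parse_rules(listing):
    """Rejoin wrapped rule lines and split each rule into named fields."""
    rules, tokens = [], None
    for raw in listing.splitlines():
        parts = raw.lstrip("> ").split()
        if len(parts) >= 2 and COUNTER.fullmatch(parts[0]) and COUNTER.fullmatch(parts[1]):
            tokens = parts                      # two counters start a new rule
        elif tokens is not None and len(tokens) < len(FIELDS):
            tokens += parts                     # continuation of a wrapped rule
        else:
            continue                            # header or blank line
        if len(tokens) == len(FIELDS):
            rule = dict(zip(FIELDS, tokens))
            rule["logged"] = "l" in rule["opt"]         # the l flag: log matches
            rule["negated_if"] = rule["ifname"].startswith("!")
            rule["ifname"] = rule["ifname"].lstrip("!")
            rules.append(rule)
            tokens = None
    return rules

def describe(rule):
    """One-line reading of a rule, in the style of the comments above."""
    where = ("any interface except " if rule["negated_if"] else "interface ") + rule["ifname"]
    action = rule["target"] + (" and log" if rule["logged"] else "")
    return f'{action}: {rule["source"]} -> {rule["destination"]} on {where}'

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(describe(r))
```

The eth1/eth0 pair for localnet/24 comes out as one ACCEPT on the internal interface and one logged DENY on the external one, which is the anti-spoofing reading given above.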