
Re: Confirming an iptables rule



Hi Guys,

On Mon, Aug 19, 2002 at 08:23:08AM +0200, Frederik Schueler wrote:
> I'm surprised -i accepted an IP address. 

You were both right about that, '-i' doesn't accept an IP address. 

I have tried both these methods and I'm still able to connect to a
remote host on port 27374 (using netcat).  I'm currently using this

iptables -A FORWARD -p TCP -i ${INSIDE_INTERFACE} --dport 27374 -j DROP
iptables -A FORWARD -p UDP -i ${INSIDE_INTERFACE} --dport 27374 -j DROP

Unfortunately it is still allowing these packets through.  I'm concerned
that these rules

iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP

... are overriding the dropping rules; can anyone confirm or deny this?

Regards,

Lucas
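Added example, not from the post and not real iptables: a small Python model of first-match chain evaluation that reproduces the FORWARD rules quoted above (interface names eth1/eth0 are assumed). It shows that when the `--dport 27374` DROP rules are appended with `-A` after the `--state NEW -i inside -j ACCEPT` rule, a new connection to 27374 from the inside matches ACCEPT first and never reaches the DROP rules, while placing the DROP rules earlier in the chain (`-I FORWARD ...`, or appending them before the state rules) changes the outcome.

```python
# Added example (not real iptables): a minimal first-match model of the FORWARD
# chain from the post, showing why the order the rules were added in decides.
# Assumes INSIDE_DEVICE/INSIDE_INTERFACE are the same interface ("eth1") and
# OUTSIDE_DEVICE is "eth0"; both names are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # incoming interface
    proto: str   # "TCP" or "UDP"
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass(frozen=True)
class Rule:
    target: str               # ACCEPT or DROP
    iface: str = None         # -i
    proto: str = None         # -p
    dport: int = None         # --dport
    states: frozenset = None  # -m state --state
    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))

def evaluate(chain, p: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy  # chain policy applies only when nothing matched

INSIDE, OUTSIDE = "eth1", "eth0"
STATE_RULES = [  # the three state rules quoted in the post
    Rule("ACCEPT", iface=INSIDE, states=frozenset({"NEW"})),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("DROP", iface=OUTSIDE, states=frozenset({"NEW", "INVALID"})),
]
PORT_RULES = [  # the two --dport 27374 DROP rules from the post
    Rule("DROP", iface=INSIDE, proto="TCP", dport=27374),
    Rule("DROP", iface=INSIDE, proto="UDP", dport=27374),
]
def port_rules_appended_last(p: Packet) -> str:  # -A after the state rules
    return evaluate(STATE_RULES + PORT_RULES, p)
def port_rules_first(p: Packet) -> str:          # -I, or appended before them
    return evaluate(PORT_RULES + STATE_RULES, p)

if __name__ == "__main__":
    syn = Packet(INSIDE, "TCP", 27374, "NEW")  # first packet of the netcat test
    print(port_rules_appended_last(syn), port_rules_first(syn))  # ACCEPT DROP
```

On the real box, `iptables -L FORWARD -n -v --line-numbers` lists the chain in evaluation order with per-rule packet counters, so repeating the netcat test and watching which counter increments confirms which rule is actually matching.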
