
Re: some reality about iptables, please



Bret Comstock Waldow wrote:

On Wed, 2003-08-27 at 23:13, Jacob Anawalt wrote:

#192.168.1.1 doesn't get any traffic from us
iptables -A OUTPUT -d 192.168.1.1 -j DROP

That's the 'plumbing' level access to iptables which works for all Linux kernels supporting iptables, regardless of distribution. In other words, your rules failing on Debian should fail on RH or Mandrake.

I think I've gotten a lot of the concept now, but this isn't what I
meant.  Initially I was coming from an understanding of "fstab is a
static file of rules the system reads to set up mounts, .gtkrc is a
static file of rules the system reads to set up GUI"...

Later, there is the issue of when is the system in a configuration where
it needs firewall rules?  The Debian manual says runlevels 2-5 are user
runlevels - these are enshrined in the update-rc.d defaults.  K(ill)
links are created by default in runlevels 0, 1, 6.  Ok.

But my network is up in runlevel 1.  (From "telinit 1".  I haven't tried
it from the boot prompt.)

And then there's the question of coordination with who-knows-what other
systems that are or aren't starting, stopping, etc.

I meant a picture of where the rules are kept, how they're initialized,
and what the implications are.  I can find many sites with info about
how to write rules that do X.  I couldn't find a site that told me what
file to put them in.

Now I know there isn't one, and some other things about it all...

I feel I didn't make this clear enough then and I'm glad I understand you better now. If you use init.d/iptables, the rules are kept in memory while the system's running (of course) and in the /var/lib/iptables/active file which is written by iptables-save when you run '/etc/init.d/iptables save active'.

When the system reboots or changes runlevels, if you had run 'update-rc.d iptables defaults' and the /var/lib/iptables/active file exists, then those rules will be applied at runlevels 2-5.

I've never tried to access networking from runlevel 1. I know from RH networking didn't start till runlevel 2, networking services (apache) didn't start until runlevel 3, and X on runlevel 5. On Debian, I don't know, but I'll be interested if networking really is up at runlevel 1. I had always thought this was single-user, no networking but that may just be a RH idea. If networking is up at runlevel 1, just run update-rc.d for iptables runlevel 1-5.

A better post might be:
What am I doing wrong with iptables rules

Here are my rules. They block all access to the internet, but I can't see why.
#iptables -L
<output from command>
#iptables -t <other table(s)> -L
<output from command(s)>

I've appended my current rules.  Email fetches from my pop3 account ok,
but the browser doesn't connect.


Wow, those were some rules. It will take a bit for me to get my head around them. Are you looking at a book on ipchains at the same time by chance? You have so many similar rules in the input, forward and output chains, that it reminds me of my old ipchains rules.

I need to know some stuff though.

Email from Linux account or VMWare client works? Try both and let us know.

Browser from Linux account or in VMWare Win98 works? Try both and let us know.

Also:
Does ping to www.debian.org work from either/both?
Does ftp to ftp.us.debian.org work from either/both?
Does imap3 to some imap account (if you have one) work from either/both?
Does https to some secure server work from either/both?

Jacob
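Jacob's reply explains that the rules which survive a reboot are whatever iptables-save wrote to /var/lib/iptables/active, and asks Bret to post his chains so the blocking rule can be found. The script below is an added example, not code from the thread or from the Debian iptables package: it parses a dump in the iptables-save format (the same format that file holds) so a saved ruleset can be audited offline, listing each table's chains with their default policy and locating the rules that jump to a given target. The sample dump is constructed for the example and is not Bret's ruleset; it only contains the `OUTPUT ... -j DROP` rule quoted at the top of the message, which iptables-save writes with an explicit `/32` mask.

```python
"""Offline audit of an iptables-save dump, e.g. /var/lib/iptables/active."""
import re

# Constructed sample in iptables-save format (NOT the ruleset from the thread).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:24000]
:loopback - [0:0]
-A INPUT -i lo -j loopback
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -j DROP
-A loopback -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str or None, "rules": [str, ...]}}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("*"):
            table = line[1:]              # "*filter" opens a table section
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None                  # section closed
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None or table is None:
                raise ValueError("malformed chain line: %r" % raw)
            policy = None if m.group(2) == "-" else m.group(2)
            tables[table][m.group(1)] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            if table is None:
                raise ValueError("rule outside a table section: %r" % raw)
            chain = line.split()[1]
            entry = tables[table].setdefault(chain, {"policy": None, "rules": []})
            entry["rules"].append(line)
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return tables


def find_rules(tables, target=None, table="filter", chain=None):
    """(chain, rule) pairs in `table` whose -j target is `target` (None = all)."""
    hits = []
    for cname, cdata in tables.get(table, {}).items():
        if chain is not None and cname != chain:
            continue
        for rule in cdata["rules"]:
            toks = rule.split()
            jump = toks[toks.index("-j") + 1] if "-j" in toks else None
            if target is None or jump == target:
                hits.append((cname, rule))
    return hits


def dropping_chains(tables, table="filter"):
    """Built-in chains whose default policy is DROP: anything no rule ACCEPTs dies here."""
    return [c for c, d in tables[table].items() if d["policy"] == "DROP"]


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for tname, chains in parsed.items():
        print("table", tname)
        for cname, cdata in chains.items():
            print("  chain %-12s policy=%-6s rules=%d"
                  % (cname, cdata["policy"], len(cdata["rules"])))
    print("default-DROP chains:", dropping_chains(parsed))
    for cname, rule in find_rules(parsed, "DROP"):
        print("explicit DROP in", cname + ":", rule)
```

Run it against a real dump with `iptables-save | python3 audit.py`-style plumbing (read `sys.stdin` instead of `SAMPLE_DUMP`); a chain with a DROP policy and no ACCEPT rule for the traffic you expect is the usual reason a box "blocks all access to the internet" while individual rules look harmless.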


