Hi Edward,

That looks OK to me because the "interface" is not the same as the source and destination. This might be a bit wrong in the detail, but I think of it as follows. Interface is the physical or logical, er... interface, on your machine through which the message arrived or is being sent/routed etc. Source and destination are IP addresses taken from the header.

As an example of the distinction: I allow ssh from the outside world into my machine. However, I know I only have a certain set of places that I might connect from. So I allow new connections input to interface ppp0, on destination port 22, but only from specific known source addresses. On the other hand, a public web or mail server would basically have to receive from all addresses.

If you are allowing masquerading of web browsing, for example, then you will need to allow all source addresses back in, unless you want to be severely limited as to where your machines can browse. But those restrictions would be better done before allowing the masqueraded packets out, thus anything you've allowed out is already permitted. As an example of this, you might allow forward packets on interface eth0 but only from source address 192.168.x.2, which is your machine, but not from 192.168.x.3.

Cameron

> -----Original Message-----
> From: Edward Dekkers [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 20 November 2002 11:49
> To: [EMAIL PROTECTED]
> Subject: iptables -nL question
>
> I've always had the following rules (default flushing, policy and stuff omitted):
>
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> Basically, I got this from a bit of reading, some examples found on the internet, and understood it as let everything out, but only related and established connections back in. This has always worked but I never checked the list output. I did today:
>
> iptables --list and got (again other stuff omitted)
>
> Chain FORWARD (Policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> uhm, is that OK? It doesn't look it to me. Shouldn't the source and destination be filled in as ppp0 and eth0? Or doesn't --list list that properly? I'm worried that the anywhere anywhere means that the related and established rule never gets triggered.
>
> P.S. I also tried iptables -nL and got (irrelevant stuff omitted)
>
> Chain FORWARD (Policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Regards,
>
> ---
> Edward Dekkers (Director)
> Triple D Computer Services P/L
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list
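A check worth running on the listing Edward quoted (added example, not code from either poster): plain `iptables -L` leaves out the in/out interface columns, while `iptables -nvL` prints them. The script below parses a constructed sample of that verbose output and flags any FORWARD ACCEPT rule that is bound to no interface, no address and no connection state; the sample ruleset, including its deliberately loose third rule, is an assumption made for the example and not Edward's actual configuration.

```python
import re

# Constructed sample of `iptables -nvL FORWARD` output. The -v flag adds the
# pkts/bytes and in/out columns that plain `iptables -L` omits. The third rule
# is a deliberately over-broad one, added so the audit has something to flag.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120   14K ACCEPT     all  --  ppp0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   88  6200 ACCEPT     all  --  eth0   ppp0    192.168.1.2          0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

COUNTER = re.compile(r"^\d+[KMGT]?$")  # pkts/bytes columns may carry a unit suffix

def parse_rules(listing):
    """Return one dict per rule line; chain headers and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or not COUNTER.match(parts[0]):
            continue
        rules.append({
            "target": parts[2], "proto": parts[3],
            "in": parts[5], "out": parts[6],
            "src": parts[7], "dst": parts[8],
            "extra": " ".join(parts[9:]),  # match options, e.g. "state RELATED,ESTABLISHED"
        })
    return rules

def is_wide_open(rule):
    """An ACCEPT bound to no interface, no address and no connection state."""
    return (rule["target"] == "ACCEPT"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and "state" not in rule["extra"])  # also covers "ctstate"

def audit(listing):
    """Return the 1-based positions within the chain of the wide-open rules."""
    return [i for i, r in enumerate(parse_rules(listing), 1) if is_wide_open(r)]

if __name__ == "__main__":
    for n, rule in enumerate(parse_rules(SAMPLE), 1):
        flag = "WIDE OPEN" if is_wide_open(rule) else "ok"
        print(f"{n}: in={rule['in']} out={rule['out']} "
              f"{rule['src']} -> {rule['dst']} {rule['extra']} [{flag}]")
```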