On Wednesday 10 July 2002 20:41, Mark Tessier wrote:

> Is there anyone out there who has deployed the choke firewall script found
> in chapter 6 of R. Ziegler's book "Linux Firewalls".

Which edition is that? Mine doesn't even deal with iptables.

> CLASS_A="10.0.0.0/8"      # class A private networks
> CLASS_B="172.16.0.0/12"   # class B private networks
> CLASS_C="192.168.0.0/16"  # class C private networks
>
> This is all typical of what you'd find in most scripts, but the fact is in
> this script, that's the last time CLASS_A, CLASS_B, etc. are mentioned. In
> other words, there's no rule specific to denying packets coming from a
> CLASS_A private network. Why would one initialize a CLASS_A variable if
> it's never going to be used, I wonder? Is there some other rule used in
> this script that makes using a rule specifically denying access to packets
> coming from a CLASS_A private network obsolete?
>
> Finally, I use the following rule:
>
> iptables -L FORWARD -v -x

That is only one specific chain. If all counters remain at 0, then your
packet is not traveling through the FORWARD chain. So you may also want to
look at:

iptables -L -v -x
iptables -L -v -x -t nat
iptables -L -v -x -t mangle

to inspect all other chains where your packets may get dropped. One or more
of the counters there must be changing, that's right!

Also, tcpdump -n may give some information about what is happening to your
packets.

Jan Humme.
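To act on the advice above (watch the counters in every table, not just FORWARD), here is an added example that is not part of this thread: a POSIX sh script that flattens two snapshots of `iptables -L -v -x` output and reports which rules' packet/byte counters moved between them. The snapshots embedded below are constructed sample output (a DROP rule for 10.0.0.0/8 in INPUT absorbing the test traffic); on a real box you would save `iptables -L -v -x -t <table>` to a file before and after sending a test packet and pass those two files to counter_diff.

```shell
#!/bin/sh
# Added example (not from the thread): diff two snapshots of `iptables -L -v -x`
# output and report which rules' counters moved, i.e. where packets are handled.
# Flatten one snapshot to "chain|rule|pkts|bytes|rule text" lines. Rule 0 of a
# built-in chain is its policy counter, taken from the "Chain ..." line.
normalize_counters() {
    awk '
        /^Chain / { chain = $2; idx = 0
                    if ($3 == "(policy") printf "%s|0|%s|%s|policy %s\n", chain, $5, $7, $4
                    next }
        /^ *pkts +bytes +target/ { next }   # column header
        NF == 0 { next }                    # blank line between chains
        { idx++; rest = $3; for (i = 4; i <= NF; i++) rest = rest " " $i
          printf "%s|%d|%s|%s|%s\n", chain, idx, $1, $2, rest }'
}
# counter_diff BEFORE_FILE AFTER_FILE: print rules whose pkts/bytes changed.
counter_diff() {
    norm=$(mktemp) || return 1
    normalize_counters < "$1" > "$norm"
    normalize_counters < "$2" | awk -F'|' '
        NR == FNR { before[$1 "|" $2] = $3 "|" $4; next }   # first input: BEFORE
        { key = $1 "|" $2; if (!(key in before)) next
          split(before[key], old, "|")
          if (old[1] != $3 || old[2] != $4)
              printf "%s rule %s: pkts %s -> %s, bytes %s -> %s  (%s)\n",
                     $1, $2, old[1], $3, old[2], $4, $5 }' "$norm" -
    rm -f "$norm"
}
# Constructed sample snapshots of the filter table before/after sending test
# traffic from 10.0.0.5: the DROP rule in INPUT absorbs it, FORWARD never moves.
sample_before() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     all  --  lo     any     anywhere             anywhere
       3      180 DROP       all  --  eth0   any     10.0.0.0/8           anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  eth1   eth0    192.168.1.0/24       anywhere
EOF
}
sample_after() { sample_before | sed 's/^ *3  *180 DROP/       7      420 DROP/'; }
demo() {
    b=$(mktemp) && a=$(mktemp) || return 1
    sample_before > "$b"; sample_after > "$a"
    counter_diff "$b" "$a"; rm -f "$b" "$a"
}
demo
```

Running demo prints only the INPUT DROP rule (pkts 3 -> 7, bytes 180 -> 420), which is exactly the situation described above: FORWARD stays at 0 because the packets never reach it.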
