Peter,

Firstly, don't try by trial and error. Someone has already gone through the same trouble as yourself. I would suggest that you go to freshmeat.net and do a search for iptables; there is a tutorial there, I think it's boingworld.com or something like that. He is pretty good with his examples.

Also, for an implied DENY or DROP, what you can do is:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

The above rule set is just creating a standard policy to drop packets on the input, output, and forward chains. I have forgotten the case for the chains.

Kevin

> Sluggers,
>
> I'm learning iptables by trial and terror and fail to understand iptables
> behaviour when matching rules. I thought that once a rule was matched
> the chain was exited but it appears that iptables continues down the
> chain attempting to match all rules. Is this true and if so what the hell
> for? This would appear to me to make iptables about next to useless.
>
> For example, I flush all the input rules with
>
> # iptables -F INPUT
>
> I then add a couple of simple rules with
>
> # iptables -A INPUT -p TCP --dport 80 -j LOG --log-prefix "HTTP: "
> # iptables -A INPUT -p TCP -j LOG --log-prefix "OTHER: "
>
> But when I list /var/log/messages I get both the HTTP and OTHER
> labels!!!????
>
> Mar 21 21:25:26 ganymede kernel: HTTP: IN=lo OUT= [snip]
> Mar 21 21:25:26 ganymede kernel: OTHER: IN=lo OUT= [snip]
>
> So what's the story? I want to implement a DENY or DROP policy so that
> packets that I don't have a rule for get dumped, but as soon as I change the
> INPUT policy to DENY or DROP nothing can talk to the box, even though I have a
> matching input rule. I don't want to have to implement a chain by putting in
> matching rules for all the ports that I don't want, I just want to put in a
> list of allows and then a DROP at the end.
>
> Anyone have any ideas? Is there a flag or switch on iptables that changes the
> traverse policy to "exit on match"? Clue sticks?
>
> TIA's
>
> Pete
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug

-----------------------------------------------------------------------
Kevin Saenz
Security Analyst
mobile: +61418455661
email: [EMAIL PROTECTED]
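As an added illustration (not part of either message above), here is a small Python model of how a netfilter chain is walked. LOG is a non-terminating target, so a packet that matches a LOG rule is logged and then continues down the chain, which is why both prefixes appear in the log; only ACCEPT, DROP, REJECT and RETURN end traversal, and the chain policy set with -P applies only when no terminating rule matched. The rules and packets below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Targets that end traversal of the chain. LOG is deliberately absent:
# it is non-terminating, so the packet keeps walking after being logged.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

@dataclass
class Rule:
    target: str
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    log_prefix: str = ""            # --log-prefix (LOG only)

    def matches(self, pkt: Dict[str, object]) -> bool:
        return (self.proto is None or pkt["proto"] == self.proto) and \
               (self.dport is None or pkt["dport"] == self.dport)

def traverse(chain: List[Rule], policy: str, pkt: Dict[str, object]) -> Tuple[str, List[str]]:
    """Walk the chain in order and return (verdict, kernel log lines)."""
    logs: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logs.append(f"{rule.log_prefix}IN=lo PROTO={pkt['proto']} DPT={pkt['dport']}")
            continue                      # non-terminating: keep going
        if rule.target in TERMINATING:
            return rule.target, logs      # first terminating match decides
    return policy, logs                   # nothing terminated: policy (-P) decides

# Pete's chain: two LOG rules and (implicitly) policy ACCEPT.
petes_chain = [Rule("LOG", "TCP", 80, "HTTP: "),
               Rule("LOG", "TCP", None, "OTHER: ")]

# What he wants: a list of allows, a LOG for the rest, and policy DROP.
allow_chain = [Rule("ACCEPT", "TCP", 22),
               Rule("ACCEPT", "TCP", 80),
               Rule("LOG", log_prefix="DROPPED: ")]

def demo() -> Dict[str, Tuple[str, List[str]]]:
    http = {"proto": "TCP", "dport": 80}   # constructed sample packets
    smtp = {"proto": "TCP", "dport": 25}
    return {
        "pete_http": traverse(petes_chain, "ACCEPT", http),   # logged twice, still accepted
        "allow_http": traverse(allow_chain, "DROP", http),    # ACCEPT rule ends traversal
        "allow_smtp": traverse(allow_chain, "DROP", smtp),    # logged once, then policy DROP
    }
```

Call demo() to see the three outcomes. In a real INPUT chain with policy DROP, the allow list also needs rules accepting loopback (-i lo) and established/related connections (-m state --state ESTABLISHED,RELATED), or replies to the box's own outbound connections are dropped and "nothing can talk to the box".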
