[nos-bbs] iptables question -- more..

jerome schatten romers at shaw.ca
Thu Nov 15 01:50:15 EST 2012


I should say that the problem I'm trying to troubleshoot now manifests
itself in two ways:

1. I can see the rip broadcasts on the jnos box with tcpdump, but they
never pass through the various interfaces to jnos; and 

2. I cannot telnet into ve7ass.dyndns.org at all; the connexion is
refused.

Other than that, everything else in jnos seems to be working properly.
j.


On Wed, 2012-11-14 at 21:57 -0800, jerome schatten wrote:
> So... you are saying that ports other than 22 and 631 in this case may
> be open but no apps are listening?  I guess I should increase the level
> of penetration of nmap to test that out? Or is there no way? What I
> would like to do is open 'em all up since the machine is in the DMZ
> anyway. Or am I really worrying about nothing??
> j.
> 
> 
> On Wed, 2012-11-14 at 21:34 -0800, Michael Fox - N6MEF wrote:
> > Hi Jerome,
> > 
> > Essentially correct.
> > Each chain has a default policy.  The default policy defines what happens if
> > a packet makes it through all of the rules in the chain without being
> > matched.  Typically one would set the default policy to DROP and then add
> > rules to match and ACCEPT the particular types of packets that you want to
> > accept.  Anything else would be dropped by the default policy.  In the
> > output below, the default policy is ACCEPT for each chain, so if no rules
> > are matched, the packet is allowed.  And, since there are no rules, then all
> > packets are allowed.
> > 
> > So what does allowed mean?
> > The INPUT chain is for packets destined for Linux itself.  Such as if you
> > were to ssh to the linux machine.
> > The FORWARD chain is for packets that will travel through the Linux box.
> > Such as packets coming in on one interface and exiting via another.
> > The OUTPUT chain is for packets that the Linux box originates.  Such as if
> > you were to ping someone FROM the linux box.
> > 
> > The configuration below merely shows that iptables isn't going to get in the
> > way of any packets.  But that doesn't mean that the ports are open.  For the
> > port to be open, you need some application running and listening on that
> > port.  For example, if you were running a ssh server, then port 22 would be
> > open (unless it was configured to listen on another port).
> > 
> > Michael
> > N6MEF
> > 
> > -----Original Message-----
> > From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
> > Of jerome schatten
> > Sent: Wednesday, November 14, 2012 8:35 PM
> > To: nos-bbs
> > Subject: [nos-bbs] iptables question and....
> > 
> > If I run the command 'iptables -L', on my jnos machine (the box), it
> > returns:
> > 
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination         
> > 
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination         
> > 
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination         
> > orange at orange:~$ 
> > 
> > In the ordinary English language sense of the word ACCEPT, I interpret this
> > to mean that there is no linux firewall. Is this correct? It seems to behave
> > in just the opposite way.
> > 
> > The reason I ask is because running nmap pointing at the jnos machine (the
> > target is the ethernet address), from another machine on the lan, shows all
> > ports closed except 631 and 22.
> > 
> > Help an old man out here, eh?
> > jerome - ve7ass
> > 
> > 
> > _______________________________________________
> > nos-bbs mailing list
> > nos-bbs at tapr.org
> > https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
> > 
> 
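Michael's distinction between an all-ACCEPT, rule-less iptables and ports that are actually open, as an added shell example (not from the thread; the `iptables -L` and `ss -ltn` outputs it parses are constructed samples):

```shell
# Added example, not from the thread: tell "iptables imposes no filtering"
# apart from "nothing is listening". All sample outputs here are constructed.
# Sample in the shape of the `iptables -L` output Jerome pasted: all ACCEPT, no rules.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# Sample of the layout Michael describes as typical: DROP by default, explicit ACCEPTs.
SAMPLE_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print one line per chain: NAME POLICY RULECOUNT.
summarize_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { if (chain != "") print chain, policy, n
                     chain = $2; policy = $4; sub(/\)$/, "", policy); n = 0; next }
        /^target / { next }
        NF > 0     { n++ }
        END        { if (chain != "") print chain, policy, n }'
}

# Succeeds only when every chain is policy ACCEPT with zero rules: iptables then
# lets everything through, yet a port is only "open" if a program listens on it.
is_wide_open() {
    summarize_chains "$1" | awk '$2 != "ACCEPT" || $3 != 0 { bad = 1 } END { exit bad }'
}

# Sample `ss -ltn` output for a box where only sshd and cups listen, which is
# exactly what an nmap scan from the LAN would report as open.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:631         0.0.0.0:*'

# Bound address:port of each listening TCP socket (a 127.0.0.1 bind stays closed from the LAN).
listening_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "LISTEN" { print $4 }'
}
```

Run the two checks against the live box with `summarize_chains "$(iptables -L)"` and `listening_sockets "$(ss -ltn)"`: a wide-open result plus a short listener list is the combination that makes nmap report almost everything closed without any firewall being involved.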