[nos-bbs] iptables qestion -- more..

Michael Fox - N6MEF n6mef at mefox.org
Thu Nov 15 02:08:26 EST 2012


Well, since your linux machine has no iptables rules to block traffic, I
would guess that you have a routing problem.  Check the routes in JNOS,
linux and your Internet firewall/router.  Start one hop away, on your linux
machine and ping and telnet to JNOS.  Then back up one hop to your router
and ping and telnet to JNOS.  Lather, rinse, repeat.  ;-)

Michael

-----Original Message-----
From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of jerome schatten
Sent: Wednesday, November 14, 2012 10:50 PM
To: TAPR xNOS Mailing List
Subject: Re: [nos-bbs] iptables qestion -- more..

I should say that the problem I'm trying to troubleshoot now manifests
itself in two ways:

1. I can see the rip broadcasts on the jnos box with tcpdump, but they never
pass through the various interfaces to jnos; and 

2. I cannot telnet into ve7ass.dyndns.org at all; the connexion is refused.

Other than that, everything else in jnos seems to be working properly.
j.


On Wed, 2012-11-14 at 21:57 -0800, jerome schatten wrote:
> So... you are saying that ports other than 22 and 631 in this case may 
> be open but no apps are listening?  I guess I should increase the 
> level of penetration of nmap to test that out? Or is there no way? 
> What I would like to do is open 'em all up since the machine is in the 
> DMZ anyway. Or am I really worrying about nothing??
> j.
> 
> 
> On Wed, 2012-11-14 at 21:34 -0800, Michael Fox - N6MEF wrote:
> > Hi Jerome,
> > 
> > Essentially correct.
> > Each chain has a default policy.  The default policy defines what 
> > happens if a packet makes it through all of the rules in the chain 
> > without being matched.  Typically one would set the default policy 
> > to DROP and then add rules to match and ACCEPT the particular types 
> > of packets that you want to accept.  Anything else would be dropped 
> > by the default policy.  In the output below, the default policy is 
> > ACCEPT for each chain, so if no rules are matched, the packet is 
> > allowed.  And, since there are no rules, then all packets are allowed.
> > 
> > So what does allowed mean?
> > The INPUT chain is for packets destined for Linux itself.  Such as 
> > if you were to ssh to the linux machine.
> > The FORWARD chain is for packets that will travel through the Linux box.
> > Such as packets coming in on one interface and exiting via another.
> > The OUTPUT chain is for packets that the Linux box originates.  Such 
> > as if you were to ping someone FROM the linux box.
> > 
> > The configuration below merely shows that iptables isn't going to 
> > get in the way of any packets.  But that doesn't mean that the ports 
> > are open.  For the port to be open, you need some application 
> > running and listening on that port.  For example, if you were 
> > running an ssh server, then port 22 would be open (unless it was
> > configured to listen on another port).
> > 
> > Michael
> > N6MEF
> > 
> > -----Original Message-----
> > From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On 
> > Behalf Of jerome schatten
> > Sent: Wednesday, November 14, 2012 8:35 PM
> > To: nos-bbs
> > Subject: [nos-bbs] iptables qestion and....
> > 
> > If I run the command 'iptables -L', on my jnos machine (the box), it
> > returns:
> > 
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination         
> > 
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination         
> > 
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination         
> > orange at orange:~$
> > 
> > In the ordinary English language sense of the word ACCEPT, I 
> > interpret this to mean that there is no linux firewall. Is this 
> > correct? It seems to behave in just the opposite way.
> > 
> > The reason I ask is because running nmap pointing at the jnos 
> > machine (the target is the ethernet address), from another machine 
> > on the lan, shows all ports closed except 631 and 22.
> > 
> > Help an old man out here, eh?
> > jerome - ve7ass
> > 
> > 
> > _______________________________________________
> > nos-bbs mailing list
> > nos-bbs at tapr.org
> > https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
> > 
> > 
> 
> 
> 



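As an added illustration of Michael's point about chain default policies (this is not code from the thread or from JNOS, and the two listings below are constructed samples in the shape of Jerome's `iptables -L` output), the following script parses a plain `iptables -L` listing and flags any built-in chain whose policy is ACCEPT and which carries no rules, since such a chain lets every packet through exactly as described above. User-defined chains (shown by iptables as `Chain NAME (N references)`) have no policy line and are parsed but not flagged. The function names `parse_iptables_listing` and `audit_default_policies` are my own.

```python
"""Parse the output of `iptables -L` and report chains that provide no
filtering at all (policy ACCEPT, zero rules), as discussed in the thread.
Added example; the listings are constructed, not captured from a live host."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the same shape as the listing posted in the thread,
# i.e. three built-in chains, policy ACCEPT, no rules in any of them.
EMPTY_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample of the layout Michael recommends: default policy DROP on
# INPUT and FORWARD, with explicit ACCEPT rules for the traffic that is wanted.
# OUTPUT is deliberately left at ACCEPT with no rules to show a per-chain finding.
RESTRICTIVE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:router

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGDROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere
"""

# Built-in chains print "(policy X)"; user-defined chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")
HEADER_RE = re.compile(r"^target\s+prot\s+opt\s+source\s+destination")


class Chain(NamedTuple):
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[str]


def parse_iptables_listing(text: str) -> Dict[str, Chain]:
    """Return a mapping of chain name -> Chain for a plain `iptables -L` dump."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # blank separator between chains
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), [])
            chains[current.name] = current
            continue
        if current is None or HEADER_RE.match(line):
            continue  # column header, or text before the first chain
        current.rules.append(line)  # every remaining line is one rule
    return chains


def audit_default_policies(chains: Dict[str, Chain]) -> List[str]:
    """Flag built-in chains that accept everything by default with no rules:
    in that state iptables does not restrict any traffic on that path."""
    findings = []
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        chain = chains.get(name)
        if chain is None:
            continue
        if chain.policy == "ACCEPT" and not chain.rules:
            findings.append(f"{name}: policy ACCEPT with no rules, all packets allowed")
    return findings


if __name__ == "__main__":
    for label, listing in (("empty", EMPTY_LISTING), ("restrictive", RESTRICTIVE_LISTING)):
        print(f"--- {label} ---")
        for finding in audit_default_policies(parse_iptables_listing(listing)) or ["no findings"]:
            print(finding)
```

Note that a clean audit says only that iptables is not blocking traffic on that chain; as Michael says, a port still shows as closed to nmap unless some program is listening on it, so the next check is `ss -ltn` (or `netstat -ltn`) on the box to see which ports actually have a listener.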