[nos-bbs] iptables question -- more..
jerome schatten
romers at shaw.ca
Thu Nov 15 02:20:30 EST 2012
Yes... my suspicion too. But I thought I would make sure that my notion
of iptables was correct before tackling the dreaded routing problem <g>.
Thanks,
j.
On Wed, 2012-11-14 at 23:08 -0800, Michael Fox - N6MEF wrote:
> Well, since your linux machine has no iptables rules to block traffic, I
> would guess that you have a routing problem. Check the routes in JNOS,
> linux and your Internet firewall/router. Start one hop away, on your linux
> machine and ping and telnet to JNOS. Then back up one hop to your router
> and ping and telnet to JNOS. Lather, rinse, repeat. ;-)
>
> Michael
>
> -----Original Message-----
> From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
> Of jerome schatten
> Sent: Wednesday, November 14, 2012 10:50 PM
> To: TAPR xNOS Mailing List
> Subject: Re: [nos-bbs] iptables question -- more..
>
> I should say that the problem I'm trying to troubleshoot now manifests
> itself in two ways:
>
> 1. I can see the RIP broadcasts on the jnos box with tcpdump, but they never
> pass through the various interfaces to jnos; and
>
> 2. I cannot telnet into ve7ass.dyndns.org at all; the connexion is refused.
>
> Other than that, everything else in jnos seems to be working properly.
> j.
>
>
> On Wed, 2012-11-14 at 21:57 -0800, jerome schatten wrote:
> > So... you are saying that ports other than 22 and 631 in this case may
> > be open but no apps are listening? I guess I should increase the
> > level of penetration of nmap to test that out? Or is there no way?
> > What I would like to do is open 'em all up since the machine is in the
> > DMZ anyway. Or am I really worrying about nothing??
> > j.
> >
> >
> > On Wed, 2012-11-14 at 21:34 -0800, Michael Fox - N6MEF wrote:
> > > Hi Jerome,
> > >
> > > Essentially correct.
> > > Each chain has a default policy. The default policy defines what
> > > happens if a packet makes it through all of the rules in the chain
> > > without being matched. Typically one would set the default policy
> > > to DROP and then add rules to match and ACCEPT the particular types
> > > of packets that you want to accept. Anything else would be dropped
> > > by the default policy. In the output below, the default policy is
> > > ACCEPT for each chain, so if no rules are matched, the packet is
> > > allowed. And, since there are no rules, then all packets are allowed.
> > >
> > > So what does allowed mean?
> > > The INPUT chain is for packets destined for Linux itself. Such as
> > > if you were to ssh to the linux machine.
> > > The FORWARD chain is for packets that will travel through the Linux box.
> > > Such as packets coming in on one interface and exiting via another.
> > > The OUTPUT chain is for packets that the Linux box originates. Such
> > > as if you were to ping someone FROM the linux box.
> > >
> > > The configuration below merely shows that iptables isn't going to
> > > get in the way of any packets. But that doesn't mean that the ports
> > > are open. For the port to be open, you need some application
> > > running and listening on that port. For example, if you were
> > > running an ssh server, then port 22 would be open (unless it was
> > > configured to listen on another port).
> > >
> > > Michael
> > > N6MEF
> > >
> > > -----Original Message-----
> > > From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On
> > > Behalf Of jerome schatten
> > > Sent: Wednesday, November 14, 2012 8:35 PM
> > > To: nos-bbs
> > > Subject: [nos-bbs] iptables question and....
> > >
> > > If I run the command 'iptables -L', on my jnos machine (the box), it
> > > returns:
> > >
> > > Chain INPUT (policy ACCEPT)
> > > target prot opt source destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target prot opt source destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target prot opt source destination
> > > orange at orange:~$
> > >
> > > In the ordinary English language sense of the word ACCEPT, I
> > > interpret this to mean that there is no linux firewall. Is this
> > > correct? It seems to behave in just the opposite way.
> > >
> > > The reason I ask is because running nmap pointing at the jnos
> > > machine (the target is the ethernet address), from another machine
> > > on the lan, shows all ports closed except 631 and 22.
> > >
> > > Help an old man out here, eh?
> > > jerome - ve7ass
> > >
> > >
> > > _______________________________________________
> > > nos-bbs mailing list
> > > nos-bbs at tapr.org
> > > https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
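Added example, not code from the thread, from JNOS or from the TAPR list: the script below makes Michael's explanation concrete by parsing the kind of listing Jerome posted and predicting what nmap will print for each port. The first embedded listing is constructed to match the one in the thread (three empty built-in chains, policy ACCEPT); the second is a hypothetical default-DROP INPUT chain with a few ACCEPT rules, and the 192.168.1.0/24 range in it is a placeholder LAN. The nmap mapping is nmap's usual behaviour for a SYN or connect scan: an RST from the kernel is reported as "closed", no reply or an ICMP unreachable as "filtered".

```python
# Added example, not code from the nos-bbs thread or JNOS: parse `iptables -L`
# output and predict what an nmap TCP scan would report for each port.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample matching the listing posted to the thread: no rules at all.
OPEN_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed, hypothetical `iptables -L -n INPUT`: default DROP plus explicit
# ACCEPTs, the posture the reply recommends.  192.168.1.0/24 stands in for the LAN.
HARDENED_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

@dataclass
class Rule:
    target: str
    prot: str
    source: str
    dport: Optional[int]
    new_ok: bool     # False if the rule only matches RELATED,ESTABLISHED

@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_iptables_l(text: str) -> Dict[str, Chain]:
    """Turn `iptables -L [-n]` text into {chain name: Chain}."""
    chains: Dict[str, Chain] = {}
    cur = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains[m.group(1)] = Chain(m.group(1), m.group(2))
        elif cur is not None and line.strip() and not line.startswith("target"):
            target, prot, _opt, src, _dst, *rest = line.split()
            extra = " ".join(rest)
            dport = re.search(r"dpt:(\d+)", extra)
            state = re.search(r"state (\S+)", extra)   # also matches ctstate
            cur.rules.append(Rule(target, prot, src,
                                  int(dport.group(1)) if dport else None,
                                  state is None or "NEW" in state.group(1)))
    return chains

def _src_matches(rule_src: str, ip: str) -> bool:
    if rule_src == "anywhere":     # `iptables -L` without -n prints names
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)

def input_verdict(chains: Dict[str, Chain], chain: Chain,
                  src_ip: str, dport: int) -> Optional[str]:
    """First matching rule wins for a fresh inbound TCP SYN, else the policy."""
    for r in chain.rules:
        if (r.prot not in ("all", "tcp") or not r.new_ok
                or (r.dport is not None and r.dport != dport)
                or not _src_matches(r.source, src_ip)):
            continue
        if r.target == "RETURN":
            return None
        if r.target in chains:     # jump into a user-defined chain
            sub = input_verdict(chains, chains[r.target], src_ip, dport)
            if sub is not None:
                return sub
            continue               # fell off its end: keep evaluating here
        return r.target
    return chain.policy

def nmap_state(chains: Dict[str, Chain], src_ip: str, dport: int,
               listening: Set[int]) -> str:
    """ACCEPT hands the SYN to the TCP stack: SYN/ACK if a program listens
    ("open"), else the kernel's own RST ("closed").  DROP (no reply) and a
    default REJECT (ICMP unreachable) both show up in nmap as "filtered"."""
    target = input_verdict(chains, chains["INPUT"], src_ip, dport)
    if target == "ACCEPT":
        return "open" if dport in listening else "closed"
    return "filtered"

def firewall_is_active(chains: Dict[str, Chain]) -> bool:
    """Can this ruleset block anything at all?  All-ACCEPT and empty: no."""
    return any(c.policy in ("DROP", "REJECT") or
               any(r.target in ("DROP", "REJECT") for r in c.rules)
               for c in chains.values())
```

Run against OPEN_LISTING, `firewall_is_active` returns False and every port not in the listening set comes back "closed", which is exactly the nmap result in the thread: the SYN reached the box and the kernel answered RST because nothing was listening, so iptables is not the thing refusing connections. Against the hypothetical HARDENED_LISTING, port 22 probed from outside 192.168.1.0/24 comes back "filtered" rather than "closed"; that difference, filtered versus closed, is the quick way to tell a packet filter from a missing listener before going on to chase routing.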