[nos-bbs] iptables question -- more..

jerome schatten romers at shaw.ca
Thu Nov 15 02:20:30 EST 2012


Yes... my suspicion too. But I thought I would make sure that my notion
of iptables was correct before tackling the dreaded routing problem <g>.
Thanks,
j.

On Wed, 2012-11-14 at 23:08 -0800, Michael Fox - N6MEF wrote:
> Well, since your linux machine has no iptables rules to block traffic, I
> would guess that you have a routing problem.  Check the routes in JNOS,
> linux and your Internet firewall/router.  Start one hop away, on your linux
> machine and ping and telnet to JNOS.  Then back up one hop to your router
> and ping and telnet to JNOS.  Lather, rinse, repeat.  ;-)
> 
> Michael
> 
> -----Original Message-----
> From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
> Of jerome schatten
> Sent: Wednesday, November 14, 2012 10:50 PM
> To: TAPR xNOS Mailing List
> Subject: Re: [nos-bbs] iptables question -- more..
> 
> I should say that the problem I'm trying to troubleshoot now manifests
> itself in two ways:
> 
> 1. I can see the rip broadcasts on the jnos box with tcpdump, but they never
> pass through the various interfaces to jnos; and 
> 
> 2. I cannot telnet into ve7ass.dyndns.org at all; the connexion is refused.
> 
> Other than that, everything else in jnos seems to be working properly.
> j.
> 
> 
> On Wed, 2012-11-14 at 21:57 -0800, jerome schatten wrote:
> > So... you are saying that ports other than 22 and 631 in this case may 
> > be open but no apps are listening?  I guess I should increase the 
> > level of penetration of nmap to test that out? Or is there no way? 
> > What I would like to do is open 'em all up since the machine is in the 
> > DMZ anyway. Or am I really worrying about nothing??
> > j.
> > 
> > 
> > On Wed, 2012-11-14 at 21:34 -0800, Michael Fox - N6MEF wrote:
> > > Hi Jerome,
> > > 
> > > Essentially correct.
> > > Each chain has a default policy.  The default policy defines what 
> > > happens if a packet makes it through all of the rules in the chain 
> > > without being matched.  Typically one would set the default policy 
> > > to DROP and then add rules to match and ACCEPT the particular types 
> > > of packets that you want to accept.  Anything else would be dropped 
> > > by the default policy.  In the output below, the default policy is 
> > > ACCEPT for each chain, so if no rules are matched, the packet is 
> > > allowed.  And, since there are no rules, then all packets are allowed.
> > > 
> > > So what does allowed mean?
> > > The INPUT chain is for packets destined for Linux itself.  Such as 
> > > if you were to ssh to the linux machine.
> > > The FORWARD chain is for packets that will travel through the Linux box.
> > > Such as packets coming in on one interface and exiting via another.
> > > The OUTPUT chain is for packets that the Linux box originates.  Such 
> > > as if you were to ping someone FROM the linux box.
> > > 
> > > The configuration below merely shows that iptables isn't going to 
> > > get in the way of any packets.  But that doesn't mean that the ports 
> > > are open.  For the port to be open, you need some application 
> > > running and listening on that port.  For example, if you were 
> > > running a ssh server, then port 22 would be open (unless it was
> > > configured to listen on another port).
> > > 
> > > Michael
> > > N6MEF
> > > 
> > > -----Original Message-----
> > > From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On 
> > > Behalf Of jerome schatten
> > > Sent: Wednesday, November 14, 2012 8:35 PM
> > > To: nos-bbs
> > > Subject: [nos-bbs] iptables question and....
> > > 
> > > If I run the command 'iptables -L', on my jnos machine (the box), it
> > > returns:
> > > 
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination         
> > > 
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination         
> > > 
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination         
> > > orange at orange:~$
> > > 
> > > In the ordinary English language sense of the word ACCEPT, I 
> > > interpret this to mean that there is no linux firewall. Is this 
> > > correct? It seems to behave in just the opposite way.
> > > 
> > > The reason I ask is because running nmap pointing at the jnos 
> > > machine (the target is the ethernet address), from another machine 
> > > on the lan, shows all ports closed except 631 and 22.
> > > 
> > > Help an old man out here, eh?
> > > jerome - ve7ass
> > > 
> > > 
> > > _______________________________________________
> > > nos-bbs mailing list
> > > nos-bbs at tapr.org
> > > https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs