[lug] IP Tables

karl horlen horlenkarl at yahoo.com
Sat Sep 22 13:09:13 MDT 2007


--- "David L. Anselmi" <anselmi at anselmi.us> wrote:

> So this is an interesting example of software engineering.  Harlen
> doesn't know how to make iptables do what he wants.  Does he know how to
> specify requirements so Kevin can do it?

If I knew how to do this 100%, I probably wouldn't be
asking the question in the first place.  I came to the
forum looking for help and I think I got it.  It's
working for me.

> >> - allows smtp port 25 to send to all outside
> 
> Port 25 probably doesn't send anything, just receives.  But there's no
> requirement for it to receive anything.

It's implied in the requirement further below.

> >> - allows all inside generated requests to go out and
> >> accept replies from all inside generated requests
> >> (probably covers sendmail above?)
> 
> Yes, for sending.
 
> > iptables -A INPUT -i lo -j ACCEPT
> 
> This allows local connections, which wasn't specified.

But I'm glad he added it.  It's a perfect example
of how I missed something pretty obvious which should
have been there. Part of the beauty of a forum like
this is others catch mistakes or add things otherwise
left out.

> > iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
> 
> Harlan said "drop" but Kevin has used reject.  Same or not?

I'll post a reply in Kevin's reply about this one.
The short of it is that your reply to his reply forces
me to ask another question which helps the
understanding process.

> No slight intended to Harlan or Kevin.  Just a "gee, I see this all the
> time at work" moment.

No slight taken.  I humbly learn by the deficiencies
in my original request and the kindness of someone to
help out.

