[lug] ipchains question

Chip Atkinson chip at rmpg.org
Fri Feb 22 07:03:12 MST 2002


Excellent idea.  I guess it was a little too late to think of something
that made that much sense. :-)

Chip
On Thu, 21 Feb 2002, D. Stimits wrote:

> Add logging to your accept rules and try again. See if it tells you
> which is accepting it.
>
> D. Stimits, stimits at idcomm.com
>
> Chip Atkinson wrote:
> >
> > Greetings,
> >
> > In reviewing some ipchains rules, I'm getting packets accepted when I
> > thought they would be getting denied.
> >
> > From what I understand, the packet is compared to each rule and upon
> > matching, the matched target is jumped to.  Here's what I have:
> >
> > [root at poodle sysconfig]# ipchains -L input
> > Chain input (policy ACCEPT):
> > target     prot opt     source                destination           ports
> > icmp-acc   icmp ------  anywhere             anywhere              any ->   any
> > ssh-acc    tcp  ------  anywhere             anywhere              any ->   ssh
> > ssh-acc    udp  ------  anywhere             anywhere              any ->   ssh
> > ssh-acc    tcp  ------  anywhere             anywhere              ssh ->   any
> > ssh-acc    udp  ------  anywhere             anywhere              ssh ->   any
> > ACCEPT     tcp  ------  anywhere             anywhere              any ->   smtp
> > ACCEPT     tcp  ------  anywhere             anywhere              any ->   auth
> > ACCEPT     tcp  ------  anywhere             anywhere              auth ->   any
> > ACCEPT     tcp  !y----  jymis.com            pupman.com            telnet ->   any
> > DENY       tcp  -y--l-  jymis.com            pupman.com            any ->   telnet
> > ACCEPT     tcp  ------  pupman.com           jymis.com             any ->   telnet
> > DENY       all  ----l-  anywhere             anywhere              n/a
> > [root at poodle sysconfig]# ipchains -v -C input -p tcp -i eth0 -s 63.225.119.190 60000 -d 10.0.0.5 ircd
> > -  tcp opt    ------ tos 0xFF 0x00  via eth0    63.225.119.190 -> 10.0.0.5
> > 60000 ->   6667
> > accepted
> >
> > This doesn't make sense to me.  I thought that the DENY at the bottom
> > would match any packet that made it through all the rules, and that the
> > packet being tested would certainly match the last rule.
> >
> > Can anyone point out what I'm missing?
> > Thanks in advance.
> >
> > Chip
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
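An added example, written here and not the poster's code or ipchains itself: it walks the `input` chain quoted above with the first-match semantics Chip describes (including the return from a user chain that matches nothing) and records the lines that rules carrying `-l` would put in the kernel log, plus a helper that applies Stimits' suggestion of logging on every ACCEPT. It assumes the ssh-acc and icmp-acc user chains are empty, since their contents are not shown, and compares hostnames as plain strings.

```python
# Added example, not the poster's code or ipchains itself: a first-match walk over the
# `input` chain listed above. Assumed: user chains icmp-acc and ssh-acc are empty (their
# contents are not shown), so a jump into them returns; hosts compared as plain strings.
from collections import namedtuple
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Rule:   # one `ipchains -L` line; None = don't care; syn True for -y, False for ! -y
    target: str; proto: str; src: str = "anywhere"; dst: str = "anywhere"
    sport: Optional[int] = None; dport: Optional[int] = None
    syn: Optional[bool] = None; log: bool = False   # log = the `l` in the opt column

Packet = namedtuple("Packet", "proto src dst sport dport syn", defaults=(False,))
CHAINS = {"icmp-acc": [], "ssh-acc": [], "input": [   # ssh=22 telnet=23 smtp=25 auth=113
    Rule("icmp-acc", "icmp"),
    Rule("ssh-acc", "tcp", dport=22), Rule("ssh-acc", "udp", dport=22),
    Rule("ssh-acc", "tcp", sport=22), Rule("ssh-acc", "udp", sport=22),
    Rule("ACCEPT", "tcp", dport=25),
    Rule("ACCEPT", "tcp", dport=113), Rule("ACCEPT", "tcp", sport=113),
    Rule("ACCEPT", "tcp", "jymis.com", "pupman.com", sport=23, syn=False),
    Rule("DENY", "tcp", "jymis.com", "pupman.com", dport=23, syn=True, log=True),
    Rule("ACCEPT", "tcp", "pupman.com", "jymis.com", dport=23),
    Rule("DENY", "all", log=True)]}

def matches(r, p):
    return (r.proto in ("all", p.proto) and r.src in ("anywhere", p.src)
            and r.dst in ("anywhere", p.dst) and r.sport in (None, p.sport)
            and r.dport in (None, p.dport) and r.syn in (None, p.syn))

def walk(chains, name, p, log):    # first match wins; None = chain ran out, no verdict
    for i, r in enumerate(chains[name]):
        if not matches(r, p):
            continue
        if r.log:                  # what a -l rule would put in the kernel log
            log.append(f"{name}[{i}] {r.target} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if r.target in chains:     # jump into a user-defined chain
            hit = walk(chains, r.target, p, log)
            if hit is not None:
                return hit
            continue               # nothing matched there: resume in this chain
        return (r.target, i)
    return None

def check(chains, p):
    log = []
    return walk(chains, "input", p, log) or ("ACCEPT", -1), log   # -1: chain policy

def log_accepts(chains):           # Stimits' suggestion: -l on every ACCEPT rule
    return {n: [replace(r, log=r.log or r.target == "ACCEPT") for r in rs]
            for n, rs in chains.items()}
```

Fed the packet from the `ipchains -C` test, this walk ends at the final DENY, which is the result Chip expected; on the real box the log lines from the ACCEPT rules are what would show where the two diverge.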
