Existing connections / changing IpTables

Richard Emberson remberson at edgedynamics.com
Fri Jan 20 16:52:10 UTC 2006


Thank you for the response.
What I was asking was: you've got an existing set of iptables rules and you
have a set of current/active connections that are governed by those rules.
If you then change the rules, what happens to the existing connections?
Are they still associated with the old rules, or are the new rules applied?

If an old rule says that a connection from a particular machine is allowed
and you currently have such a connection and then you install new rules
that disallow connections from that machine - will the existing connection
be terminated or still remain open?

RME


jludwig wrote:

>On Thursday 19 January 2006 17:56, Richard Emberson wrote:
>  
>
>>What happens to existing connections if one reconfigures the
>>machine's IpTables?
>>Add a new rule?
>>Remove a rule?
>>Blow away configuration and set a new one?
>>Add a host/port mapping?
>>Remove a host/port mapping?
>>
>>Thanks
>>
>>RME
>>
>>--
>>This email message is for the sole use of the intended recipient(s) and
>>may contain confidential information.  Any unauthorized review, use,
>>disclosure or distribution is prohibited.  If you are not the intended
>>recipient, please contact the sender by reply email and destroy all
>>copies of the original message.
>>    
>>
>Note: this information is not complete.
>
>If I understand what you are asking;
>
>Iptables is the firewall program.  Typically you can affect routing only by 
>blocking or allowing data packets in or through the machine where it is 
>implemented.
>
>Routing is done by the route command and the network configuration files S.A.
>/etc/sysconfig/network-scripts/
>ifcfg-eth0,  ifdown-aliases,  ifdown-ppp,  ifup,  ifup-routes,  ifup-wireless
>and
>/etc/
>resolv.conf, hosts, which tells the kernel et al where to send the data 
>packets and/or look for the address information.
>
>Also for the system to pass data packets through the 
>system /proc/sys/net/ipv4/ip_forward has to be set to '1'
>S.A. 
>echo 1 > /proc/sys/net/ipv4/ip_forward
>or setting in /etc/sysctl.conf; 
> # Controls IP packet forwarding
>net.ipv4.ip_forward = 1
>
>If the iptables rule set is not correct or ordered correctly though, there is 
>a good chance that the connection will be denied or possibly degraded.
>
>To see what rules are being used try as root:
>iptables -vnL
>A sample of mine:
>Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>    0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
>    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>11441 8822K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>    0     0 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state NEW
>    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>    0     0 REJECT     all  --  eth0   *       192.168.14.0/24      0.0.0.0/0           reject-with icmp-port-unreachable
>   24  2208 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
>    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
>    0     0 DROP       icmp --  *      *       0.0.0.0/0            192.168.14.255
>    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>   38  3468 REJECT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:137 reject-with icmp-port-unreachable
>    0     0 ACCEPT     udp  --  *      *       68.48.0.13           0.0.0.0/0           udp spt:53
>    0     0 ACCEPT     udp  --  *      *       68.48.0.6            0.0.0.0/0           udp spt:53
>    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `F
>
>  
>


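The question this message asks (is a live connection bound to the rule that admitted it, or does a new DROP rule take effect on it?) comes down to two separate pieces of kernel state, and the model below is an added illustration of them; it is editor's example code, not anything posted in the thread, and the addresses, ports and rule names in it are made up. The rule chain is evaluated from scratch for every packet and is replaced wholesale by a flush-and-reload; the connection-tracking table, which is what a `state RELATED,ESTABLISHED` match (such as the busy rule in the `iptables -vnL` sample above) consults, lives in the conntrack module and is not touched by a rule change. So a connection is never "associated" with a rule: whether it keeps working after you ban its source host depends only on whether its next packet still hits an ACCEPT rule before it hits the DROP.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet arriving on INPUT (addresses and ports are constructed)."""
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """Simplified INPUT rule: -j <target> [-s <src>] [-m state --state <state>]."""
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # None matches any source address
    state: Optional[str] = None    # "NEW", "ESTABLISHED", or None for any

    def matches(self, pkt: Packet, pkt_state: str) -> bool:
        return self.src in (None, pkt.src) and self.state in (None, pkt_state)


class Firewall:
    """The INPUT chain plus the kernel's connection-tracking table."""

    def __init__(self, rules, policy="DROP"):
        self.rules = list(rules)   # evaluated top to bottom, first match wins
        self.policy = policy       # chain policy when no rule matches
        self.conntrack = set()     # confirmed flows, keyed by 4-tuple

    def _state(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        return "ESTABLISHED" if key in self.conntrack else "NEW"

    def filter(self, pkt: Packet) -> str:
        """Verdict for one packet, using the chain as it is right now."""
        state = self._state(pkt)
        verdict = next((r.target for r in self.rules if r.matches(pkt, state)),
                       self.policy)
        if verdict == "ACCEPT":
            # conntrack only confirms an entry for packets the filter lets through
            self.conntrack.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return verdict

    def reload(self, rules) -> None:
        """Flush and reload (or iptables-restore): replaces the rules only;
        the conntrack table is untouched, so old flows stay ESTABLISHED."""
        self.rules = list(rules)

    def flush_conntrack(self) -> None:
        """What clearing the conntrack table (conntrack -F) would do."""
        self.conntrack.clear()


# Constructed rules and packets for the scenario in the question.
ALLOW_ESTABLISHED = Rule("ACCEPT", state="ESTABLISHED")
ALLOW_NEW_FROM_HOST = Rule("ACCEPT", src="10.0.0.5", state="NEW")
BAN_HOST = Rule("DROP", src="10.0.0.5")
LIVE_SESSION = Packet("10.0.0.5", "10.0.0.1", 40123, 22)   # packets of an open SSH session
FRESH_SESSION = Packet("10.0.0.5", "10.0.0.1", 40124, 22)  # a new connection from that host


def open_session() -> Firewall:
    """Old rules in place; the host opens a connection and it is accepted."""
    fw = Firewall([ALLOW_ESTABLISHED, ALLOW_NEW_FROM_HOST])
    fw.filter(LIVE_SESSION)        # NEW packet, accepted, now tracked
    return fw


def appended_drop():
    """Ban the host with the DROP appended *after* the ESTABLISHED rule."""
    fw = open_session()
    fw.reload([ALLOW_ESTABLISHED, BAN_HOST])
    return fw.filter(LIVE_SESSION), fw.filter(FRESH_SESSION)   # ('ACCEPT', 'DROP')


def inserted_drop():
    """Ban the host with the DROP inserted at the top of the chain."""
    fw = open_session()
    fw.reload([BAN_HOST, ALLOW_ESTABLISHED])
    return fw.filter(LIVE_SESSION), fw.filter(FRESH_SESSION)   # ('DROP', 'DROP')


def appended_drop_then_flush():
    """Appended DROP, and the conntrack table is flushed as well."""
    fw = open_session()
    fw.reload([ALLOW_ESTABLISHED, BAN_HOST])
    fw.flush_conntrack()
    return fw.filter(LIVE_SESSION)                               # 'DROP'


if __name__ == "__main__":
    print("DROP appended after ESTABLISHED:", appended_drop())
    print("DROP inserted first:", inserted_drop())
    print("appended DROP plus conntrack flush:", appended_drop_then_flush())
```

The three cases correspond to `iptables -A INPUT -s 10.0.0.5 -j DROP` (appended, so the existing session keeps matching the ESTABLISHED rule and survives; only new connections from the host are blocked), `iptables -I INPUT 1 -s 10.0.0.5 -j DROP` (inserted ahead of it, so the next packet of the live session is silently dropped), and an appended DROP combined with clearing the conntrack entries (the `conntrack` tool from conntrack-tools can do this; on kernels of this vintage the table itself can be read from /proc/net/ip_conntrack). Two caveats a practitioner should keep in mind: a DROP does not "terminate" a TCP connection, it just starves it, so both ends sit there retransmitting until their timers expire; if you want the peer to see the connection torn down promptly, use `-j REJECT --reject-with tcp-reset` instead. And the counter on the sample's `state RELATED,ESTABLISHED` rule is a reminder that, with such a rule near the top of the chain, most rule edits below it will not affect traffic that is already flowing.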




More information about the fedora-list mailing list