[Dnsmasq-discuss] iptables configuration drops packets

/dev/rob0 rob0 at gmx.co.uk
Sat May 17 20:28:12 BST 2008


On Sat May 17 2008 11:18:38 Adam Hardy wrote:
> > Assuming that the --log-prefix is correct and that your iptables
> > machine's IP address is 192.168.0.2, do tell, WHY are you blocking
> > OUTPUT? What is your threat model?
>
> Basically I have 3 housemates who I allow on the wireless LAN with
> their laptops, and of course they all run windows, so I just want to
> make sure. I'd rather not run the risk of someone leaving their PC on
> with a spam cannon trojan running. I've forbidden Outlook and MSIE,
> so perhaps I'm being too keen, but I figured I'd log what OUTPUT
> drops and figure out where it's coming from and whether it's kosher
> or not, and adapt when necessary.

In that case, as best as I can tell, you are not understanding what 
OUTPUT is. Built-in chains in the filter table:
	INPUT  :	Packets destined to the iptables machine
	OUTPUT :	Packets originated from the iptables machine
	FORWARD:	All other (neither source nor dest. is local)
Any given packet hits exactly one chain, with the exception of the 
loopback interface, which first hits OUTPUT and then INPUT. Note also 
that the PREROUTING and OUTPUT chains in the nat table can change the 
filter chain any given packet would hit.

Your housemates would be sending FORWARD traffic, coming in the LAN 
interface, going out the Internet/external one.

Here's a good netfilter help site:
	http://danieldegraaf.afraid.org/info/iptables/examples
Unfortunately it seems to be down now, but it's in the Google cache. 
(Dynamic IP, I think it will be back later.)
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
