[Dnsmasq-discuss] iptables configuration drops packets
rob0 at gmx.co.uk
Sat May 17 20:28:12 BST 2008
On Sat May 17 2008 11:18:38 Adam Hardy wrote:
> > Assuming that the --log-prefix is correct and that your iptables
> > machine's IP address is 192.168.0.2, do tell, WHY are you blocking
> > OUTPUT? What is your threat model?
> Basically I have 3 housemates who I allow on the wireless LAN with
> their laptops, and of course they all run windows, so I just want to
> make sure. I'd rather not run the risk of someone leaving their PC on
> with a spam cannon trojan running. I've forbidden Outlook and MSIE,
> so perhaps I'm being too keen, but I figured I'd log what OUTPUT
> drops and figure out where it's coming from and whether it's kosher
> or not, and adapt when necessary.
In that case, as best as I can tell, you are not understanding what
OUTPUT is. Built-in chains in the filter table:
INPUT : Packets destined to the iptables machine
OUTPUT : Packets originated from the iptables machine
FORWARD: All other (neither source nor dest. is local)
Any given packet hits exactly one chain, with the exception of the
loopback interface, which first hits OUTPUT and then INPUT. Note also
that the PREROUTING and OUTPUT chains in the nat table can change the
filter chain any given packet would hit.
Your housemates would be sending FORWARD traffic, coming in the LAN
interface, going out the Internet/external one.
Here's a good netfilter help site:
Unfortunately seems to be down now, but it's in the Google cache.
(Dynamic IP, I think it will be back later.)
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
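As an added illustration of the chain distinction rob0 describes (not code from the thread or from dnsmasq): a small POSIX sh script that classifies a packet into the filter chain it hits, and emits a FORWARD-chain ruleset that logs and drops outbound SMTP from LAN hosts instead of filtering OUTPUT. Interface names, the LAN subnet and the log prefix are assumptions; the script prints the iptables commands unless run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the list post. Interface names, subnet and
# log prefix are assumed; 192.168.0.2 is the firewall address named
# in the thread.
LAN_IF="${LAN_IF:-wlan0}"             # wireless LAN side (assumed)
WAN_IF="${WAN_IF:-eth0}"              # Internet side (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # housemates' subnet (assumed)
# Dry run by default: print the commands. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Which built-in filter chain sees a packet, given the firewall's own
# address, the packet's source and its destination.
chain_for() {
    fw="$1"; src="$2"; dst="$3"
    if [ "$src" = "$fw" ] && [ "$dst" = "$fw" ]; then
        echo "OUTPUT,INPUT"   # loopback: OUTPUT first, then INPUT
    elif [ "$src" = "$fw" ]; then
        echo OUTPUT           # originated by the firewall itself
    elif [ "$dst" = "$fw" ]; then
        echo INPUT            # destined to the firewall itself
    else
        echo FORWARD          # neither end is local: LAN -> Internet
    fi
}

# Egress policy for the LAN: log, then drop, outbound SMTP from the
# housemates' machines (the "spam cannon" case); pass everything else.
lan_egress_rules() {
    $IPT -N LAN_EGRESS 2>/dev/null || true
    $IPT -F LAN_EGRESS
    $IPT -A LAN_EGRESS -p tcp --dport 25 -j LOG --log-prefix "lan-smtp-drop: "
    $IPT -A LAN_EGRESS -p tcp --dport 25 -j DROP
    $IPT -A LAN_EGRESS -j ACCEPT
    # Hook it into FORWARD: only traffic entering on the LAN interface
    # and leaving on the WAN interface is subject to the policy.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j LAN_EGRESS
    # Replies for connections the LAN hosts opened.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Dropped packets show up in the kernel log with the "lan-smtp-drop:" prefix, so the originating LAN address can be read straight from the log line.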