[Dnsmasq-discuss] iptables configuration drops packets
adam.ant at cyberspaceroad.com
Sun May 18 18:30:09 BST 2008
/dev/rob0 on 17/05/08 20:28, wrote:
> On Sat May 17 2008 11:18:38 Adam Hardy wrote:
>>> Assuming that the --log-prefix is correct and that your iptables
>>> machine's IP address is 192.168.0.2, do tell, WHY are you blocking
>>> OUTPUT? What is your threat model?
>> Basically I have 3 housemates who I allow on the wireless LAN with
>> their laptops, and of course they all run windows, so I just want to
>> make sure. I'd rather not run the risk of someone leaving their PC on
>> with a spam cannon trojan running. I've forbidden Outlook and MSIE,
>> so perhaps I'm being too keen, but I figured I'd log what OUTPUT
>> drops and figure out where it's coming from and whether it's kosher
>> or not, and adapt when necessary.
> In that case, as best as I can tell, you are not understanding what
> OUTPUT is. Built-in chains in the filter table:
> INPUT : Packets destined to the iptables machine
> OUTPUT : Packets originated from the iptables machine
> FORWARD: All other (neither source nor dest. is local)
> Any given packet hits exactly one chain, with the exception of the
> loopback interface, which first hits OUTPUT and then INPUT. Note also
> that the PREROUTING and OUTPUT chains in the nat table can change the
> filter chain any given packet would hit.
> Your housemates would be sending FORWARD traffic, coming in the LAN
> interface, going out the Internet/external one.
> Here's a good netfilter help site:
> Unfortunately seems to be down now, but it's in the Google cache.
> (Dynamic IP, I think it will be back later.)
Ah, sorry. I'm being stupid. I claim sleep deprivation as an excuse.
That site is back up now. I shall check it out.
I'm logging both the OUTPUT and the FORWARD dropped packets. Maybe I am being
unnecessarily restrictive re the OUTPUT. But even then I'd feel safer. When I
logged the dropped packets arriving on the gateway's INPUT from the internet,
it's phenomenal the amount of stuff coming in.
More information about the Dnsmasq-discuss