[Dnsmasq-discuss] iptables configuration drops packets

Adam Hardy adam.ant at cyberspaceroad.com
Sun May 18 18:30:09 BST 2008

/dev/rob0 on 17/05/08 20:28, wrote:
> On Sat May 17 2008 11:18:38 Adam Hardy wrote:
>>> Assuming that the --log-prefix is correct and that your iptables
>>> machine's IP address is, do tell, WHY are you blocking
>>> OUTPUT? What is your threat model?
>> Basically I have 3 housemates who I allow on the wireless LAN with
>> their laptops, and of course they all run windows, so I just want to
>> make sure. I'd rather not run the risk of someone leaving their PC on
>> with a spam cannon trojan running. I've forbidden Outlook and MSIE,
>> so perhaps I'm being too keen, but I figured I'd log what OUTPUT
>> drops and figure out where it's coming from and whether it's kosher
>> or not, and adapt when necessary.
> In that case, as best as I can tell, you are not understanding what 
> OUTPUT is. Built-in chains in the filter table:
> 	INPUT  :	Packets destined to the iptables machine
> 	OUTPUT :	Packets originated from the iptables machine
> 	FORWARD:	All other (neither source nor dest. is local)
> Any given packet hits exactly one chain, with the exception of the 
> loopback interface, which first hits OUTPUT and then INPUT. Note also 
> that the PREROUTING and OUTPUT chains in the nat table can change the 
> filter chain any given packet would hit.
> Your housemates would be sending FORWARD traffic, coming in the LAN 
> interface, going out the Internet/external one.
> Here's a good netfilter help site:
> 	http://danieldegraaf.afraid.org/info/iptables/examples
> Unfortunately seems to be down now, but it's in the Google cache. 
> (Dynamic IP, I think it will be back later.)

Ah, sorry. I'm being stupid. I claim sleep deprivation as an excuse.

That site is back up now. I shall check it out.

I'm logging both the OUTPUT and the FORWARD dropped packets. Maybe I am being 
unnecessarily restrictive re the OUTPUT. But even then I'd feel safer. When I 
logged the dropped packets arriving on the gateway's INPUT from the internet, 
it's phenomenal the amount of stuff coming in.
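To make the chain distinction in the quoted reply concrete, here is an added shell example (not from this thread, not dnsmasq code, and not the original poster's rule set). It classifies a packet into INPUT, OUTPUT or FORWARD by the rule given above, prints a FORWARD-chain ruleset that logs and drops outbound SMTP from the LAN side (the "spam cannon" case), and pulls the source address out of a resulting kernel log line. The interface names eth1 (LAN) and eth0 (Internet), the addresses, the log prefix and the sample log line are all assumptions; the rules are printed rather than applied, so nothing here needs root.

```shell
#!/bin/sh
# Added example for the Dnsmasq-discuss thread on OUTPUT vs FORWARD; not from the thread.
# Interface names, addresses, log prefix and the sample log line are assumed/constructed.

# Filter-table chain a packet hits, per the quoted explanation:
#   destination is a local address -> INPUT
#   source is a local address      -> OUTPUT
#   neither                        -> FORWARD
#   loopback                       -> OUTPUT, then INPUT
# Usage: chain_for_packet "<space-separated local IPs>" SRC DST
chain_for_packet() {
    local_ips=$1; src=$2; dst=$3
    case "$dst" in 127.*) echo "OUTPUT,INPUT"; return 0;; esac
    src_local=0; dst_local=0
    for ip in $local_ips; do
        [ "$ip" = "$src" ] && src_local=1
        [ "$ip" = "$dst" ] && dst_local=1
    done
    if [ "$dst_local" = 1 ]; then echo INPUT
    elif [ "$src_local" = 1 ]; then echo OUTPUT
    else echo FORWARD
    fi
}

# Print (do not run) FORWARD rules for a gateway: housemates' laptops sit behind
# LAN_IF, the Internet is on WAN_IF. Outbound SMTP from the LAN is logged (rate
# limited so a trojan cannot flood syslog) and then dropped; other LAN->WAN
# traffic is allowed. Pipe the output into "sh" as root to apply it.
# Usage: forward_smtp_rules LAN_IF WAN_IF [LOG_PREFIX]
forward_smtp_rules() {
    lan_if=$1; wan_if=$2; prefix=${3:-"FWD-SMTP-DROP: "}
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "$prefix"
iptables -A FORWARD -i $lan_if -o $wan_if -p tcp --dport 25 -j DROP
iptables -A FORWARD -i $lan_if -o $wan_if -j ACCEPT
EOF
}

# Extract SRC= from an iptables LOG line so the offending laptop can be identified.
log_src() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# Constructed sample of what the LOG rule above would write to the kernel log.
SAMPLE_LOG='May 18 18:30:09 gw kernel: FWD-SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4312 DPT=25 SYN'

# Assumed gateway addresses: 192.168.1.1 on the LAN, 203.0.113.9 on the Internet side.
LOCAL="192.168.1.1 203.0.113.9"
echo "laptop -> mail server : $(chain_for_packet "$LOCAL" 192.168.1.23 203.0.113.5)"
echo "internet -> gateway   : $(chain_for_packet "$LOCAL" 198.51.100.7 203.0.113.9)"
echo "gateway -> internet   : $(chain_for_packet "$LOCAL" 203.0.113.9 198.51.100.7)"
echo "--- rules ---"
forward_smtp_rules eth1 eth0
echo "--- dropped SMTP came from: $(log_src "$SAMPLE_LOG") ---"
```

The point the classifier makes is the one in the reply: a housemate's laptop talking to an outside mail server is never seen by OUTPUT, only by FORWARD, so that is the chain whose drops are worth logging for this threat model.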
