Problem w/ iptables on FC3

/dev/rob0 rob0 at gmx.co.uk
Mon Jul 4 21:32:59 CEST 2005


On Monday 04 July 2005 13:36, John Sasso Jr wrote:
> I'm curious - for the sample configuration I gave in my original
> posting, why would:
>
> iptables -A OUTPUT -o eth0 -s 192.168.50.100 -p icmp --icmp-type
> echo-request -j ACCEPT
>
> fail to permit a packet originating from my system out?  I understand

Try inserting a LOG rule ahead of that ...
iptables -I OUTPUT -o eth0 -j LOG
and watch your kernel logs while trying to ping. Check the counters, 
with "iptables -vnL". Are they incremented for each ping sent? If so, 
they matched the rule; if not, they didn't.

Maybe the replies aren't matching. Repeat the above steps for INPUT. 
Soon enough you will find out why it didn't work.

Or not. Actually I bet you will find that no pings were sent. What do 
you have for "ls -l `which ping`"? Is it SUID?

$ v `which ping`
-rws--x--x  1 root bin 29232 2004-11-03 22:55 /bin/ping
   ^
That little "s" there is necessary for non-root users.

> what "iptables -P OUTPUT ACCEPT" does, and I am not arguing the logic
> behind using that instead for my situation, but I'm wondering if
> packet filtering operates differently for traffic originated by a
> firewall as opposed to traversing a firewall.

OUTPUT is the chain that sees the packets which originated on the 
firewall machine. Packet matching follows the same principle in all 
tables and chains.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
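As an added example, not part of this mail or of the netfilter project, here is a small POSIX shell script that does the two checks suggested above without needing root: it compares the packet counters in two snapshots of "iptables -vnL OUTPUT" (taken before and after a ping) to see whether the LOG rule and the ACCEPT rule actually matched, and it tests whether a given ping binary carries the SUID bit. The two iptables listings embedded below are constructed sample text, not output captured from a real box; on a real system you would produce them with the commands shown in the comments (add -x so large counters are not abbreviated with K/M suffixes).

```shell
#!/bin/sh
# Added example: check iptables rule counters and the SUID bit on ping.
# On a live system the snapshots come from:
#   iptables -I OUTPUT -o eth0 -j LOG
#   iptables -vnxL OUTPUT > before ; ping -c 4 <host> ; iptables -vnxL OUTPUT > after

# Print the pkts counter of the first rule in a chain listing ($1 is the
# full "iptables -vnL <chain>" text) whose target column equals $2.
rule_pkts() {
    printf '%s\n' "$1" | awk -v target="$2" '
        # -vnL rows: pkts bytes target prot opt in out source destination ...
        # line 1 is the "Chain ..." header, line 2 the column titles
        NR > 2 && $3 == target { print $1; exit }
    '
}

# Succeed when the counter of rule "$3" (default LOG) grew between the
# two snapshots $1 (before) and $2 (after), i.e. the packets hit the rule.
rule_matched() {
    before=$(rule_pkts "$1" "${3:-LOG}")
    after=$(rule_pkts "$2" "${3:-LOG}")
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# Non-root users can only open the raw socket ping needs if the binary
# is setuid root: "-rws--x--x" in ls -l, tested here with [ -u ].
ping_is_suid() {
    [ -u "$1" ]
}

# Constructed sample listings (not real output). Before the ping nothing
# has matched; after four echo requests both rules show four packets.
SNAP_BEFORE='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 ACCEPT     icmp --  *      eth0    192.168.50.100       0.0.0.0/0            icmp type 8'

SNAP_AFTER='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    4   336 ACCEPT     icmp --  *      eth0    192.168.50.100       0.0.0.0/0            icmp type 8'

# Stand-alone run: report what the sample snapshots say.
if rule_matched "$SNAP_BEFORE" "$SNAP_AFTER" LOG; then
    echo "LOG counter moved: packets did leave via OUTPUT"
else
    echo "LOG counter unchanged: no packets were sent at all (check SUID on ping)"
fi
if rule_matched "$SNAP_BEFORE" "$SNAP_AFTER" ACCEPT; then
    echo "ACCEPT counter moved: the echo-request rule matched"
fi
if ping_is_suid /bin/ping; then
    echo "/bin/ping is SUID"
fi
```

If the LOG counter stays at zero while you ping as a normal user, the packets never reached netfilter at all, which is exactly the missing-SUID case the mail describes; a moving LOG counter with a stuck ACCEPT counter points instead at the match criteria of the ACCEPT rule.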