Visit The New, Modern Unix Linux Community


iptables rule sanity check?


 
Thread Tools Search this Thread
Special Forums Cybersecurity iptables rule sanity check?
# 1  
iptables rule sanity check?

why would:
Code:
 iptables -A INPUT -s 180.0.0.0/8 -j DROP

along with /etc/hosts.deny rule of
Code:
 ALL: 180.0.0.0/8

not stop traffic to/from 180.x.x.x, which I still see by running iftop? Or could iftop just be showing an artifact and is there a better way to monitor connections real-time?
# 2  
In fact I wonder if this is the right forum, I would believe Security - The UNIX and Linux Forums or IP Networking - The UNIX and Linux Forums more suitable... Let us know if you desire to move your thread...
# 3  
Quote:
Originally Posted by unclecameron
why would (..) along with /etc/hosts.deny rule of (..) not stop traffic to/from 180.x.x.x, which I still see by running iftop?
First of all tcp_wrappers may be considered complementary in a multi-layered approach to network access restrictions but there's a fundamental difference between tcp_wrappers and Netfilter. The first works only at the application level (and only if the application was compiled with -libwrap) and the latter works at the network level, meaning no interaction with any application.
In short: Netfilter = "must have", tcp_wrappers = "nice to have".

As for your question you show isolated rules, no rule counters and no evidence of traffic, meaning your rule could be placed below a rule that already accepts traffic or you haven't killed or restarted the network process or didn't reset individual connections so you might be seeing already established connections.


Quote:
Originally Posted by unclecameron
Or could iftop just be showing an artifact and is there a better way to monitor connections real-time?
I doubt that. Iftop uses the libpcap ('man 3 pcap') framework for data handling just like tcpdump, Wireshark or say nmap.
# 4  
@vbe: thanks for moving the post, makes sense Smilie

@unSpawn: There are no other rules active in iptables, and I have restarted all the network related processes I could find. Thanks for the info on pcap

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #308
Difficulty: Easy
The first computer bug was created by a broken keyboard input.
True or False?

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

iptables rule to block access from VM Browser to Firewall Login Page

(1 Reply)
Discussion started by: senrabdet
1 Replies

2. Cybersecurity

LDAP - sanity check

I have recently changed jobs and where i used to work we had kerberos. Here they have nothing resembling central password management or Network Authentication. I have started looking at LDAP but wonder if that is a good choice. we have a solaris/centos environment (no windows whoo hooo) with 4... (2 Replies)
Discussion started by: oly_r
2 Replies

3. IP Networking

iptables - most easy way to find rule and remove it?

I have situation where I have rules in iptables with comments. Now... I can for example enter rule like "iptables -A FORWARD -s xxx -j ACCEPT" and delete it with "iptables -D FORWARD -s xxx -j ACCEPT".. but if that rule contain some random comment (-m comment) then ... ? I can find with scripting... (2 Replies)
Discussion started by: darkman_hr
2 Replies

4. Linux

iptables rule problem

Hi, i have 40 client's in my network, that connected to internet via squid server (WebProxy). i want none of these client can't ping my squid server bat squid server can ping them.i wrote these rules but it is'nt work. iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -A INPUT -p... (1 Reply)
Discussion started by: skynet_boy
1 Replies

5. Solaris

lib/cpp fails sanity check

I'm trying to install a new library for php but everytime I run configure I got the following error "lib/cpp" fails sanity check. My OS is solaris 10 Any help on how to solve this issue would be highly appreciated (3 Replies)
Discussion started by: dahr
3 Replies

6. UNIX for Advanced & Expert Users

*** [Gentoo] sanity check failed! ***

I faced the following error while configuring the spine for cacti. Can any one help me to sort out this problem: hecking how to run the C++ preprocessor... g++ -E checking for g77... g77 checking whether we are using the GNU Fortran 77 compiler... yes checking whether g77 accepts -g... yes... (1 Reply)
Discussion started by: praveen_b744
1 Replies

7. Debian

./configure is broken - /lib/cpp fails sanity check

Hi, I first wanted to install my NIC drivers but it said: Makefile:62: *** Linux kernel source not found. Stop. So I installed the kernel source: linux-source-2.6.18_2.6.18.dfsg.1-13etch5_all.deb 1) cd /usr/src 2) -xjvf linux-source.2.6.18.extension (forget what it was) 3) ln -s... (12 Replies)
Discussion started by: Virtuality
12 Replies

8. UNIX for Advanced & Expert Users

iptables rule to block ping to internet

I want to block ping on a linuxbox to any other address where it would go to the default gateway. vmdebianamd64:/etc/tcng# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 198.9.200.0 * 255.255.255.0 U 0 ... (1 Reply)
Discussion started by: progressdll
1 Replies

Featured Tech Videos