On Thursday 19 January 2006 17:56, Richard Emberson wrote:
> What happens to existing connections if one reconfigures the
> machine's IpTables?
> Add a new rule?
> Remove a rule?
> Blow away configuration and set a new one?
> Add a host/port mapping?
> Remove a host/port mapping?
>
> Thanks
>
> RME
>
> --
> This email message is for the sole use of the intended recipient(s) and
> may contain confidential information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all
> copies of the original message.

Note!!! This information is not complete.

If I understand what you are asking: iptables is the firewall program. Typically you can affect routing only by blocking or allowing data packets in or through the machine where it is implemented.

Routing is done by the route command and the network configuration files, such as /etc/sysconfig/network-scripts/ifcfg-eth0, ifdown-aliases, ifdown-ppp, ifup, ifup-routes, ifup-wireless and /etc/resolv.conf, /etc/hosts, which tell the kernel et al. where to send the data packets and/or look for the address information.

Also, for the system to pass data packets through the system, /proc/sys/net/ipv4/ip_forward has to be set to '1', such as

    echo 1 > /proc/sys/net/ipv4/ip_forward

or by setting in /etc/sysctl.conf:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

If the iptables rule set is not correct or not ordered correctly, though, there is a good chance that the connection will be denied or possibly degraded.
To see what rules are being used, try as root:

    iptables -vnL

A sample of mine:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
11441 8822K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     all  --  eth0   *       192.168.14.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
   24  2208 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            192.168.14.255
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   38  3468 REJECT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  *      *       68.48.0.13           0.0.0.0/0            udp spt:53
    0     0 ACCEPT     udp  --  *      *       68.48.0.6            0.0.0.0/0            udp spt:53
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `F
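The reply's point about rule order, and the original question about existing connections, come down to how the kernel walks a chain: top to bottom, first terminating match wins, chain policy otherwise. As an added example (not code from this thread or from iptables itself), the Python below parses the INPUT listing shown above (re-typed here as a constructed sample, minus the truncated trailing LOG rule) and replays that walk for a few constructed packets. The client address 203.0.113.5, the host address 198.51.100.1 and the conntrack states are assumptions chosen for the demonstration; rate limits (`limit:`) are treated as always matching, and non-terminating targets such as LOG are skipped, so the simulator answers "which rule decides this packet", not "what does the live kernel do".

```python
import ipaddress
import re

# Constructed sample: the INPUT chain from the `iptables -vnL` listing above,
# minus its truncated trailing LOG rule. Columns are exactly as iptables prints them.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
11441 8822K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     all  --  eth0   *       192.168.14.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
   24  2208 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            192.168.14.255
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   38  3468 REJECT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  *      *       68.48.0.13           0.0.0.0/0            udp spt:53
    0     0 ACCEPT     udp  --  *      *       68.48.0.6            0.0.0.0/0            udp spt:53
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG and similar targets fall through

def parse_chain(listing):
    """Parse one chain of `iptables -vnL` output into (policy, [rule dicts])."""
    lines = listing.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip "Chain ..." and the column header
        f = line.split()
        rules.append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": ipaddress.ip_network(f[7]), "dst": ipaddress.ip_network(f[8]),
            "extra": f[9:],                     # match extensions: state, dpt:, icmp type, ...
        })
    return policy, rules

def extras_match(extra, pkt):
    """Interpret the match-extension column; `limit:` is assumed to be within its burst."""
    i = 0
    while i < len(extra):
        tok = extra[i]
        if tok == "state":
            if pkt["state"] not in extra[i + 1].split(","):
                return False
            i += 2
        elif tok == "type":                     # "icmp type N"
            if pkt.get("icmp_type") != int(extra[i + 1]):
                return False
            i += 2
        elif tok[:4] in ("dpt:", "spt:"):       # tcp/udp destination or source port
            if pkt.get({"dpt:": "dport", "spt:": "sport"}[tok[:4]]) != int(tok[4:]):
                return False
            i += 1
        else:                                   # proto repeat, reject-with, limit: ... are ignored
            i += 1
    return True

def rule_matches(rule, pkt):
    return ((rule["prot"] == "all" or rule["prot"] == pkt["proto"])
            and (rule["in"] == "*" or rule["in"] == pkt["in"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and extras_match(rule["extra"], pkt))

def verdict(policy, rules, pkt):
    """First terminating match wins, as the kernel walks the chain;
    returns (target, 1-based rule number), or (policy, None) if nothing matched."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"], n
    return policy, None

def pkt(iface, proto, src, dst, state, **fields):
    """An inbound packet as conntrack would classify it (state NEW/ESTABLISHED/INVALID...)."""
    p = {"in": iface, "proto": proto, "src": src, "dst": dst, "state": state}
    p.update(fields)
    return p

if __name__ == "__main__":
    policy, rules = parse_chain(SAMPLE_INPUT_CHAIN)
    # Constructed addresses: 203.0.113.5 is a remote client, 198.51.100.1 is this host.
    for name, p in [
        ("new ssh on eth0",         pkt("eth0", "tcp", "203.0.113.5", "198.51.100.1", "NEW", dport=22)),
        ("new ssh on wlan0",        pkt("wlan0", "tcp", "203.0.113.5", "198.51.100.1", "NEW", dport=22)),
        ("spoofed LAN src on eth0", pkt("eth0", "tcp", "192.168.14.7", "198.51.100.1", "NEW", dport=22)),
        ("existing ssh on eth0",    pkt("eth0", "tcp", "203.0.113.5", "198.51.100.1", "ESTABLISHED", dport=22)),
    ]:
        print(f"{name:26} -> {verdict(policy, rules, p)}")
```

Two things the walk makes visible. First, order: a new SSH connection arriving on wlan0 never reaches the `tcp dpt:22` ACCEPT near the bottom, because the `wlan0 ... state NEW` DROP above it fires first, while the same packet on eth0 falls all the way through to the port-22 rule; a packet from 192.168.14.0/24 on eth0 is rejected by the anti-spoofing rule before any service rule is considered. Second, for the original question: each packet is judged on its own against the rules in place at that moment, so an already-open connection keeps working after a rule change only as long as a rule accepting `RELATED,ESTABLISHED` traffic still sits ahead of anything that would block it, and the kernel's conntrack table still holds the entry (flushing or replacing rules does not flush conntrack; that is a separate table).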