Thank you for the response.
What I was asking was: You've got an existing set of IpTable rules and you
have a set of current/active connections that are governed by those rules.
If you then change the rules, what happens to the existing connections?
Are they still associated with the old rules, or are the new rules applied?
If an old rule says that a connection from a particular machine is allowed
and you currently have such a connection and then you install new rules
that disallow connections from that machine - will the existing connection
be terminated or still remain open?
RME
jludwig wrote:
On Thursday 19 January 2006 17:56, Richard Emberson wrote:
What happens to existing connections if one reconfigures the
machine's IpTables?
Add a new rule?
Remove a rule?
Blow away configuration and set a new one?
Add a host/port mapping?
Remove a host/port mapping?
Thanks
RME
--
This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.
Note:!!! This information is not complete.
If I understand what you are asking:
Iptables is the firewall program. Typically you can affect routing only by
blocking or allowing data packets in or through the machine where it is
implemented.
Routing is done by the route command and the network configuration files S.A.
/etc/sysconfig/network-scripts/
ifcfg-eth0, ifdown-aliases, ifdown-ppp, ifup, ifup-routes, ifup-wireless
and
/etc/
resolv.conf, hosts, which tell the kernel et al. where to send the data
packets and/or look for the address information.
Also for the system to pass data packets through the
system /proc/sys/net/ipv4/ip_forward has to be set to '1'
S.A.
echo 1 > /proc/sys/net/ipv4/ip_forward
or by setting in /etc/sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
If the iptables rule set is not correct or ordered correctly though, there is
a good chance that the connection will be denied or possibly degraded.
To see what rules are being used, try as root:
iptables -vnL
A sample of mine:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
11441 8822K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- eth0 * 192.168.14.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
24 2208 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 DROP icmp -- * * 0.0.0.0/0 192.168.14.255
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
38 3468 REJECT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 reject-with icmp-port-unreachable
0 0 ACCEPT udp -- * * 68.48.0.13 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 68.48.0.6 0.0.0.0/0 udp spt:53
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `F
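As an added illustration of the question that opens this thread (what happens to an already-open connection when the rules change), here is a small Python simulator. It is not code from either poster; it transcribes a subset of the INPUT chain listed above into a constructed rule table and walks a packet through it first-match style, the way netfilter does. Netfilter keeps no association between a connection and the rule that originally admitted it: every packet is checked against the chain as it exists at that moment, and what keeps an established connection alive after a change is a state RELATED,ESTABLISHED ACCEPT rule that still sits in front of any newly added DROP or REJECT. The Rule, Packet, evaluate and with_block_rule names are the example's own, and the packet addresses are constructed.

```python
"""Simulate first-match evaluation of an iptables INPUT chain.

Added example, not from the thread. The rule table below is a constructed,
simplified transcription of the `iptables -vnL` listing quoted above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or LOG
    proto: str = "all"
    in_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    states: frozenset = frozenset()  # empty set = no conntrack state match
    dport: Optional[int] = None


@dataclass
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    state: str                       # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match must hold, as in a single iptables rule."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.in_if != "*" and rule.in_if != pkt.in_if:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(chain, pkt: Packet, policy: str = "DROP") -> str:
    """Verdict of the first matching terminating rule, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            if rule.target == "LOG":  # LOG is non-terminating; evaluation continues
                continue
            return rule.target
    return policy


# Constructed transcription of the quoted INPUT chain (subset, same order).
SAMPLE_INPUT = [
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", in_if="lo"),
    Rule("REJECT", dst="127.0.0.0/8"),
    Rule("ACCEPT", in_if="eth1"),
    Rule("ACCEPT", in_if="eth0", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("DROP", in_if="wlan0", states=frozenset({"NEW"})),
    Rule("ACCEPT", in_if="wlan0", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("REJECT", in_if="eth0", src="192.168.14.0/24"),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("REJECT", proto="udp", in_if="eth0", dport=137),
    Rule("ACCEPT", proto="tcp", dport=22),
]


def verdict_for_existing_and_new(chain):
    """Verdicts for a packet of an already-open SSH session and for a fresh SYN,
    both from a constructed host in 192.168.14.0/24 arriving on eth0."""
    est = Packet("eth0", "tcp", "192.168.14.10", "192.168.14.1", "ESTABLISHED", dport=22)
    new = Packet("eth0", "tcp", "192.168.14.10", "192.168.14.1", "NEW", dport=22)
    return evaluate(chain, est), evaluate(chain, new)


def with_block_rule(chain, position: str):
    """Verdicts after adding a DROP for that subnet, either inserted at the head
    of the chain (iptables -I INPUT 1 ...) or appended (iptables -A INPUT ...)."""
    block = Rule("DROP", in_if="eth0", src="192.168.14.0/24")
    new_chain = [block] + chain if position == "top" else chain + [block]
    return verdict_for_existing_and_new(new_chain)


if __name__ == "__main__":
    print("original chain     :", verdict_for_existing_and_new(SAMPLE_INPUT))
    print("DROP inserted first:", with_block_rule(SAMPLE_INPUT, "top"))
    print("DROP appended      :", with_block_rule(SAMPLE_INPUT, "end"))
```

With the chain as listed, the established session is accepted by the eth0 RELATED,ESTABLISHED rule while the new connection attempt reaches the 192.168.14.0/24 REJECT. Appending a DROP for that subnet changes nothing, because both packets are already decided earlier in the chain; inserting the same DROP at position 1 stops the established session's packets too, since the state rule is never reached. The connection is not "terminated" by iptables itself; its packets simply stop passing, and the peers time out.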