[plug] iptables questions

Fred Janon fjanon at yahoo.com
Wed Sep 29 17:19:23 WST 2010


Thanks, it helps a lot. So I should just flush the iptables and keep working on the ISP firewall. I thought that I configured the firewall to let ping and traceroute packets in with udp ports 33434 to 33534 and icmp.

Last time I asked, my ISP (TPG) was letting everything through.

More questions then:

- Are there processes that listen for pings and traceroute requests by default, or do I need to start them? (I know, it is probably different for all linux distribs and installs)

- Are there iptables for root and each user???

Thanks for being more precise.

Fred

--- On Wed, 9/29/10, Daniel Pittman <daniel at rimspace.net> wrote:

From: Daniel Pittman <daniel at rimspace.net>
Subject: Re: [plug] iptables questions
To: plug at plug.org.au
Date: Wednesday, September 29, 2010, 5:00 PM

Fred Janon <fjanon at yahoo.com> writes:

> I am trying to understand how iptables work. I have a CentOS install and I
> am trying to enable ping/tracert on that instance. I don't understand if
> every port is open or closed by default on that instance?

The behaviour of iptables when there isn't a rule is called the "policy", and
as you can see from your output...

> $ sudo iptables -L -n
> Chain INPUT (policy ACCEPT)

...the INPUT chain has a policy of ACCEPT.  So, if no rules match the packet
the policy is to accept it.  The rest of the chains are left as an exercise
for the reader.

> What does an empty rule mean?

There is no such thing as "an empty rule".  You *can* talk about an empty
table, in which case it means one of two things:

If it is a root table (eg: INPUT, FORWARD, OUTPUT, and related) then the
default behaviour is as per the policy.

If it is a user-defined table then the behaviour is to return to the calling
table and proceed from the rule following the caller.

> Every port open or every port closed?

It might be worth noting that a port being "open" or "closed" is actually
using a bit of network jargon incorrectly.  While I know you mean "is the
firewall letting packets through", it usually refers to "is there a process
listening for packets on that protocol and port?"

"blocked", or "firewalled", would be more typical ways to express what that
question is asking, and that might help with confusion when talking to other
folks about it. :)

[...]

> After some research, I did this to try to enable PINGs. The server IP is
> 10.161.82.237
>
> ---------------------------
> $ SERVER_IP="10.161.82.237"
> $ sudo iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

[...]

> The tracert or ping still time out.

traceroute uses UDP packets, not ICMP, but whatever the cause of your problem,
it isn't the firewall rules.  :)

I don't know why they are not getting between your client and your server, but
the firewall is allowing them through.  I would suggest you check if your
hosting provider has any firewall in place, and that your ISP and local router
are not blocking the requests.

        Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
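As an added illustration of the two behaviours Daniel describes (not code from the thread or from any iptables release): a small model of netfilter chain traversal, in which a built-in chain's policy decides packets no rule matched, and an empty user-defined chain returns to the caller, which carries on at the rule after the jump. The ruleset, the chain name `PING_TRACE` and the helpers `verdict` and `check` are all constructed for this example.

```python
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule(target, proto=None, dport=None, icmp_type=None):
    """One rule: match fields (None means 'any') plus a target."""
    return {"target": target, "proto": proto, "dport": dport, "icmp_type": icmp_type}

def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None:
        lo, hi = r["dport"]
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
        return False
    return True

def verdict(chains, policies, chain, pkt):
    """Walk `chain`. Returns a terminal verdict, or None when a user-defined
    chain is exhausted (or hits RETURN) and control goes back to the caller."""
    for r in chains.get(chain, []):
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            break
        sub = verdict(chains, policies, t, pkt)  # jump into a user-defined chain
        if sub is not None:
            return sub
        # the sub-chain fell off its end: resume at the rule after the jump
    if chain in BUILTIN_CHAINS:
        return policies[chain]  # nothing matched: the chain policy decides
    return None

# Constructed ruleset: echo requests (ICMP type 8) and traceroute's UDP probes
# (ports 33434-33534) jump to an empty user-defined chain; SSH is accepted.
CHAINS = {
    "INPUT": [rule("PING_TRACE", proto="icmp", icmp_type=8),
              rule("PING_TRACE", proto="udp", dport=(33434, 33534)),
              rule("ACCEPT", proto="tcp", dport=(22, 22))],
    "PING_TRACE": [],
}
PACKETS = {"ping": {"proto": "icmp", "icmp_type": 8},
           "traceroute": {"proto": "udp", "dport": 33450},
           "ssh": {"proto": "tcp", "dport": 22}, "http": {"proto": "tcp", "dport": 80}}

def check(policy):
    """Verdict for each sample packet under the given INPUT policy."""
    return {n: verdict(CHAINS, {"INPUT": policy}, "INPUT", p) for n, p in PACKETS.items()}
```

With policy ACCEPT every packet is accepted by the policy alone, which is Daniel's point that Fred's rule is not what decides; with policy DROP the empty chain returns and ping and traceroute fall through to DROP while SSH is still accepted by its explicit rule.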