Re: [Fwbuilder-discussion] Accept rules in table mangle.
From: Niumar A. K. <ni...@so...> - 2008-08-19 14:17:22
Ohh right! I understand you!
The right way is to create two branching rules, one for mangle and another for filter.

Thanks for the help!

On Mon, 2008-08-18 at 21:35 -0700, Vadim Kurland wrote:
> On Aug 18, 2008, at 10:54 AM, Niumar André Klein wrote:
>
> > Ok hehehe let me explain better.
> >
> > On the image01 I checked the option "In addition to filter, create
> > branching rule in 'mangle' tables as well"
> >
> > The image02 has two rules, the first permits ftp to go out and the
> > second marks http.
> >
> > I think that the Ftp rule doesn't need the mangle table, because I
> > don't edit it, and the default policy for table mangle, chain OUTPUT
> > is ACCEPT, so a rule to accept is not necessary.
>
> fwbuilder does not set default policy for chains in the mangle table,
> so this ACCEPT is what was there by default.
>
> > The two images annexed produced the "iptables -L -n -t mangle" output:
> >
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > tcp_outbound_inet_01  tcp  --  192.168.0.38  0.0.0.0/0  tcp
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > tcp_outbound_inet_01  tcp  --  192.168.0.38  0.0.0.0/0  tcp
> >
> > Chain tcp_outbound_inet_01 (2 references)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:21
> > MARK       tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:80 MARK set 0x2
> >
> > Note the line "Chain OUTPUT (policy ACCEPT)".
> > With this policy I think that the rule
> > "ACCEPT tcp -- 192.168.0.38 0.0.0.0/0 tcp dpt:21"
> > in the chain "tcp_outbound_inet_01", table mangle, is not necessary,
> > because the default policy is ACCEPT and not DROP.
>
> this iptables command is there because of the rule #0 in your policy
> tcp_outbound_inet_01, which explicitly requests ftp to be accepted.
>
> If you do not want to have a rule in the mangle table that would
> accept ftp, then you should not put both rules that match ftp and http
> in the same policy and request this policy to be placed in both tables
> filter and mangle. Create two separate branching rules and create two
> separate policies, one for ftp and another for http. Then request only
> one of these policies to be placed in the mangle table.
>
> However I feel I still might not understand the problem.
>
> --vk
>
> > On Mon, 2008-08-18 at 09:49 -0700, Vadim Kurland wrote:
> >> On Aug 18, 2008, at 9:48 AM, Niumar André Klein wrote:
> >>
> >>> Hi!
> >>>
> >>> I don't know if this is a bug..
> >>>
> >>> For Fwbuilder 3.0.0 (build 474), is it necessary to create ACCEPT
> >>> rules in the table mangle when its policy is ACCEPT?
> >>> In the older versions this doesn't occur.
> >>>
> >>> Example: to mark a packet in the table mangle, chain OUTPUT.
> >>
> >> I don't quite understand the problem. Could you provide an example?
> >>
> >> --vk
> > --
> > Niumar André Klein
> > Network/server analyst
> > SOLIS - Cooperativa de Soluções Livres
> > www.solis.coop.br
> >
> > <image01.jpg>
> > <image02.jpg>

--
Niumar André Klein
Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br
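
Added example, not part of the thread and not fwbuilder code: a small Python audit of the `iptables -L -n -t mangle` listing quoted above. It reports ACCEPT rules in chains reached only from built-in chains whose policy is already ACCEPT, together with the later rules in the same chain that each ACCEPT stops from being evaluated. The function names are hypothetical and the listing is an excerpt re-typed from the post.

```python
import re
# Excerpt of the "iptables -L -n -t mangle" listing from the thread
# (wrapped lines joined; the three empty built-in chains are omitted).
LISTING = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38  0.0.0.0/0  tcp

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38  0.0.0.0/0  tcp

Chain tcp_outbound_inet_01 (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:21
MARK       tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:80 MARK set 0x2
"""

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse(listing):
    """Return {chain: {"policy": str or None, "rules": [(target, match)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:  # built-in chains carry a policy, user-defined chains do not
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            target, rest = line.split(None, 1)
            current["rules"].append((target, " ".join(rest.split())))
    return chains

def caller_policies(chains, name, seen=()):
    """Policies of the built-in chains from which chain `name` is reachable."""
    if chains[name]["policy"]:
        return {chains[name]["policy"]}
    found = set()
    for caller, c in chains.items():
        if caller not in seen and any(t == name for t, _ in c["rules"]):
            found |= caller_policies(chains, caller, seen + (name,))
    return found

def verdict_neutral_accepts(chains):
    """ACCEPT rules reached only via policy-ACCEPT chains, plus the later rules they skip."""
    return [(name, match, [t for t, _ in c["rules"][i + 1:]])
            for name, c in chains.items()
            if caller_policies(chains, name) == {"ACCEPT"}
            for i, (target, match) in enumerate(c["rules"]) if target == "ACCEPT"]
```

Calling `verdict_neutral_accepts(parse(LISTING))` returns the dpt:21 ACCEPT rule with `["MARK"]` as the rules that follow it. In this listing the two rules match different ports, so the ACCEPT changes nothing; the list is worth checking when a later rule could match the same packets.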