
Re: iptable in fc5



Hongwei Li wrote:
Hongwei Li wrote:

Hi,
Sorry that I hit Send before I finished it.

I have a question about iptables in fc5. I have iptables 1.3.5-1.2
installed.
By default, iptables has a line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
... and
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I tried to add port 2049 for our LAN NFS by adding a line before the above
reject line:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT


That rule will only match the initial packet of the stream.  You will
also need to match states ESTABLISHED and RELATED:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT



-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and restart iptables.  But my other Linux boxes cannot mount the exported
folder.  If I stop iptables, then they can mount it.  I tried to open
several other ports: 137, 139, etc.  But as long as the last line is there,
it always fails.  If I comment out the last line, then NFS works.


To find out what may be missing you may want to try tcpdump. Make sure to use the -nn option so that ports are displayed as numbers rather than names. This should show you just which ports are being expected.

In the meanwhile, please post the output of iptables-save. This will show us your current firewall settings.

What is "icmp-host-prohibited"?

Just what it says.  You are prohibited from accessing this host.


How do I set it to allow some requests?  It
seems that it is different from fc4.  Is there any link for iptables in fc5
where I can learn more?



I tried:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and for other ports 137, 139, etc.  Still the same: as long as the last line is
there, NFS does not work.  Comment it out, and the problem is gone.

I will try what Arthur suggested: firestarter.  But I still want to
understand what "icmp-host-prohibited" means and where to set it.
Thanks!

Hongwei



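An added example (not from the thread) that walks constructed sample packets through the RH-Firewall-1-INPUT rules quoted above, first with the NEW-only rule and then with the NEW,ESTABLISHED,RELATED rule from the reply, to show why a rule that matches only NEW lets the first packet through while the final REJECT line catches the rest of the stream. The parser understands only the options used in this thread, and the packet contents (addresses, ports, conntrack states) are made up for illustration.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse one iptables-save style '-A CHAIN ...' rule into match criteria.
    Only options used in this thread are understood; '-m', '--icmp-type' and
    '--reject-with' are skipped since they do not change which packets match here."""
    tok = shlex.split(line)
    rule = {"chain": None, "src": None, "proto": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(tok):          # every option on this page takes exactly one argument
        t, arg = tok[i], tok[i + 1]
        if t == "-A": rule["chain"] = arg
        elif t == "-s": rule["src"] = ipaddress.ip_network(arg, strict=False)  # accepts dotted netmask
        elif t == "-p": rule["proto"] = arg
        elif t == "--dport": rule["dport"] = int(arg)
        elif t == "--state": rule["states"] = set(arg.split(","))
        elif t == "-j": rule["target"] = arg
        elif t not in ("-m", "--icmp-type", "--reject-with"):
            raise ValueError("unsupported option: " + t)
        i += 2
    return rule

def matches(rule, pkt):
    """True if every criterion the rule sets agrees with the packet."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]: return False
    if rule["proto"] and rule["proto"] != pkt["proto"]: return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]: return False
    if rule["states"] and pkt["state"] not in rule["states"]: return False
    return True

def verdict(rules, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return "fall through to chain policy"

ICMP_OK = "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT"
REJECT_ALL = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"
NEW_ONLY = [parse_rule(l) for l in (ICMP_OK,
    "-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT",
    REJECT_ALL)]
WITH_STATES = [parse_rule(l) for l in (ICMP_OK,
    "-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT",
    REJECT_ALL)]

# Constructed packets: a LAN client's first SYN to nfsd, a later packet of that
# same connection, and a LAN packet to a port the chain never opened.
SYN_2049 = {"src": "128.252.85.7", "proto": "tcp", "dport": 2049, "state": "NEW"}
DATA_2049 = {"src": "128.252.85.7", "proto": "tcp", "dport": 2049, "state": "ESTABLISHED"}
SYN_111 = {"src": "128.252.85.7", "proto": "tcp", "dport": 111, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("NEW only", NEW_ONLY), ("NEW,ESTABLISHED,RELATED", WITH_STATES)):
        for pkt in (SYN_2049, DATA_2049, SYN_111):
            print(f"{name:24} {pkt['state']:12} dport {pkt['dport']:5} -> {verdict(chain, pkt)}")
```

The simulator covers only the rules quoted in the thread; whether a real mount also needs ports beyond 2049 is exactly what the tcpdump -nn suggestion above would reveal.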