How to unset up the firewall... :-)
Fabrício Santos
fabricio.santos at quicknet.nl
Sat Mar 27 23:41:20 UTC 2004
Viva Alexander,
Thanks for your answer.
> Please, do NOT send HTML to the list!
Your wish is my command... I couldn't find the option for doing so in Yahoo
mail so here I go with my home email...
> Is your Fedora machine a router for you or behind a router?
> Is then SSH and HTTPD running directly connected to the
> net or behind a router?
Fedora is behind the router. Hence the packet trace shows a source IP on
the internet (13.13.13.13) and the destination 192.168.1.1, as port forwarding
had already been applied. It may be a bit confusing, but my router is not
192.168.1.1... :-) It was the router before I got myself a wireless router
switch, and it kept using that same IP after that.
> You can check which iptables rules are active by issuing the command
> "iptables -L -v -n". If you run a "service iptables stop" then under
> default circumstances there should be no rule left and filtering.
>
> Alexander
I didn't really look at the iptables man page, but when I try the command you
gave me, I believe everything seems to be OK and all kinds of traffic should
be accepted:
===============================================
[root@somehost root]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
===============================================
But nevertheless, connections are still not responded to (using tethereal this
time, as the output is more readable):
===============================================
[root@somehost root]# tethereal -n port 8080
Capturing on eth0
0.000000 13.13.13.13 -> 192.168.1.1 TCP 42443 > 8080 [SYN] Seq=953358288 Ack=0 Win=5840 Len=0
2.994874 13.13.13.13 -> 192.168.1.1 TCP 42443 > 8080 [SYN] Seq=953358288 Ack=0 Win=5840 Len=0
===============================================
If I stop iptables using the init.d script:
===============================================
[root@somehost root]# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
===============================================
I still get the same result and no answer to the TCP SYNs. Now, if I try it
from inside my network, it works fine:
===============================================
[root@somehost root]# tethereal port 8080
Capturing on eth0
0.000000 192.168.1.2 -> 192.168.1.1 TCP 1958 > webcache [SYN] Seq=1296792560 Ack=0 Win=64512 Len=0
0.000142 192.168.1.1 -> 192.168.1.2 TCP webcache > 1958 [SYN, ACK] Seq=947748956 Ack=1296792561 Win=5840 Len=0
0.000328 192.168.1.2 -> 192.168.1.1 TCP 1958 > webcache [ACK] Seq=1296792561 Ack=947748957 Win=64512 Len=0
0.000686 192.168.1.2 -> 192.168.1.1 HTTP GET /ddb/ HTTP/1.1
...
===============================================
In this set of examples I used HTTP for testing, and the only change I made to
the HTTPD config was adding this virtual host section to the end of
httpd.conf:
===============================================
NameVirtualHost 192.168.1.1:8080
<VirtualHost 192.168.1.1:8080>
    ServerAdmin fabricio.santos at quicknet.nl
    DocumentRoot /var/www/html/somehost
    ServerName somehost.homeip.net
    ServerAlias somehost.homeip.net
    ErrorLog logs/somehost.homeip.net-error_log
    CustomLog logs/somehost.homeip.net-access_log common
</VirtualHost>
===============================================
And besides, I get the same result when using SSH on port 6666. For SSH the
only change I made was to add a line to the /etc/init.d/sshd script:
===============================================
OPTIONS="-p 6666"
===============================================
I'm really clueless here... :-/ so thanks in advance for any help.
PS. I hope the formatting will be OK now... O:-) And sorry for the long email.
-fs
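The traces above show the classic shape of this problem: a SYN reaches eth0, the filter table is empty, and still no SYN,ACK leaves, while the same service answers a LAN client. Whether a listener answers a SYN is decided by four things in order: a socket bound to that address and port, the packet filter (in every table, not only the one `iptables -L` shows), a usable route back to the peer, and the reverse-path filter. The script below is an added example written for this page; it is not code from the thread or from Fedora. The first function parses a tethereal-style text trace in the 2004 format quoted above and lists every flow that carries a SYN but no matching SYN,ACK; the sample trace is constructed from the lines in the post. The second function runs the four live checks for one listener and only executes when invoked with `--live`. The addresses 192.168.1.1, 13.13.13.13 and port 8080 are the thread's; the function names and the `--live` switch are this example's own. Newer tshark prints an arrow and a length column, so the awk field positions would need adjusting there.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post.
#   unanswered_syns - reads a tethereal-style text trace (the 2004 format quoted
#                     in the thread: "t src -> dst TCP sport > dport [FLAGS] ...")
#                     and prints every flow with a SYN but no matching SYN,ACK.
#   check_listener  - live checks for one listener; only runs with --live, so the
#                     script is harmless to execute anywhere.
# The trace below is constructed sample input modelled on the thread, not a new capture.

SAMPLE_TRACE='0.000000 13.13.13.13 -> 192.168.1.1 TCP 42443 > 8080 [SYN] Seq=953358288 Ack=0 Win=5840 Len=0
2.994874 13.13.13.13 -> 192.168.1.1 TCP 42443 > 8080 [SYN] Seq=953358288 Ack=0 Win=5840 Len=0
0.000000 192.168.1.2 -> 192.168.1.1 TCP 1958 > webcache [SYN] Seq=1296792560 Ack=0 Win=64512 Len=0
0.000142 192.168.1.1 -> 192.168.1.2 TCP webcache > 1958 [SYN, ACK] Seq=947748956 Ack=1296792561 Win=5840 Len=0'

# Print "client:port>server:port <syn-count>" for flows whose SYNs were never answered.
# A SYN,ACK is matched by reversing its endpoints into the client's flow key, so
# retransmitted SYNs share one key and are satisfied by a single SYN,ACK.
unanswered_syns() {
  printf '%s\n' "$1" | awk '
    / \[SYN\] /      { key = $2 ":" $6 ">" $4 ":" $8; syn[key]++ }
    / \[SYN, ACK\] / { key = $4 ":" $8 ">" $2 ":" $6; ack[key]++ }
    END { for (k in syn) if (!(k in ack)) print k, syn[k] }
  ' | sort
}

# Live triage: check_listener ADDR PORT PEER, e.g. 192.168.1.1 8080 13.13.13.13
# The order matters: each step only makes sense once the previous one passed.
check_listener() {
  addr=$1; port=$2; peer=$3
  echo "== 1. socket: something must be bound to $addr:$port or 0.0.0.0:$port"
  { if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi; } \
    | grep -E "[:.]$port[[:space:]]" || echo "   nothing is listening on port $port"
  echo "== 2. filter: iptables -L shows only the filter table; nat and mangle can drop or redirect too"
  for t in filter nat mangle; do iptables -t "$t" -L -v -n 2>/dev/null; done
  echo "== 3. return route: without a usable route to $peer the kernel drops the SYN instead of replying"
  ip route get "$peer" 2>/dev/null || route -n
  echo "== 4. reverse-path filter: with rp_filter=1 a SYN whose source is not reachable"
  echo "      via the receiving interface is discarded as a martian before the socket sees it"
  sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.log_martians 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
  check_listener "${2:-192.168.1.1}" "${3:-8080}" "${4:-13.13.13.13}"
else
  echo "Flows in the sample trace with a SYN but no SYN,ACK (client:port>server:port count):"
  unanswered_syns "$SAMPLE_TRACE"
fi
```

Run without arguments it reports only the internet client's flow as unanswered (two SYNs, no SYN,ACK), which is exactly what the two captures above show; run with `--live` on the box itself, step 3 and step 4 are the ones the empty filter table cannot tell you about, since a packet the kernel cannot route a reply for, or one that fails the reverse-path check, is dropped without any iptables rule being involved.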