iptable in fc5
Jay Cliburn
jacliburn at bellsouth.net
Mon May 15 22:09:06 UTC 2006
On Mon, 2006-05-15 at 16:51 -0500, Hongwei Li wrote:
> I want to ask another question -- Why do we need the last line in the file
> iptables:
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> If I comment it out, then everything works. Will that cause firewall actually
> not functioning? In fc3,fc4 I don't see similar line in the default firewall
> setting. Something new in fc5?
If this gets posted twice, I apologize. I posted the first version over
an hour ago, and I've seen nothing.
You're also going to need to unblock ports for portmapper, mountd,
rquotad, and (maybe) rstatd and nfslockd. I have no rules for rstatd
and nfslockd, and can nfs3 mount without problems.
Create a file on the server at /etc/sysconfig/nfs that will bind mountd
and rquotad to fixed ports (I use 922 and 923, but you don't have to).
[root at petrel ~]# cat /etc/sysconfig/nfs
export MOUNTD_PORT=922
export RQUOTAD_PORT=923
Then, in /etc/sysconfig/iptables, add the following rules (change the -s
address as appropriate, or remove it altogether):
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p
tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
More information about the users
mailing list