iptable in fc5

[Jay Cliburn]

On Mon, 2006-05-15 at 16:51 -0500, Hongwei Li wrote:

> I want to ask another question -- Why do we need the last line in the file
> iptables:
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> 
> If I comment it out, then everything works.  Will that cause firewall actually
> not functioning?  In fc3,fc4 I don't see similar line in the default firewall
> setting.  Something new in fc5?

If this gets posted twice, I apologize.  I posted the first version over
an hour ago, and I've seen nothing.

You're also going to need to unblock ports for portmapper, mountd,
rquotad, and (maybe) rstatd and nfslockd.  I have no rules for rstatd
and nfslockd, and can nfs3 mount without problems.

Create a file on the server at /etc/sysconfig/nfs that will bind mountd
and rquotad to fixed ports (I use 922 and 923, but you don't have to).

[root at petrel ~]# cat /etc/sysconfig/nfs
export MOUNTD_PORT=922
export RQUOTAD_PORT=923

Then, in /etc/sysconfig/iptables, add the following rules (change the -s
address as appropriate, or remove it altogether):
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p
tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT