iptable in fc5

jdow jdow at earthlink.net
Mon May 15 23:42:06 UTC 2006


From: "Arthur Pemberton" <pemboa at gmail.com>

> On 5/15/06, Hongwei Li <hongwei at wustl.edu> wrote:
>> > On 5/15/06, Hongwei Li <hongwei at wustl.edu> wrote:
>> >> Hi,
>> >>  Sorry that I hit Send before I finished it.
>> >>
>> >>  I have a question about iptables in fc5. I have iptables 1.3.5-1.2
>> >> installed.
>> >>  By default, the iptables has a line
>> >>  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> >>  ... and
>> >>  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> >>
>> >>  I try to add the port 2049 for our lan nfs by adding a line before the above
>> >>  reject line:
>> >>
>> >> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m
>> >> tcp -p tcp --dport 2049 -j ACCEPT
>> >> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> >>
>> >> and restart iptables.  But my other linux boxes cannot mount the exported
>> >> folder.  If I stop iptables, then they can mount it.  I tried to open
>> >> several other ports: 137, 139, etc.  But as long as the last line is there,
>> >> it always failed.  If I comment out the last line, then nfs works.
>> >>
>> >> What is "icmp-host-prohibited"?  How to set it to allow some requests?  It
>> >> seems that it is different from in fc4. Is there any link for iptables in
>> >> fc5 where I can learn more?
>> >>
>> >> Thanks!
>> >>
>> >> Hongwei
>> >>
>> > Have you tried the GUI configuration tool?
>> >
>>
>> Yes, the same problem.  The other main problem of the gui tool is that it does
>> not provide some required options, e.g. I want to open a port (say 2049, 137,
>> 139) ONLY to my lan, but the gui tool does not have a place to enter "source",
>> "destination", etc. It only provides port number and tcp/udp selection.  How
>> to do it with source/destination?
>>
>> Thanks.
>>
>> Hongwei
>>
> 
> Then it sounds like you need a more powerful firewall configuring
> program. Try Firestarter.
> 
> `yum install firestarter` should get you what you want. I would first
> disable the Fedora based firewall before using Firestarter.

Aw heck, answer the poor guy's question, not what you think his
question was.

iptables uses the first rule that hits a message. Therefore adding
his new rules AFTER the default blanket reject rule is not going to
do him any good. Put it in front of the blanket reject rule to make
it work. (There MAY be SELinux issues as well. But that is another
topic.)

{^_^}
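To make the first-match point concrete, here is an added Python model of how an ordered INPUT chain evaluates the three rules quoted in this thread; it is not code from the thread or from iptables itself. The sample packet sources are constructed, and the chain's default policy ("ACCEPT") is an assumption.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the criteria this toy model checks."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        else:
            i += 1  # -A, -m state/--state, --icmp-type, --reject-with: not modelled

    return rule

def matches(rule, pkt):
    """True when every criterion the rule sets agrees with the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] not in (None, "all") and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """The first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy  # assumed chain policy when nothing matches

# The three rules quoted in the thread: ICMP accept, LAN-only NFS accept, blanket reject.
ICMP = parse_rule("-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT")
NFS_LAN = parse_rule("-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 "
                     "-m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT")
REJECT_ALL = parse_rule("-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited")

# Constructed sample packets: an NFS request from inside the LAN and one from outside it.
NFS_FROM_LAN = {"src": "128.252.85.10", "proto": "tcp", "dport": 2049}
NFS_FROM_OUTSIDE = {"src": "10.0.0.5", "proto": "tcp", "dport": 2049}

NFS_BEFORE_REJECT = [ICMP, NFS_LAN, REJECT_ALL]  # ACCEPT is reached first: works
NFS_AFTER_REJECT = [ICMP, REJECT_ALL, NFS_LAN]   # blanket REJECT swallows it first
```

Running `verdict()` over both orderings shows the LAN NFS packet accepted only when its rule precedes the reject, while the off-LAN packet is rejected in either order.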
