Can't establish connection -
Bob Goodwin
bobgoodwin at wildblue.net
Wed May 26 14:09:44 UTC 2010
On 26/05/10 09:54, Bob Goodwin wrote:
> On 26/05/10 04:09, Tim wrote:
>> On Tue, 2010-05-25 at 16:19 -0700, Rick Stevens wrote:
>>> If you want to log ALL new connections from box6 (remember that the
>>> "-s" bit is specifying connections coming FROM box6), use the "-I"
>>> version.
>> Yes, and you certainly want any logging rules before any ignoring rules,
>> because not only will such connections be ignored (not connecting),
>> they'll never get logged, either.
>>
>> On the other hand, if you want to log things that got past your
>> firewall, then you do want logging rules set after firewall rules.
>>
>
> Well then if line location is important what I need is to be able to
> add/modify the iptables file with a text editor, not via some
> command. What is the name of the file I need to work on?
>
> I'll look for it, see what I can find.
>
> Thanks.
>
> Bob
>
`less /etc/sysconfig/iptables` produces the following. Is this the
file I need to work on? It looks "simpler" than I expected, but I am
admonished not to "customize" it manually?
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8000:8005 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5198:5200 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Bob
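Tim's point about rule order (a LOG rule appended after the final REJECT never fires, while one inserted with `-I` at the top does) can be checked without touching a live firewall. The following is an added example, not code from the thread: it simulates first-match evaluation over a subset of the INPUT chain posted above. The address 192.168.1.6 for box6, the interface name eth0 and the reduced rule grammar are assumptions.

```python
"""Simulate first-match evaluation of the posted INPUT chain to show where
a LOG rule for box6 must sit. Constructed example, not from the thread;
box6 = 192.168.1.6, interface eth0 and the reduced grammar are assumptions."""
import shlex

BASE_CHAIN = [  # subset of the posted chain, order preserved; policy ACCEPT
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
LOG_BOX6 = "-A INPUT -s 192.168.1.6 -m state --state NEW -j LOG"
KEYS = {"-s": "src", "-p": "proto", "-i": "iface", "-j": "target"}

def parse_rule(line):
    """Reduce one rule line to its match criteria and target."""
    toks, rule = shlex.split(line), {}
    for opt, arg in zip(toks[0::2], toks[1::2]):  # every option here takes one arg
        if opt in KEYS:
            rule[KEYS[opt]] = arg
        elif opt == "--dport":                    # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
    return rule                                   # -A/-m/--reject-with carry no match

def matches(rule, pkt):
    """Every criterion the rule carries must fit the packet."""
    lo, hi = rule.get("dport", (pkt["dport"], pkt["dport"]))
    return (all(rule.get(k, pkt[k]) == pkt[k] for k in ("src", "proto", "iface"))
            and pkt["state"] in rule.get("state", {pkt["state"]})
            and lo <= pkt["dport"] <= hi)

def evaluate(chain, pkt):
    """Walk top-down: LOG records and continues; ACCEPT/REJECT end the walk.
    Returns (verdict, logged)."""
    logged = False
    for rule in map(parse_rule, chain):
        if matches(rule, pkt):
            if rule["target"] != "LOG":
                return rule["target"], logged
            logged = True
    return "ACCEPT", logged                       # chain policy :INPUT ACCEPT

def chain_with_log(how):
    """'-A' appends LOG after the final REJECT (as iptables -A would); '-I' puts it first."""
    return BASE_CHAIN + [LOG_BOX6] if how == "-A" else [LOG_BOX6] + BASE_CHAIN

def box6_packet(dport, state="NEW"):
    return {"src": "192.168.1.6", "proto": "tcp", "iface": "eth0", "dport": dport, "state": state}
```

Running `evaluate(chain_with_log("-A"), box6_packet(80))` gives a REJECT that was never logged, while the `-I` ordering logs the same packet before rejecting it.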
--
More information about the users mailing list