Re: iptable in fc5



Hongwei Li wrote:
On Mon, 2006-05-15 at 14:27 -0500, Hongwei Li wrote:
Hi,

I have a question about iptables in fc5. I have iptables 1.3.5-1.2
installed.
By default, the iptables has a line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
... and
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I try to add the port 2049 for our lan nfs by adding a line before the above
reject line:

You're also going to need to unblock ports for portmapper, mountd,
rquotad, and (maybe) rstatd and nfslockd. I don't use the last two on
my home systems.

Create a file on the server at /etc/sysconfig/nfs that will bind mountd
and rquotad to fixed ports (I use 922 and 923, but you don't have to).

[root@petrel ~]# cat /etc/sysconfig/nfs
export MOUNTD_PORT=922
export RQUOTAD_PORT=923

Then, in /etc/sysconfig/iptables, add the following rules (change the -s
address as appropriate, or remove it altogether):
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Thanks a lot for your and Chris's help. I created /etc/sysconfig/nfs, did what
you suggested and now it is working.

A few more questions about iptables setting:

1. What's difference if I put some lines like
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
before line
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
or put it in between it and the following line:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The difference is performance. Once a connection table entry is established, all subsequent packets will be accepted when the ESTABLISHED,RELATED... rule is hit. So placing that near the top, and rules to decide what new connections to permit below it, shortens the rules traversed for the majority of packets.
2. When do we need to include "-m state --state NEW" or "-m state --state
NEW,ESTABLISHED,RELATED" or "-m state --state ESTABLISHED,RELATED" in a line?
Will they cause different functions?
Definitely different. If you allow all state NEW packets, you are not acting like a firewall because you are allowing any and all connections.
Stick to the accept on ESTABLISHED,RELATED for bulk of packets on already permitted connections, and the use of NEW in rules that you are evaluating whether to accept a connection or not based on what the source and/or destination address/port are.
3. For those lines with "-m state --state NEW" etc., should I put them before
line
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
or after it?
After - the same reason as question 1. Not because you have to, to make it work, but because doing so is more efficient.
Thanks!

Hongwei




--
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #804005699817957

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
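As an added example (my own script, not from the thread, Chris or Fedora), here is a POSIX sh generator for the complete /etc/sysconfig/iptables in iptables-restore format, laid out in the order Chris recommends in answers 1 and 3: the ESTABLISHED,RELATED accept first, the LAN-restricted rules for new connections below it, and the REJECT last before COMMIT. The chain header lines (*filter, the chain declarations and the jumps into RH-Firewall-1-INPUT) are the standard Fedora Core layout as I know it and are an assumption; the --state NEW on each service rule follows his answer to question 2; the LAN subnet and the fixed mountd/rquotad ports default to the thread's values. Two helper functions check a rules file for that ordering and count how many rules a packet on an already-accepted connection traverses before it is accepted, which is the cost answer 1 is about.

```shell
#!/bin/sh
# gen_nfs_rules LAN MOUNTD_PORT RQUOTAD_PORT
# Prints a full iptables-restore file. Defaults mirror the thread:
# LAN 192.168.1.0/24, mountd on 922, rquotad on 923 (from /etc/sysconfig/nfs).
gen_nfs_rules() {
    lan=${1:-192.168.1.0/24}
    mountd=${2:-922}
    rquotad=${3:-923}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p tcp --dport $mountd -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p udp --dport $mountd -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p tcp --dport $rquotad -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p udp --dport $rquotad -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_rule_order FILE
# Returns 0 when the ESTABLISHED,RELATED accept precedes the first
# --state NEW rule and the REJECT is the last rule before COMMIT.
check_rule_order() {
    est=$(grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' "$1" | head -n1 | cut -d: -f1)
    new=$(grep -n -- '--state NEW' "$1" | head -n1 | cut -d: -f1)
    rej=$(grep -n -- '-j REJECT' "$1" | tail -n1 | cut -d: -f1)
    commit=$(grep -n '^COMMIT' "$1" | tail -n1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ -n "$rej" ] && [ -n "$commit" ] || return 1
    [ "$est" -lt "$new" ] && [ $((rej + 1)) -eq "$commit" ]
}

# rules_before_established FILE
# Prints how many RH-Firewall-1-INPUT rules are evaluated before a packet on
# an existing connection reaches the ESTABLISHED,RELATED accept.
rules_before_established() {
    awk '/^-A RH-Firewall-1-INPUT/ {
            if (index($0, "--state ESTABLISHED,RELATED -j ACCEPT")) { print n; exit }
            n++
         }' "$1"
}

# Stand-alone use: write the file and check it (run as root on the server,
# then load it with iptables-restore or "service iptables restart").
if [ "${1:-}" = "--write" ]; then
    gen_nfs_rules "$2" "$3" "$4" > /etc/sysconfig/iptables.new
    check_rule_order /etc/sysconfig/iptables.new && echo "rules written in recommended order"
fi
```

With the generated order an established packet passes only the loopback and ICMP rules before being accepted; moving the ESTABLISHED,RELATED line down to just above the REJECT (the first ordering in question 1) is still a working firewall, but every such packet then walks all eight service rules first, which is the inefficiency Chris describes.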


