Re: iptable in fc5

Hongwei Li wrote:

Hi,
Sorry that I hit Send before I finished it.

I have a question about iptables in fc5. I have iptables 1.3.5-1.2
installed.
By default, the iptables has a line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
... and
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I tried to add port 2049 for our LAN NFS by adding a line before the above
reject line:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT


That rule will only match the initial packet of the stream.  You will
also need to match states ESTABLISHED and RELATED:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT



-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and restart iptables.  But my other Linux boxes cannot mount the exported
folder.  If I stop iptables, then they can mount it.  I tried to open
several other ports: 137, 139, etc.  But as long as the last line is there,
it always failed.  If I comment out the last line, then NFS works.


To find out what may be missing you may want to try tcpdump. Make sure to use the -nn option so that ports are displayed as numbers rather than names. This should show you just which ports are being expected.

In the meanwhile, please post the output of iptables-save. This will show us your current firewall settings.

What is "icmp-host-prohibited"?

Just what it says.  You are prohibited from accessing this host.


How to set it to allow some requests?  It seems that it is different from
in fc4.  Is there any link for iptables in fc5 where I can learn more?



I tried:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and for other ports 137, 139, etc.  Still the same: as long as the last line is
there, NFS does not work.  Comment it out, and the problem is gone.

I will try what Arthur suggested; firestarter.  But, I still want to
understand what "icmp-host-prohibited" means and where to set it.
Thanks!

Hongwei


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
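Added example, not part of the thread above: a small Python checker that replays `tcpdump -nn` lines against the chain in `iptables-save` format, walking the rules in order the way netfilter does (first match wins, the catch-all REJECT last), and reports which destination ports the capture shows that the chain would not ACCEPT. The rule lines are the ones from the thread; the client address 128.252.85.10, server address 128.252.85.5 and the captured packets are constructed sample data, and only new connections are modelled, so `--state` is not evaluated.

```python
import re
import ipaddress

# Constructed sample: the RH-Firewall-1-INPUT rules as the thread shows them,
# in iptables-save format (ACCEPT for 2049 from the LAN, then the catch-all REJECT).
RULES = """
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

# Constructed sample `tcpdump -nn` lines: a LAN client (.10) talking to the
# server (.5). Addresses, ports and timestamps are invented for this example.
CAPTURE = """
12:00:00.000001 IP 128.252.85.10.923 > 128.252.85.5.111: Flags [S], seq 1, win 5840, length 0
12:00:00.000002 IP 128.252.85.5 > 128.252.85.10: ICMP host 128.252.85.5 unreachable - admin prohibited, length 68
12:00:00.000003 IP 128.252.85.10.924 > 128.252.85.5.2049: Flags [S], seq 2, win 5840, length 0
12:00:00.000004 IP 128.252.85.10.925 > 128.252.85.5.111: UDP, length 56
""".strip().splitlines()

# Matches a TCP SYN or a UDP datagram: src.port > dst.port, with -nn numeric output.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (Flags \[S\]|UDP)")

def parse_rule(line):
    """Pull src network, protocol, dport and target out of one '-A' rule line."""
    toks = line.split()
    opt = {t: toks[i + 1] for i, t in enumerate(toks) if t in ("-s", "-p", "--dport", "-j")}
    return {"src": ipaddress.ip_network(opt["-s"], strict=False) if "-s" in opt else None,
            "proto": opt.get("-p"), "dport": int(opt["--dport"]) if "--dport" in opt else None,
            "target": opt.get("-j")}

def verdict(rules, src_ip, proto, dport):
    """First matching rule wins, as netfilter walks the chain. Only new
    connections are modelled, so --state is not evaluated here."""
    for r in map(parse_rule, rules):
        if r["src"] is not None and ipaddress.ip_address(src_ip) not in r["src"]:
            continue
        if r["proto"] not in (None, proto) or r["dport"] not in (None, dport):
            continue
        return r["target"]
    return "POLICY"  # fell off the end of the chain: the chain policy decides

def missing_ports(rules, capture):
    """(proto, dport) pairs in the capture that the chain would not ACCEPT."""
    missing = set()
    for m in filter(None, map(PKT_RE.search, capture)):  # skips ICMP replies etc.
        src, _, _, dport, kind = m.groups()
        proto = "udp" if kind == "UDP" else "tcp"
        if verdict(rules, src, proto, int(dport)) != "ACCEPT":
            missing.add((proto, int(dport)))
    return sorted(missing)
```

Run `missing_ports(RULES, CAPTURE)` on a real `iptables-save` and `tcpdump -nn` capture to see every port the clients ask for that the chain still rejects; each one needs its own ACCEPT rule placed above the final REJECT.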