Re: iptable in fc5

From: "Arthur Pemberton" <pemboa@xxxxxxxxx>

On 5/15/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
> On 5/15/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
>> Hi,
>>  Sorry that I hit Send before I finished it.
>>
>>  I have a question about iptables in fc5. I have iptables 1.3.5-1.2
>> installed.
>>  By default, the iptables has a line
>>  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>  ... and
>>  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>>  I try to add the port 2049 for our lan nfs by adding a line before the above
>>  reject line:
>>
>> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m
>> tcp -p tcp --dport 2049 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> and restart iptables.  But my other linux boxes cannot mount the exported
>> folder.  If I stop iptables, then they can mount it.  I tried to open
>> several other ports: 137, 139, etc.  But as long as the last line is there,
>> it always failed.  If I comment out the last line, then nfs works.
>>
>> What is "icmp-host-prohibited"?  How to set it to allow some requests?  It
>> seems that it is different from in fc4. Is there any link for iptables in
>> fc5 where I can learn more?
>>
>> Thanks!
>>
>> Hongwei
>>
> Have you tried the GUI configuration tool?
>

Yes, the same problem.  The other main problem of the gui tool is that it does
not provide some required options, e.g. I want to open a port (say 2049, 137,
139) ONLY to my lan, but the gui tool does not have a place to enter "source",
"destination", etc. It only provides port number and tcp/udp selection.  How
to do it with source/destination?

Thanks.

Hongwei


Then it sounds like you need a more powerful firewall configuring
program. Try firestarter.

`yum install firestarter` should get you what you want. I would first
disable the Fedora based firewall before using Firestarter.

Aw heck, answer the poor guy's question not what you think his
question was.

iptables uses the first rule that hits a message. Therefore adding
his new rules AFTER the default blanket reject rule is not going to
do him any good. Put it in front of the blanket reject rule to make
it work. (There MAY be SELinux issues as well. But that is another
topic.)

{^_^}
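The last reply's point, that iptables takes the first rule that matches and so an ACCEPT placed after the blanket REJECT never fires, can be checked without touching a live kernel. The following is an added example, not code from the thread or from the iptables project: a small first-match evaluator that parses the subset of iptables-save syntax the thread uses (`-s`, `-p`, `-m state --state`, `-m tcp --dport`, `-j`) and walks a chain top to bottom. The two rule sets and the packets are constructed for illustration; the LAN prefix and port 2049 are the ones from the thread.

```python
"""
Toy first-match evaluator for an iptables filter chain.

Added example, not code from the fedora-list thread or from iptables itself.
It parses the subset of `iptables-save` rule syntax used in the thread and
returns the target of the first rule whose criteria cover the packet, which
is exactly why rule order matters.  Rule sets and packets are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str                      # source IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp
    state: str = "NEW"            # conntrack state as iptables would see it


@dataclass
class Rule:
    target: str
    src_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: set = field(default_factory=set)
    extras: dict = field(default_factory=dict)   # options parsed but not matched on

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def parse_rule(line: str):
    """Parse one `-A CHAIN ...` line into (chain, Rule); unsupported options raise."""
    toks = shlex.split(line)
    if toks[0] != "-A":
        raise ValueError(f"expected -A, got {line!r}")
    chain, rule, i = toks[1], Rule(target=""), 2
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-s":
            # iptables accepts dotted netmasks (255.255.255.0); ip_network does too
            rule.src_net = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--dport":
            rule.dport = int(arg)
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        elif opt == "-m":
            pass   # `-m state` / `-m tcp` only load a match module, no criteria
        elif opt in ("--icmp-type", "--reject-with"):
            rule.extras[opt] = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    if not rule.target:
        raise ValueError(f"rule without -j target: {line!r}")
    return chain, rule


def load_chain(text: str, chain: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            c, r = parse_rule(line)
            if c == chain:
                rules.append(r)
    return rules


def evaluate(rules: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; the chain policy applies if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed: the thread's ordering, LAN nfs ACCEPT placed before the blanket REJECT.
CHAIN_CORRECT = """
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed: the same rules with the ACCEPT after the REJECT, so it is never reached.
CHAIN_WRONG_ORDER = """
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
"""


def verdict(chain_text: str, pkt: Packet) -> str:
    return evaluate(load_chain(chain_text, "RH-Firewall-1-INPUT"), pkt)


if __name__ == "__main__":
    lan_tcp = Packet(src="128.252.85.10", proto="tcp", dport=2049)
    outside_tcp = Packet(src="192.0.2.7", proto="tcp", dport=2049)   # constructed outside address
    lan_udp = Packet(src="128.252.85.10", proto="udp", dport=2049)
    for name, chain in (("correct order", CHAIN_CORRECT), ("wrong order", CHAIN_WRONG_ORDER)):
        print(f"{name}: LAN tcp/2049 -> {verdict(chain, lan_tcp)}, "
              f"outside tcp/2049 -> {verdict(chain, outside_tcp)}, "
              f"LAN udp/2049 -> {verdict(chain, lan_udp)}")
```

With the correct order, TCP 2049 from the 128.252.85.0/24 network is accepted while the same port from any other source, and UDP 2049 even from the LAN, still hit the REJECT. With the ACCEPT below the REJECT, every packet is rejected. The evaluator also makes visible that the thread's rule only opens TCP 2049, so traffic an NFS client sends to other ports or over UDP is still rejected by the last line; that is worth checking before looking at SELinux.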

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list