Re: firewall question

a arias <aarias239@xxxxxxxxx> · Mon, 3 Aug 2009 13:21:13 -0400

This is because you have the following rules declared:

-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

You should not use these rules because iptables will mark this traffic as valid and will not even try to match any rule defined later in the table. If you want to accept all traffic from you LAN (assuming eth1 is the private interface), you can still use this rule

-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

Also, you only need one of these:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

On Mon, Aug 3, 2009 at 1:06 PM, Jerry Geis <geisj@xxxxxxxxxxxxxxx> wrote:

My firewall config is below...

I am trying to figure out why another machine has access to port 5038 on

my machine

based on these firewall rules.

I thought the reject at the bottom would take care of all other ports?

It does not.

I have restarted with "server iptables restart" and same thing. I can

connect from another machine

to my machine on port 5038. How do I prevent this?

Jerry

---------------------------------

This is my firewall:

# Firewall configuration written by system-config-securitylevel

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 69 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 69 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6540

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6500

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6510

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6520

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5060

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5036

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4569

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1720

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4520

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j

ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5900

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2000

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2000

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5353

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5353

-j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6544

-j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

_______________________________________________

CentOS mailing list

CentOS@xxxxxxxxxx

http://lists.centos.org/mailman/listinfo/centos

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos