I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86: some tenants enable/use iptables while some disable/don't; similarly for Solaris x86 tenants. I have a common service which I need to permit rules in iptables (for RHEL VMs) regardless of whether the tenant is currently using iptables or not (i.e. just leave the rules there & if one day the tenant decides to enable/use iptables, the rules to allow the common service will have been there).

Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network interfaces.

Are the commands below correct?

# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b -j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j ACCEPT
# /sbin/service iptables save <== this creates /etc/sysconfig/iptables if it's absent?

******************************************************************************************

Sorry this is off-topic for Solaris iptables but appreciate anyone who can help:

I refer to examples in the links below but I'm still confused:
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html

Q1: So do I just add the following lines to the top (not the bottom, right?) of /etc/ipf/ipf.conf?

pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state

Q2: What's the purpose of "quick" in the above rules? What's the difference if it's absent or present?

Q3: As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the above rules with the actual global value? I reckon there must be an actual Solaris implementation value that refers to "all interfaces"; if there's none, let me know so that I can repeat it four times for all the four interfaces.

Q4: What's the purpose of "keep state"? Is it needed in my case?

Q5: If ipf.conf is not present in the /etc/ipf folder, does this mean ipfilter (as given by 'svcs -a | grep -i ipfilter') is offline?

Q6: If it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used, the rules will already be there? If ipfilter is offline, no harm creating ipf.conf, right?

Did I miss out anything in my assumptions?

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
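As an added check (not part of the original post, and not Red Hat's own tooling), here is a Python audit of a saved ruleset in the /etc/sysconfig/iptables format that `service iptables save` writes on RHEL 5/6: it confirms the two common-service rules are present whether or not the iptables service is running on the tenant VM, and flags the case where the inbound rule's destination is the loopback address, which is what `-d localhost` resolves to on iptables, so such a rule would not cover traffic arriving on the VM's other interfaces. The sample ruleset and the peer address 172.21.3.10 are constructed.

```python
import shlex

# Constructed sample in iptables-save format (the peer address 172.21.3.10 is made up).
SAMPLE_RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
-A RH-Firewall-1-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 4118 -j ACCEPT
-A RH-Firewall-1-OUTPUT -d 172.21.3.10/32 -p tcp -m tcp --dport 4120 -j ACCEPT
COMMIT
"""

FLAGS = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """One dict per '-A' line; unspecified src/dst default to the any-address wildcard."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # chain declarations, *filter and COMMIT carry no match criteria
        toks = shlex.split(line)
        rule = {"chain": toks[1], "proto": None, "src": "0.0.0.0/0",
                "dst": "0.0.0.0/0", "dport": None, "target": None}
        for i, tok in enumerate(toks[:-1]):
            if tok in FLAGS:
                rule[FLAGS[tok]] = toks[i + 1]
        rules.append(rule)
    return rules

def covers(rule_addr, wanted):
    """'any' means every interface of the VM; only the wildcard satisfies that."""
    if rule_addr == "0.0.0.0/0":
        return True
    return wanted != "any" and rule_addr.split("/")[0] == wanted

def check_common_service(text, peer):
    """Audit for the two common-service rules; flag an inbound rule limited to loopback."""
    found = {"outbound_4120": False, "inbound_4118": False, "inbound_loopback_only": False}
    for r in parse_rules(text):
        if r["proto"] != "tcp" or r["target"] != "ACCEPT":
            continue
        if r["chain"].endswith("OUTPUT") and r["dport"] == "4120" and covers(r["src"], "any") and covers(r["dst"], peer):
            found["outbound_4120"] = True
        if r["chain"].endswith("INPUT") and r["dport"] == "4118" and covers(r["src"], peer):
            if covers(r["dst"], "any"):
                found["inbound_4118"] = True
            elif r["dst"].startswith("127."):  # what '-d localhost' becomes once saved
                found["inbound_loopback_only"] = True
    return found
```

Run it against each tenant's /etc/sysconfig/iptables (the file exists even when the service is off) and treat `inbound_loopback_only` as a finding to fix before a tenant switches iptables on.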