On July 1, 2004 08:50 pm, bruce wrote:
> pete...
>
> thanks for the input... i have the following /etc/sysconfig/iptables file
>
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> # firewall; such entries will *not* be listed here.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>
> but i'm leery of making changes to it directly, as some other app might
> override the changes... is there some way of me determining if there is
> some app that i should be modifying/looking for, which would create this
> file...
>
> thanks...
>
> bruce

The only apps that are going to write to it are redhat-config-securitylevel or the save feature of /etc/init.d/iptables ('service iptables save'). As long as you have a backup copy, you can always restore.

Also, if I am reading that ruleset properly, it looks like most things are open (but I am not familiar with that formatting).

Anyway, just comment out the two existing "2049 reject" lines and add them in as accepts.

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
# -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
# -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT

After editing the file, run 'service iptables restart' to kick the changes into gear.

If this system is accessed from beyond a trusted LAN, I would look seriously at implementing something a little stronger for the firewall rules.

-- 
Pete Nesbitt, rhce

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
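Added example, not from the thread or from Red Hat: a POSIX shell script that applies the edit Pete describes to a constructed, shortened copy of the lokkit ruleset above, keeps a backup, and checks that no earlier REJECT/DROP rule shadows the new ACCEPT, since -A rules are matched top to bottom. The function names, the sample file and the .bak naming are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: open one port in a lokkit-style
# /etc/sysconfig/iptables (comment out the REJECT lines, add ACCEPT lines),
# keep a backup, and check that no earlier REJECT/DROP rule shadows it.

# Constructed, shortened copy of the ruleset quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
*filter
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
COMMIT
EOF
}

# open_port FILE PORT: back up FILE, then replace each REJECT rule for PORT
# with an ACCEPT rule in the same position, keeping the original as a comment.
open_port() {
    cp "$1" "$1.bak"
    awk -v p="$2" '
        /^-A / && $0 ~ ("--dport " p " .*-j REJECT$") {
            a = $0; sub(/-j REJECT$/, "-j ACCEPT", a)
            print a; print "# " $0; next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_rules FILE PORT TARGET: count of uncommented rules for PORT -> TARGET.
active_rules() {
    grep -c -- "^-A .*--dport $2 .*-j $3\$" "$1" || true
}

# shadowed FILE PROTO PORT: prints 1 if a REJECT/DROP rule for PROTO whose
# --dport (single port or lo:hi range) covers PORT comes before any ACCEPT
# for it, else 0; iptables matches -A rules top to bottom.
shadowed() {
    awk -v proto="$2" -v p="$3" '
        /^-A / && $0 ~ ("-p " proto " ") {
            dp = ""; for (i = 1; i <= NF; i++) if ($i == "--dport") dp = $(i + 1)
            if (dp == "") next
            n = split(dp, r, ":"); lo = r[1]; hi = (n > 1) ? r[2] : r[1]
            if (lo + 0 <= p + 0 && p + 0 <= hi + 0) {
                if ($NF == "ACCEPT") exit
                if ($NF == "REJECT" || $NF == "DROP") { s = 1; exit }
            }
        }
        END { print s + 0 }' "$1"
}
```

Run it against a copy of the file, never the live one, and compare the result with the backup before `service iptables restart`.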