On 30 Oct 2002 12:34:37 -0600, Alejandro González Hernández - Imoq wrote:

> On Wed, 2002-10-30 at 12:09, Michael Schwendt wrote:
>
> > Without knowing the rest of your rules, I cannot comment on this.
> > For instance, for DNAT to work, you would also need a corresponding
> > rule in the FORWARD chain. For the localhost example to work, you
> > would need a corresponding rule in the INPUT chain.
>
> I knew I was missing something!
>
> The rest of the rules are the ones that lokkit defined, deny
> everything except what I accept; currently iptables looks like this:
>
> [root@imoqland root]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.2.6a on Wed Oct 30 11:18:39 2002
> *mangle
> :PREROUTING ACCEPT [173470:39522072]
> :INPUT ACCEPT [128399:32986145]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [46517:5592160]
> :POSTROUTING ACCEPT [49043:5890524]
> COMMIT
> # Completed on Wed Oct 30 11:18:39 2002
> # Generated by iptables-save v1.2.6a on Wed Oct 30 11:18:39 2002
> *nat
> :PREROUTING ACCEPT [84144:12249623]
> :POSTROUTING ACCEPT [5474:492754]
> :OUTPUT ACCEPT [5474:492754]
> [0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.105.220:80
> COMMIT
> # Completed on Wed Oct 30 11:18:39 2002
> # Generated by iptables-save v1.2.6a on Wed Oct 30 11:18:39 2002
> *filter
> :INPUT ACCEPT [18167:16391252]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [46516:5592045]
> :RH-Lokkit-0-50-INPUT - [0:0]
> [128398:32986080] -A INPUT -j RH-Lokkit-0-50-INPUT
> [23322:2529889] -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 53 -j ACCEPT
> [0:0] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> [770:103971] -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> [76628:12914684] -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
> [0:0] -A RH-Lokkit-0-50-INPUT -s 192.168.1.169 -p udp -m udp --sport 53 -j ACCEPT
> [82:5760] -A RH-Lokkit-0-50-INPUT -s some.ip -p udp -m udp --sport 53 -j ACCEPT
> [73:4474] -A RH-Lokkit-0-50-INPUT -s some.other.ip -p udp -m udp --sport 53 -j ACCEPT
> [1054:54676] -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
> [8302:981374] -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> # Completed on Wed Oct 30 11:18:39 2002
>
> So, what are the rules in the FORWARD/INPUT chains that are missing?

iptables -I RH-Lokkit-0-50-INPUT 5 -p tcp --dport 80 -j ACCEPT

I don't know why I reply to this message. :)

You should also tell where 192.168.105.220 is located. I need to guess
too much. A rule in the FORWARD chain would be necessary if
192.168.105.220 is a remote host. It seems it isn't.

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
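As an added illustration of the reply's point (not code from the thread), the following Python checks an iptables-save dump for the rule that is missing here: for each DNAT in nat/PREROUTING it walks the filter table, INPUT when `--to-destination` is an address of this host and FORWARD otherwise, follows jumps into user chains such as RH-Lokkit-0-50-INPUT, skips interface- or source-scoped allows, and reports redirected traffic that would not be accepted. The dump is a constructed excerpt modelled on the one quoted, and `local_addrs` (which addresses belong to this host) is an assumption the caller supplies, since the thread never says where 192.168.105.220 lives.

```python
import re, shlex
# Constructed iptables-save excerpt modelled on the thread's dump (counters dropped).
DUMP = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.105.220:80
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
"""

def parse(dump):  # -> ({table: {chain: [argv, ...]}}, {table: {chain: policy}})
    rules, policy, tbl = {}, {}, None
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())  # drop leading [pkts:bytes]
        if line.startswith("*"):
            tbl = line[1:]
        elif line.startswith(":"):  # ":CHAIN POLICY [..]"; policy is "-" for user chains
            policy.setdefault(tbl, {}).update([line[1:].split()[:2]])
        elif line.startswith("-A "):
            rules.setdefault(tbl, {}).setdefault(line.split()[1], []).append(shlex.split(line)[2:])
    return rules, policy
opt = lambda argv, name: argv[argv.index(name) + 1] if name in argv else None  # value after a flag

def verdict(rules, policy, chain, proto, port):
    """Verdict for a new proto/port packet from outside: follow jumps, else the chain policy."""
    for argv in rules.get(chain, []):
        if opt(argv, "-p") not in (None, proto) or opt(argv, "--dport") not in (None, port):
            continue  # rule is for another protocol or port
        if opt(argv, "-i") or opt(argv, "-s"):
            continue  # scoped to one interface/source (e.g. -i lo), so not a general allow
        target = opt(argv, "-j")
        if target in rules:  # user chain: only a terminal verdict reached inside it counts
            target = verdict(rules, policy, target, proto, port)
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
    return policy.get(chain)

def missing_for_dnat(dump, local_addrs):
    """(chain, proto, port) a DNAT needs but the filter table does not ACCEPT."""
    rules, policy = parse(dump)
    needs = []
    for argv in rules.get("nat", {}).get("PREROUTING", []):
        if opt(argv, "-j") == "DNAT":
            host, _, port = opt(argv, "--to-destination").partition(":")  # local -> INPUT, remote -> FORWARD
            needs.append(("INPUT" if host in local_addrs else "FORWARD", opt(argv, "-p"), port or opt(argv, "--dport")))
    return [n for n in needs if verdict(rules["filter"], policy["filter"], *n) != "ACCEPT"]
```

With 192.168.105.220 listed as local, the check reports `("INPUT", "tcp", "80")`; splicing the reply's `-p tcp --dport 80 -j ACCEPT` into the lokkit chain ahead of its catch-all REJECT empties the list, and for a non-local target the FORWARD chain's ACCEPT policy already lets the traffic through.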