On Wed, 07 May 2003 23:43:51 +0000, Michael Anburaj wrote:

> Contents of /etc/sysconfig/iptables:
>
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> # firewall; such entries will *not* be listed here.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A FORWARD -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>
> Which lines do you want me to take out? Or should I use a utility to
> configure the firewall? If so, what is its name?

Now you see why it would be better if you looked at your rules with the
"iptables-save" command instead of "iptables -L". Don't use "iptables -L"
if you're unfamiliar with iptables.

It's the following rule that blocks UDP access to ports 0-1023:

> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT

But if you took it out, you would open _all_ those ports.
Hence you might want to insert the following after the lines that open ports 67:68:

-A RH-Lokkit-0-50-INPUT -p udp -m udp -i eth0 --dport tftp -j ACCEPT

Then reload the rules with "service iptables restart" or insert the new rule
at run-time on the command-line with:

iptables -I RH-Lokkit-0-50-INPUT -p udp -m udp -i eth0 --dport tftp -j ACCEPT
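The point of the reply above is rule order: iptables stops at the first matching rule in a chain, so a narrow ACCEPT for tftp only works if it sits above the catch-all REJECT for UDP 0:1023. The script below is an added example, not part of the original thread; it patches a lokkit-style iptables-save file offline and checks the resulting order without touching a live firewall. The ruleset embedded in sample_rules is a constructed copy of the one quoted in the thread, the RULES_FILE path and the function names are assumptions, and it uses the numeric port 69 rather than the service name tftp so the check does not depend on /etc/services. Note that "iptables -I CHAIN" with no position inserts at the head of the chain, which is why the run-time command in the reply needs no explicit position.

```shell
#!/bin/sh
# Added example: open a single UDP port (tftp, 69/udp) on eth0 in a
# lokkit-generated ruleset without removing the UDP 0:1023 REJECT.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"   # assumed path
CHAIN="RH-Lokkit-0-50-INPUT"
NEW_RULE="-A $CHAIN -p udp -m udp -i eth0 --dport 69 -j ACCEPT"

# Constructed sample: a copy of the ruleset quoted in the thread.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
EOF
}

# Insert NEW_RULE immediately before the first UDP 0:1023 REJECT in CHAIN.
# Reads a ruleset on stdin, writes the patched ruleset on stdout, and fails
# (exit 1) if no such REJECT exists, so a wrong file is never silently emitted.
insert_tftp_rule() {
  awk -v chain="$CHAIN" -v rule="$NEW_RULE" '
    !done && $0 ~ ("^-A " chain " .*-p udp .*--dport 0:1023 .*-j REJECT") {
      print rule; done = 1
    }
    { print }
    END { if (!done) exit 1 }
  '
}

# Verify that, within CHAIN, the tftp ACCEPT precedes the UDP 0:1023 REJECT.
# Exit 0 when the order is right (first match wins), 1 otherwise.
check_order() {
  awk -v chain="$CHAIN" '
    $0 ~ ("^-A " chain " ") { n++ }
    $0 ~ ("^-A " chain " .*--dport 69 .*-j ACCEPT") && !acc { acc = n }
    $0 ~ ("^-A " chain " .*-p udp .*--dport 0:1023 .*-j REJECT") && !rej { rej = n }
    END { exit !(acc && rej && acc < rej) }
  '
}

# Dry run against the constructed sample. To patch the real file instead:
#   insert_tftp_rule < "$RULES_FILE" > "$RULES_FILE.new" && check_order < "$RULES_FILE.new"
sample_rules | insert_tftp_rule | check_order \
  && echo "tftp ACCEPT precedes the UDP 0:1023 REJECT in $CHAIN"
```

After writing the patched file into place, "service iptables restart" loads it through iptables-restore; compare the running chain with "iptables-save" rather than "iptables -L", as the reply recommends, so that the interface match (-i eth0) is visible in the output.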