On Wed, 2004-10-20 at 10:50, Jeremy Conlin wrote:
> On 2004-10-19 14:02:10 -0400, Volker Kindermann <ml@xxxxxxxx> said:
>
> > you need a rule such as
> > $IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 -m
> > state --state NEW -j ACCEPT
> >
> > (all one line)
> >
> > and something like
> >
> > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > where $IPTABLES is the path to the iptables binary.
>
> Well...
> I tried to do those four commands, but it didn't work. When I tried to
> connect via my VNC client it said connection refused. :( Does the
> iptables command change/write to the /etc/sysconfig/iptables file?
> Isn't this what defines what comes in and out? Sorry if my questions
> are so basic; this is far outside my area of expertise.
> Thanks,
> Jeremy
>

To get logging output you need to tell iptables to do this. You will need to
add a corresponding logging command to each command you add to see its effect:

$IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 -m state --state NEW -j LOG --log-prefix "whatever you want to see in your log" --log-level DEBUG
$IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 -m state --state NEW -j ACCEPT

Or something like that. The iptables man page will give you the log-level
options you can use. Also, you can only use 29 characters or something odd
like that in your log-prefix (this is what will be added to your log file
entry to identify where the log message is from).
From my kernel file, for example, I have:

Oct 11 21:20:36 linuxmachine kernel: DROP TCP PKT IN=eth0 OUT= MAC=00:03:47:d0:3b:cb:00:90:d0:89:c7:fe:08:00 SRC=203.51.164.155 DST=192.168.79.254 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62719 DF PROTO=TCP SPT=4236 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

The log-prefix is "DROP TCP PKT IN " so this entry is easily identified in
the iptables file. The log-level here is "info".

Just one caution - limit the use of logging, esp. to start with, otherwise
you will end up with a HUGE kernel file and won't be able to keep track of
all the messages (been there done that ;D )

ta,
gb
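As an added example (not part of this thread), a small Python parser for kernel lines written by the iptables LOG target in the format shown above: it takes the text before the first IN= field as the prefix, splits the KEY=VALUE pairs, collects bare flags such as DF and SYN, and checks a prefix against the 29-character --log-prefix limit the post recalls. The sample line is a constructed copy of the one quoted.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the kernel line quoted in the post above.
SAMPLE_LINE = (
    "Oct 11 21:20:36 linuxmachine kernel: DROP TCP PKT IN=eth0 OUT= "
    "MAC=00:03:47:d0:3b:cb:00:90:d0:89:c7:fe:08:00 SRC=203.51.164.155 "
    "DST=192.168.79.254 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62719 DF "
    "PROTO=TCP SPT=4236 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# iptables truncates --log-prefix to 29 characters (the limit the post mentions).
LOG_PREFIX_MAX = 29


def parse_iptables_log(line: str) -> Dict[str, object]:
    """Split a syslog line produced by the iptables LOG target into fields.

    The text between 'kernel:' and the first 'IN=' is the --log-prefix.
    The remainder is KEY=VALUE tokens (an empty value such as 'OUT=' is
    kept as '') plus bare flag tokens (DF, SYN, ACK, ...) gathered under
    'flags' so that, e.g., new-connection SYN probes can be picked out.
    """
    m = re.search(r"kernel:\s*(?P<prefix>.*?)\s*(?=IN=)", line)
    if m is None:
        raise ValueError("not an iptables LOG line (no IN= field)")
    fields: Dict[str, object] = {"prefix": m.group("prefix")}
    flags: List[str] = []
    for token in line[m.end():].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            flags.append(token)
    fields["flags"] = flags
    return fields


def check_log_prefix(prefix: str) -> bool:
    """True if the prefix fits within iptables' --log-prefix limit untruncated."""
    return len(prefix) <= LOG_PREFIX_MAX


if __name__ == "__main__":
    rec = parse_iptables_log(SAMPLE_LINE)
    print(rec["prefix"], rec["SRC"], "->", rec["DST"],
          "dport", rec["DPT"], rec["flags"])
```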