> Hongwei Li wrote:
>> Hi,
>> Sorry that I hit Send before I finished it.
>>
>> I have a question about iptables in fc5. I have iptables 1.3.5-1.2 installed.
>> By default, iptables has a line
>>
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>
>> ... and
>>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> I try to add the port 2049 for our LAN NFS by adding a line before the above
>> reject line:
>>
>> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
>
> That rule will only match the initial packet of the stream. You will
> also need to match states ESTABLISHED and RELATED:
>
> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> and restart iptables. But my other Linux boxes cannot mount the exported
>> folder. If I stop iptables, then they can mount it. I tried to open
>> several other ports: 137, 139, etc. But as long as the last line is there,
>> it always fails. If I comment out the last line, then NFS works.
>>
>> What is "icmp-host-prohibited"? How do I set it to allow some requests? It
>> seems that it is different from fc4. Is there any link for iptables in
>> fc5 where I can learn more?

I tried:

-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and the same for other ports, 137, 139, etc. Still the same: as long as the last
line is there, NFS does not work. Comment it out, and the problem is gone.

I will try what Arthur suggested, firestarter. But I still want to understand
what "icmp-host-prohibited" means and where to set it.

Thanks!

Hongwei
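The following is an added example, not code from the thread. The last rule in the stock Fedora chain, `-j REJECT --reject-with icmp-host-prohibited`, is not a port to open: it is the catch-all that ends the chain, and for any packet that no earlier rule accepted it sends the client an ICMP "destination unreachable, host administratively prohibited" error instead of dropping the packet silently. Because iptables stops at the first matching rule, the only way to "allow some requests" is to put ACCEPT rules for them above that REJECT. The script below walks constructed packets through an abridged copy of that chain to show which rule each one hits. It first uses the chain with only the port-2049 rule from the post, then a version with the ports an NFSv3 mount also touches: the portmapper (111) and mountd, which listens on a dynamic port unless the server pins it. The pinned mountd port 892, the LAN 128.252.85.0/24 and every packet are assumptions or constructed values for the illustration.

```python
"""Trace packets through an iptables chain written in iptables-save syntax.

Added example (not from the mailing-list thread): a first-match-wins
simulator for the RH-Firewall-1-INPUT chain, used to show which rule a
given NFS packet hits.  All rule sets and packets below are constructed.
"""
import ipaddress
import shlex

# Constructed, abridged form of the stock Fedora chain with the poster's
# port-2049 rule inserted just before the final REJECT.
CHAIN_2049_ONLY = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rule(line):
    """Parse the handful of iptables options used in the chain above."""
    toks = shlex.split(line)
    rule = {"iface": None, "src": None, "proto": None, "dport": None,
            "states": None, "target": None, "reject_with": None}
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]  # every option here takes one argument
        if opt == "-i":
            rule["iface"] = arg
        elif opt == "-s":
            # ipaddress accepts both prefix-length and dotted-netmask forms
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        elif opt == "--reject-with":
            rule["reject_with"] = arg
        elif opt not in ("-A", "-m", "--icmp-type"):  # chain name, module, "any": no-ops here
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return rule


def packet(src, proto, dport, state, iface="eth0"):
    """A minimal packet description as the INPUT chain sees it (constructed)."""
    return {"src": src, "proto": proto, "dport": dport, "state": state, "iface": iface}


def matches(rule, pkt):
    """True if every option the rule specifies matches the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def trace(chain_text, pkt):
    """Walk the chain top to bottom; return (target, 1-based rule number).

    The stock chain ends in an unconditional REJECT, so a packet that no
    earlier rule accepts gets an ICMP host-prohibited error back rather
    than being silently dropped.
    """
    lines = [l for l in chain_text.strip().splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"], n
    return "POLICY", None  # fell through to the table's default policy


def add_nfs_rules(chain_text, lan, mountd_port):
    """Insert NFSv3 ACCEPT rules for `lan` just before the chain's final REJECT.

    An NFSv3 client first asks the portmapper (111) where mountd and nfsd
    are, then talks to mountd; mountd's port is dynamic unless the server
    pins it, and `mountd_port` is that pinned value (an assumption here,
    e.g. MOUNTD_PORT in /etc/sysconfig/nfs).  lockd and statd are omitted
    to keep the example short.
    """
    lines = [l for l in chain_text.strip().splitlines() if l.strip()]
    reject_at = max(i for i, l in enumerate(lines) if " -j REJECT" in l)
    new = [
        f"-A RH-Firewall-1-INPUT -s {lan} -m state --state NEW -p {proto} --dport {port} -j ACCEPT"
        for proto in ("tcp", "udp")
        for port in (111, 2049, mountd_port)
    ]
    return "\n".join(lines[:reject_at] + new + lines[reject_at:]) + "\n"


if __name__ == "__main__":
    fixed = add_nfs_rules(CHAIN_2049_ONLY, "128.252.85.0/24", 892)
    for name, chain in (("2049 only", CHAIN_2049_ONLY), ("with NFS rules", fixed)):
        for pkt in (packet("128.252.85.20", "tcp", 2049, "NEW"),
                    packet("128.252.85.20", "udp", 111, "NEW"),
                    packet("128.252.85.20", "tcp", 892, "NEW"),
                    packet("10.0.0.9", "tcp", 2049, "NEW")):
            print(f"{name}: {pkt['src']} {pkt['proto']}/{pkt['dport']} -> {trace(chain, pkt)}")
```

Run as a script, the first chain shows the LAN client's portmapper and mountd packets landing on the REJECT rule while its port-2049 packet is accepted, which is why a mount fails until that last line is removed; the second chain accepts all three from the LAN and still rejects port 2049 from an address outside it. The simulator only covers the options that appear in these rules, so it raises on anything else rather than guessing.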