> Hongwei Li wrote:
>>> Hongwei Li wrote:
>>>
>>>> Hi,
>>>> Sorry that I hit Send before I finished it.
>>>>
>>>> I have a question about iptables in fc5. I have iptables 1.3.5-1.2
>>>> installed.
>>>> By default, the iptables has a line
>>>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>>> ... and
>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>
>>>> I try to add the port 2049 for our lan nfs by adding a line before the
>>>> above reject line:
>>>>
>>>> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
>>>
>>>
>>> That rule will only match the initial packet of the stream. You will
>>> also need to match states ESTABLISHED and RELATED:
>>>
>>> -A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 2049 -j ACCEPT
>>>
>>>
>>>
>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>
>>>> and restart iptables. But my other linux boxes cannot mount the exported
>>>> folder. If I stop iptables, then they can mount it. I tried to open
>>>> several other ports: 137, 139, etc. But as long as the last line is there,
>>>> it always failed. If I comment out the last line, then nfs works.
>>>>
>
> To find out what may be missing you may want to try tcpdump. Make sure
> to use the -nn option so that ports are displayed as numbers rather than
> names. This should show you just which ports are being expected.
>
> In the meanwhile, please post the output of iptables-save. This will
> show us your current firewall settings.
>
>>>> What is "icmp-host-prohibited"
>
> Just what it says. You are prohibited from accessing this host.
>

I don't know if the output of tcpdump -nn helps or not:

...
16:02:40.803697 IP 128.252.85.35.22 > 128.252.85.103.2167: P 576512:576656(144) ack 6721 win 32767
16:02:40.803721 IP 128.252.85.103.2167 > 128.252.85.35.22: . ack 576000 win 65535
16:02:40.803761 IP 128.252.85.35.22 > 128.252.85.103.2167: P 576656:576800(144) ack 6721 win 32767
16:02:40.803802 IP 128.252.85.35.22 > 128.252.85.103.2167: P 576800:577024(224) ack 6721 win 32767
16:02:40.803841 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577024:577168(144) ack 6721 win 32767
16:02:40.803881 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577168:577312(144) ack 6721 win 32767
16:02:40.803921 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577312:577456(144) ack 6721 win 32767
16:02:40.803961 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577456:577600(144) ack 6721 win 32767
16:02:40.803970 IP 128.252.85.103.2167 > 128.252.85.35.22: . ack 577024 win 64511
16:02:40.804023 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577600:577744(144) ack 6721 win 32767
16:02:40.804065 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577744:577968(224) ack 6721 win 32767
16:02:40.804105 IP 128.252.85.35.22 > 128.252.85.103.2167: P 577968:578112(144) ack 6721 win 32767
16:02:40.804145 IP 128.252.85.35.22 > 128.252.85.103.2167: P 578112:578256(144) ack 6721 win 32767
16:02:40.804185 IP 128.252.85.35.22 > 128.252.85.103.2167: P 578256:578400(144) ack 6721 win 32767
16:02:40.804210 IP 128.252.85.103.2167 > 128.252.85.35.22: . ack 577744 win 65535
16:02:40.804249 IP 128.252.85.35.22 > 128.252.85.103.2167: P 578400:578544(144) ack 6721 win 32767
16:02:40.804290 IP 128.252.85.35.22 > 128.252.85.103.2167: P 578544:578768(224) ack 6721 win 32767
...

Here is the iptables-save output:

# Generated by iptables-save v1.3.5 on Mon May 15 15:59:18 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:okay - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 128.252.85.35 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.35 -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A okay -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon May 15 15:59:18 2006

I just added UDP for the NFS port, but it is still the same problem.
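The reply above recommends tcpdump -nn so that the ports clients expect to reach show up as numbers. This added shell example (not from the thread) tallies the destination ports hit on the firewall host from such a capture; the sample capture is constructed, and its NFS lines assume a client that contacts the portmapper on udp/111 and a dynamically assigned mountd port before reaching 2049.

```shell
#!/bin/sh
# Tally the destination ports that clients try to reach on HOST from
# 'tcpdump -nn' output, so the numeric ports a firewall must permit show up
# at a glance. Added example; HOST is the firewall host from the thread.
HOST=128.252.85.35

# Constructed sample capture (not the thread's own): the SSH session the
# thread shows, plus a client starting an NFS mount, which first asks the
# portmapper on udp/111, then a dynamically assigned mountd port, then 2049.
SAMPLE='16:02:40.803697 IP 128.252.85.35.22 > 128.252.85.103.2167: P 576512:576656(144) ack 6721 win 32767
16:02:40.803721 IP 128.252.85.103.2167 > 128.252.85.35.22: . ack 576000 win 65535
16:02:41.100001 IP 128.252.85.103.733 > 128.252.85.35.111: UDP, length 56
16:02:41.100500 IP 128.252.85.103.734 > 128.252.85.35.32769: UDP, length 100
16:02:41.101000 IP 128.252.85.103.735 > 128.252.85.35.2049: S 1:1(0) win 5840'

# dst_ports_to_host HOST < capture  -> one "port count" line per destination
# port on HOST, sorted numerically by port
dst_ports_to_host() {
    LC_ALL=C awk -v host="$1" '
        $2 == "IP" {
            dst = $5; sub(/:$/, "", dst)            # "a.b.c.d.port:" -> "a.b.c.d.port"
            if (split(dst, a, "[.]") != 5) next     # anything else is not ip.port
            if ((a[1] "." a[2] "." a[3] "." a[4]) != host) next
            count[a[5]]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort -n
}

printf '%s\n' "$SAMPLE" | dst_ports_to_host "$HOST"
```

Run it as `tcpdump -nn -i eth0 host <client> | dst_ports_to_host 128.252.85.35` against a live capture taken while the mount is attempted with the firewall stopped, and every port listed is one the chain must permit before the REJECT line.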
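To see which rule a given packet hits in RH-Firewall-1-INPUT before the terminal REJECT, this added example (not from the thread) walks a subset of the iptables-save rules posted above for a NEW packet with a given source, protocol and destination port. It evaluates only -s, -p, --dport and --state, treats rules with -i, -d or --icmp-type as non-matching, and assumes contiguous netmasks.

```shell
#!/bin/sh
# Walk RH-Firewall-1-INPUT in order and print "N TARGET" for the first rule
# that a NEW packet (src, proto, dport) matches. Added example; RULES is a
# subset of the iptables-save output posted in the thread.
RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 128.252.85.0/255.255.255.0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# first_match SRC PROTO DPORT  (only -s, -p, --dport and --state are evaluated;
# rules carrying -i, -d or --icmp-type are treated as non-matching)
first_match() {
    printf '%s\n' "$RULES" | LC_ALL=C awk -v src="$1" -v proto="$2" -v dport="$3" '
        function ip2n(s,  q) {
            split(s, q, "[.]")
            return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4]
        }
        # contiguous netmask: net and src agree once divided by the block size
        function srcmatch(spec,  pp, n, blk) {
            n = split(spec, pp, "/")
            blk = (n == 2) ? 4294967296 - ip2n(pp[2]) : 1
            return int(ip2n(pp[1]) / blk) == int(ip2n(src) / blk)
        }
        $2 == "RH-Firewall-1-INPUT" {
            nr++; s = ""; p = ""; d = ""; j = ""; skip = 0; newok = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") s = $(++i)
                else if ($i == "-p") p = $(++i)
                else if ($i == "--dport") d = $(++i)
                else if ($i == "-j") j = $(++i)
                else if ($i == "--state") newok = ($(++i) ~ /NEW/)
                else if ($i == "-i" || $i == "-d" || $i == "--icmp-type") { skip = 1; i++ }
            }
            if (skip || !newok) next
            if (s != "" && !srcmatch(s)) next
            if (p != "" && p != proto) next
            if (d != "" && d != dport) next
            print nr, j; exit
        }'
}

first_match 128.252.85.103 tcp 2049   # 5 ACCEPT
first_match 128.252.85.103 tcp 111    # 7 REJECT: nothing before the REJECT permits it
```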