Note you should keep discussions copied to the list unless you have a particular reason not to, so that other people can learn from and contribute to the discussion.

On Thu, Jan 18, 2007 at 21:35:50 +0100, Kristoffer Gustafsson <kg84@xxxxxxxxxxxxxx> wrote:
> Hello!
>
> Because I'm a blind Linux user, I can't use GUI applications.
>
> But the ports I want to open are ftp, port 21, http port 80, port 23 and
> port 2222 for telnet.
>
> What shall I type in order to open these ports?
>
> Or to make it easier, is there a way to open every port at once and not
> have any closed at all?

service iptables stop will delete all of the iptables rules. If you are running a really minimal system, you might be OK doing that, but I don't recommend it. You can certainly try that for short periods to make sure the iptables rules are what's causing problems for your application.

If you set up rules using iptables commands directly, you can save them in a way that the normal firewall start up will use them at next boot. Just get the rules set up the way you want and then run:

service iptables save

To see the current list of iptables rules run:

iptables -L

Below is a set of rules I use for my workstation at work. It has some stuff you won't need in it, but it should give you some ideas you can use to make your own set of rules.

For adding just one inbound port, you may also want to try editing /etc/sysconfig/iptables . That is where rules are saved. They aren't saved as actual iptables commands, but most of the contents should be what would be the arguments to the iptables command. If your system has something there by default, you should be able to add another allow rule to accept inbound connections on specific ports.

#!/bin/sh
# Protect network with packet filter rules

CERBERUS=129.89.124.28

# Quickly block traffic no matter what the current rules
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Set policy to drop all packets
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Get rid of all rules and chains so that policy controls apply
/sbin/iptables -F
/sbin/iptables -X

# Keep things blocked while building new rule set
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Real rules get defined here

# Log and drop
/sbin/iptables -N ERROR
/sbin/iptables -A ERROR -m limit -j LOG
/sbin/iptables -A ERROR -j DROP

# Chain to check PRIVATE addresses aren't being used
/sbin/iptables -N PRIVATE
/sbin/iptables -A PRIVATE -d 255.255.255.255 -j DROP
/sbin/iptables -A PRIVATE -d 129.89.124.255 -j DROP
/sbin/iptables -A PRIVATE -d 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -d 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -d 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -p igmp -d 224.0.0.1 -j DROP
/sbin/iptables -A PRIVATE -d 224.0.0.0/4 -j DROP
/sbin/iptables -A PRIVATE -d 10.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -s 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -s 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -s 224.0.0.0/4 -j ERROR
/sbin/iptables -A PRIVATE -s 10.0.0.0/8 -j ERROR
# Everything that is not loopback traffic goes through the PRIVATE checks
# ("! -i lo" is the current spelling of the older "-i ! lo" negation)
/sbin/iptables -A INPUT ! -i lo -j PRIVATE
/sbin/iptables -A OUTPUT ! -o lo -j PRIVATE
/sbin/iptables -A FORWARD -j PRIVATE

# Supported services
/sbin/iptables -N SERVICES
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -m limit -j LOG
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -j DROP
/sbin/iptables -A SERVICES -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 25 -j ACCEPT
# bittorrent ports:
#/sbin/iptables -A SERVICES -p tcp --dport 6881:6999 -j ACCEPT
#/sbin/iptables -A SERVICES -p udp --dport 6881:6999 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 113 -j REJECT --reject-with tcp-reset
/sbin/iptables -A SERVICES -m limit -j LOG
/sbin/iptables -A SERVICES -j DROP

# Only allow expected outbound protocols
/sbin/iptables -N OUTBOUND
/sbin/iptables -A OUTBOUND -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTBOUND -p tcp -j ACCEPT
/sbin/iptables -A OUTBOUND -p udp -j ACCEPT
/sbin/iptables -A OUTBOUND -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUTBOUND -m limit -j LOG
/sbin/iptables -A OUTBOUND -j DROP

# LO
/sbin/iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $CERBERUS -d $CERBERUS -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $CERBERUS -d $CERBERUS -j ACCEPT

# ETH4 - Connects to the world
/sbin/iptables -N ETH4IN
/sbin/iptables -A ETH4IN -s $CERBERUS -j ERROR
/sbin/iptables -A ETH4IN -d $CERBERUS -j SERVICES
/sbin/iptables -A ETH4IN -m limit -j LOG
/sbin/iptables -A ETH4IN -j DROP
/sbin/iptables -A INPUT -i eth4 -j ETH4IN

/sbin/iptables -N ETH4OUT
/sbin/iptables -A ETH4OUT -d $CERBERUS -j ERROR
/sbin/iptables -A ETH4OUT -s $CERBERUS -j OUTBOUND
/sbin/iptables -A ETH4OUT -m limit -j LOG
/sbin/iptables -A ETH4OUT -j DROP
/sbin/iptables -A OUTPUT -o eth4 -j ETH4OUT

# Log any packets dropped for not being in a previous category
/sbin/iptables -A INPUT -m limit -j LOG
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -m limit -j LOG
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -A OUTPUT -m limit -j LOG
/sbin/iptables -A OUTPUT -j DROP

# Turn network on (remove the temporary DROP rules inserted at position 1)
/sbin/iptables -D INPUT 1
/sbin/iptables -D FORWARD 1
/sbin/iptables -D OUTPUT 1
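As an added example (not code from the reply above or from the Fedora iptables service), here is a small POSIX sh script that does what the original question asks, the way the reply describes: it inserts ACCEPT rules for inbound TCP ports 21, 23, 80 and 2222 and then persists them with service iptables save. The names CHAIN, IPTABLES, valid_port, allow_rule_args, open_port and open_ports are this example's own. Two assumptions not stated in the post: the chain that receives the rules is taken from $CHAIN (INPUT by default; if the stock /etc/sysconfig/iptables on your system sends INPUT to a custom chain that ends in a reject rule, point CHAIN at that chain), and $IPTABLES can be set to echo for a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not code from the list reply: open a few inbound TCP ports
# with iptables the way the reply describes, then persist them with
# "service iptables save".
#
# Assumptions (not from the post):
#   CHAIN    - the filter chain that gets the ACCEPT rules (INPUT by default;
#              set it to the custom chain INPUT jumps to if your saved ruleset
#              uses one, so the rule lands before that chain's final reject).
#   IPTABLES - the binary to run; set to "echo" for a dry run that only prints
#              the commands instead of changing the running firewall.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-INPUT}"

# Accept a port only if it is an integer in 1..65535, so a typo never reaches
# iptables as a half-formed rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the match/target arguments for one allow rule. Matching on state NEW
# admits only the connection-opening packet; the replies that follow are
# covered by an ESTABLISHED,RELATED rule such as the one in the reply's script.
allow_rule_args() {
    # $1 = protocol (tcp or udp), $2 = port
    printf '%s\n' "-p $1 -m state --state NEW --dport $2 -j ACCEPT"
}

# Insert one allow rule at the head of the chain. Inserting (-I) rather than
# appending (-A) matters: the chains in the reply's script end in a
# log-and-drop rule, and anything appended after such a rule never matches.
open_port() {
    if ! valid_port "$2"; then
        echo "open_port: invalid port '$2'" >&2
        return 1
    fi
    # word splitting of the rule arguments is intended here
    $IPTABLES -I "$CHAIN" 1 $(allow_rule_args "$1" "$2")
}

# Open every port listed after the protocol; returns non-zero if any one failed.
open_ports() {
    proto="$1"
    shift
    rc=0
    for port in "$@"; do
        open_port "$proto" "$port" || rc=1
    done
    return "$rc"
}

# The ports from the original question: ftp 21, telnet 23, http 80, and 2222.
case "${1:-}" in
    --dry-run)
        IPTABLES=echo
        open_ports tcp 21 23 80 2222
        ;;
    --apply)
        # Run as root: change the live ruleset, then save it so the iptables
        # service restores it at boot (the save step is the one the reply names).
        open_ports tcp 21 23 80 2222 && /sbin/service iptables save
        ;;
esac
```

Run it with --dry-run first to see the exact iptables commands, then with --apply as root; iptables -L afterwards should show the four new rules at the top of the chain. Two practical notes: FTP's data connections only count as RELATED if the FTP connection-tracking helper module is loaded, so port 21 alone may not be enough for active-mode transfers; and both FTP and telnet carry credentials in cleartext, which is why the reply's own ruleset admits SSH on port 22 instead.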