IPTABLES doesn't work

Michael Kearey mutk at iprimus.com.au
Fri Jan 30 04:07:27 UTC 2004


smoothmilk wrote:
> heh, considering that RH includes this tool and it doesn't work out of
> the box, I'd say it should be a concern to the people who could possibly
> fix that, perhaps those people read this list. I mean, when you install
> fedora/redhat, it says do you want a firewall? If you choose yes, (which I
> did) it's not going to do anything--even something very very simple like
> deny all incoming new connections.
> 
> The following are what I have with only ftp allowed and eth0 trusted..
> yet somehow, any computer (on the lan or on the internet) can access
> http, ssh, and every other port on my computer. 

What do you think 'eth0 trusted' means ?

Again I suggest you think about what you are doing. 'eth0 trusted' 
means trust anything coming to eth0. You have opened up any packets 
coming to eth0 to be allowed.

The tool works correctly.


> 
> Since this is all done with init scripts which require me to be root in
> order to use, and iptables is running, I would assume everything is
> being executed properly.
> 
> # /sbin/iptables -L

Try /sbin/iptables -L -xvn for some details

<snip>
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

The rule above is what is added when you 'trust' eth0, allowing 
everything.

<snip>
> 
> 
> Considering that every iptables script I've looked at is 5 times longer
> than both those files combined (including supposedly 'simple' scripts) I
> would assume something isn't right.

Wrong assumption. It's user error.

> 
> I've read man iptables but it's overwhelming, and I've tried editing
> other people's simple scripts--again, overwhelming. I couldn't make
> anything work that I wanted (like allowing port 11000 for http ONLY). 
> 
> if someone could write me something that does the following and comment
> it so I know what each section is doing that would be great:
> 
> 1. allow incoming connections on ports 11000 (http), 21 (ftp), 22 (ssh),
> and 113 (identd).
> 2. allow outgoing on all ports.
> 3. just 1 ethernet card, eth0. 

Yes, remove the trusted eth0 using redhat-config-securitylevel tool. 
Then add the ports in that you need.

Cheers,
Michael
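
The rule set the poster asked for (incoming TCP on 11000, 21, 22 and 113, all outgoing allowed, one interface), written as an added example for this thread rather than anything Michael or smoothmilk posted. It uses the RH-Firewall-1-INPUT chain name that appears in the quoted `iptables -L` output and the default lo/icmp/ESTABLISHED rules that redhat-config-securitylevel generates; the function names (build_rules, count_port_rules, has_trusted_interface) and the `--apply` flag are this example's own. The one line it deliberately leaves out is `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT`, the "trusted eth0" rule that made every port reachable.

```shell
#!/bin/sh
# Added example, not code from the thread: the requested firewall in
# iptables-restore format. Ports are the ones asked for in the thread; the
# chain name is the one visible in the quoted rule listing.

# Ports to open for NEW incoming TCP connections (from the request).
ALLOWED_TCP_PORTS="11000 21 22 113"

# Emit the complete rule set on stdout.  There is no "-i eth0 -j ACCEPT"
# line: trusting an interface wholesale is the rule that bypassed every
# other check in the original configuration.
build_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One explicit ACCEPT per requested port; everything else falls through
    # to the final REJECT, which is what "deny all incoming new" means here.
    for port in $ALLOWED_TCP_PORTS; do
        printf -- '-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of per-port ACCEPT rules in the generated set (a quick sanity check
# before loading it).
count_port_rules() {
    build_rules | grep -c -- '--dport'
}

# Succeeds only if some rule trusts an entire ethN interface, i.e. the
# mistake from the thread is present.
has_trusted_interface() {
    build_rules | grep -q -- '-i eth[0-9]* -j ACCEPT'
}

# Usage: sh firewall.sh          -> print the rules for review
#        sh firewall.sh --apply  -> load them (root and iptables-restore needed)
case "${1:-}" in
    --apply) build_rules | iptables-restore ;;
    *)       build_rules ;;
esac
```

Outgoing traffic is covered by the OUTPUT chain's ACCEPT policy, and replies to those connections come back through the ESTABLISHED,RELATED rule. For FTP to work past the control connection, the ip_conntrack_ftp module has to be loaded so that data connections are classified as RELATED; without it, active-mode transfers will be rejected. After loading, `/sbin/iptables -L -xvn` shows per-rule packet counters, which is the quickest way to confirm that a connection is matching the rule you expect rather than an interface-wide ACCEPT.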
