IPTABLES doesn't work

smoothmilk smthmlk at fuckmicrosoft.com
Fri Jan 30 03:46:52 UTC 2004


heh, considering that RH includes this tool and it doesn't work out of
the box, I'd say it should be a concern to the people who could possibly
fix that; perhaps those people read this list. I mean, when you install
Fedora/Red Hat, it asks "do you want a firewall?" If you choose yes (which I
did), it's not going to do anything, not even something very, very simple like
denying all incoming new connections.

The following is what I have, with only FTP allowed and eth0 trusted,
yet somehow any computer (on the LAN or on the Internet) can access
HTTP, SSH, and every other port on my computer.

Since this is all done with init scripts, which require me to be root to
use, and iptables is running, I would assume everything is
being executed properly.

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ftp
REJECT     all  --  anywhere             anywhere           reject-with icmp-host-prohibited




/etc/sysconfig/iptables

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT



/etc/sysconfig/iptables-config

# Additional iptables modules (nat helper)
# Default: -empty-
#IPTABLES_MODULES="ip_nat_ftp"

# Save current firewall rules on stop.
# Value: yes|no,  default: no
#IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no,  default: no
#IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule counter.
# Value: yes|no,  default: no
#IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no,  default: no
#IPTABLES_STATUS_NUMERIC="no"



Considering that every iptables script I've looked at is five times longer
than both those files combined (including supposedly 'simple' scripts), I
would assume something isn't right.

I've read man iptables, but it's overwhelming, and I've tried editing
other people's simple scripts; again, overwhelming. I couldn't make
anything work that I wanted (like allowing port 11000 for HTTP ONLY).

If someone could write me something that does the following and comment
it so I know what each section is doing, that would be great:

1. Allow incoming connections on ports 11000 (HTTP), 21 (FTP), 22 (SSH),
and 113 (identd).
2. Allow outgoing on all ports.
3. Just one Ethernet card, eth0.

Thanks.

Oh, and for the guy who said my email host is spoofed: lol it's not.
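The reason every port is reachable is visible in the posted /etc/sysconfig/iptables: the line `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` (what redhat-config-securitylevel writes when eth0 is marked a "trusted device") matches every packet arriving on eth0, and iptables stops at the first matching rule, so the ESTABLISHED/RELATED rule, the port-21 rule and the final REJECT are never reached for eth0 traffic. The `iptables -L` output shows the same thing as the second `ACCEPT all -- anywhere anywhere` line. Below is an added example, not from the original post or any reply on the list: a corrected rules file in the same iptables-restore format, commented per section, that does what the three numbered requirements ask (inbound tcp/11000, 21, 22 and 113; all outbound; one card, eth0), plus a small shell audit that flags an interface-wide ACCEPT of this kind in any saved rules file. The posted file is reproduced inside the script only so the audit can be run against it. Assumptions not in the post: the services actually listen on those TCP ports, and the file is loaded the Red Hat way (`service iptables restart`, which runs iptables-restore). The ESP/AH rules (`-p 50`, `-p 51`) from the generated file are only needed for IPsec and were left out.

```shell
#!/bin/sh
# Added example (not from the original post): a corrected /etc/sysconfig/iptables for a
# single-NIC host (eth0), plus an audit that shows why the posted file let everything in.
# Assumptions (not in the post): services listen on tcp/11000, 21, 22, 113, and the file
# is loaded via "service iptables restart" (iptables-restore).

# The corrected ruleset in iptables-restore format.  iptables-restore ignores lines that
# start with '#', so these comments can stay in the real file.
fixed_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Everything arriving (INPUT) or transiting (FORWARD) is judged by one chain.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Loopback traffic never leaves the host; always accept it.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Deliberately NO "-i eth0 -j ACCEPT" here.  iptables stops at the first matching rule,
# so that line (the "trusted device" setting) accepted every packet on eth0 before the
# port rules below were ever consulted.
# ICMP (ping, path-MTU and unreachable messages).
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Packets of connections this host already opened or accepted.  Outgoing is unrestricted
# (OUTPUT policy ACCEPT); this rule lets the replies back in.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound TCP connections, one rule per service.
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 11000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 113 -j ACCEPT
# Anything not matched above is refused.  This final rule is what makes the set
# deny-by-default even though the chain policies are ACCEPT.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The ruleset as posted, copied here (constructed copy) so the audit can be run on it.
posted_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# audit_rules FILE: print every rule that ACCEPTs a whole non-loopback interface with no
# protocol, port or state match.  Above the per-port rules such a rule makes them
# unreachable.  Returns 1 if any were found, 0 if the file is clean.
audit_rules() {
    if grep -E -- '^-A [^ ]+ -i [^ ]+ -j ACCEPT *$' "$1" | grep -v -- ' -i lo '; then
        return 1
    fi
    return 0
}

# Demo: audit the posted file, then the corrected one.
tmp=$(mktemp)
posted_rules > "$tmp"
audit_rules "$tmp" || echo "posted file: the rule above accepts all of eth0 ahead of the port rules"
fixed_rules > "$tmp"
audit_rules "$tmp" && echo "corrected file: no interface-wide ACCEPT"
rm -f "$tmp"
```

To use it, write the output of `fixed_rules` to /etc/sysconfig/iptables, run `service iptables restart`, then check `/sbin/iptables -L -n -v`: the per-rule packet counters show which rule each probe actually hits, and a connect from another host to a port not in the list (say `nc -z -v HOST 80`) should be refused immediately rather than answered. Two caveats a practitioner would add: for FTP in passive mode the data connection lands on a random high port, so set `IPTABLES_MODULES="ip_conntrack_ftp"` in /etc/sysconfig/iptables-config so conntrack classifies it as RELATED; and if no identd is actually running, replacing the port-113 ACCEPT with `-p tcp --dport 113 -j REJECT --reject-with tcp-reset` gives remote mail and IRC servers an instant refusal instead of a timeout. Note also that redhat-config-securitylevel rewrites this file, so running it again with eth0 still ticked as trusted will put the `-i eth0 -j ACCEPT` line back.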





More information about the fedora-list mailing list