iptables question

jludwig wralphie at comcast.net
Tue Jul 27 01:56:06 UTC 2004


On Mon, 2004-07-26 at 21:43, Thomas Sapp wrote:
> I was wondering about how to change or add rules to the iptables.  I
> read the man page for it but can't seem to quite grasp the concept
> apparently.  Here is what I get from an iptables -t filter -L:
> ************************************************************************
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>  
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>  
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>  
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5801
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5901
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:5801
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:5901
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> *************************************************************************
> 
> I would like to change the settings for the ports for ftp, ssh, and VNC
> to only allow connections from 204.99.118.0/24 and so far this is what I
> have:
> 
> iptables -t filter -R RH-Firewall-1-INPUT 9 -p tcp -s 204.99.118.0/24
> 
> All that does is produce an output similar to this:
> 
>           tcp  --  204.99.118.0/24      anywhere
> 
> Can anyone help me with what I am doing wrong?  How do I add the ACCEPT
> and the state?  I have tried --state but it keeps telling me that it is
> an incorrect option.
> 
> -- 
> Thanks,
> Tom Sapp
> http://www.sappsworld.com
Try

iptables -t filter -R RH-Firewall-1-INPUT 9 -p tcp -s 204.99.118.0/24 -j ACCEPT

The rule is there but does nothing without a jump to filter (-j DROP,
ACCEPT, REJECT, etc.).
-- 
jludwig <wralphie at comcast.net>
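The correction in the reply, carried through all the ports the question wants restricted (ftp, ssh and VNC), as an added example that is not part of the original thread. The chain name, rule numbers and subnet come from the listing in the question; the -m state and --dport details are standard iptables usage the thread does not spell out.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the source-restricted
# rules the poster asked for, in the chain and rule positions shown in the
# question's listing (rules 9-14: ftp, ssh, VNC tcp/udp 5801 and 5901).
# Run with "show" to preview the commands, "apply" (as root) to execute them.

CHAIN="RH-Firewall-1-INPUT"          # chain name from the listing
ALLOWED_NET="204.99.118.0/24"        # subnet the poster wants to allow

# Build one complete -R command. Two details the first attempt missed:
#  * --state is an option of the state match, so -m state must precede it;
#  * without -j the rule matches packets but has no target, which is why
#    the listing showed a rule with an empty target column.
restricted_rule() {
    rulenum="$1"; proto="$2"; port="$3"
    printf 'iptables -t filter -R %s %s -p %s -s %s -m state --state NEW --dport %s -j ACCEPT\n' \
        "$CHAIN" "$rulenum" "$proto" "$ALLOWED_NET" "$port"
}

# Print the command when DRY_RUN=1, otherwise execute it.
apply_rule() {
    cmd=$(restricted_rule "$@")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}

# -R replaces in place, so chain order is preserved and the final
# REJECT rule stays last. Numeric ports avoid /etc/services lookups.
apply_all() {
    apply_rule 9  tcp 21   &&
    apply_rule 10 tcp 22   &&
    apply_rule 11 tcp 5801 &&
    apply_rule 12 tcp 5901 &&
    apply_rule 13 udp 5801 &&
    apply_rule 14 udp 5901
}

case "${1:-}" in
    show)  DRY_RUN=1; apply_all ;;
    apply) apply_all ;;
esac
# Verify afterwards with numbered, numeric output:
#   iptables -t filter -L RH-Firewall-1-INPUT -n --line-numbers
```

Preview with `sh restrict.sh show` before applying, and re-list the chain with --line-numbers to confirm rule 9 through 14 now carry both the source subnet and the ACCEPT target.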
More information about the fedora-list mailing list