Help with iptables firewall rules

Robert L Cochran cochranb at speakeasy.net
Sun Feb 6 19:17:31 UTC 2005


Felipe Alfaro Solana wrote:

> On 6 Feb 2005, at 18:54, Robert L Cochran wrote:
>
>> I'm trying to allow my print server on 192.168.1.160 to communicate 
>> with my machine. Otherwise, I don't seem able to print to my 
>> Laserjet. It seems to be doing that by sending TCP packets to port 
>> 1023. So I added this rule to my firewall:
>>
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 
>> 1023 -j ACCEPT
>>
>> But the packets still get rejected:
>>
>> Feb 6 12:26:04 bobcp4 kernel: Packet dropped..IN=eth1 OUT= 
>> MAC=00:11:09:61:11:6b:00:c0:02:55:52:55:08:00 SRC=192.168.1.160 
>> DST=192.168.1.14 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=34854 PROTO=TCP 
>> SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0
>>
>> I also had 2 other rules:
>>
>> # -A RH-Firewall-1-INPUT -s 192.168.1.160 -p tcp -m state --state 
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>> # -A RH-Firewall-1-INPUT -s 192.168.1.160 -p udp -m state --state 
>> NEW,ESTABLISHED,RELATED -j ACCEPT
>>
>> They are shown commented out, but when I uncommented them the effect 
>> was the same as above: again the packets were rejected and nothing 
>> printed. Any idea of what I am doing wrong? Port 631 is open.
>
>
> Where did you insert your rule? Make sure there is no DENY ALL rule 
> before the one you added. It's very common in firewall rulesets to end 
> the set with a DENY ALL rule. Thus, any rule you append will be useless.
>
There is indeed a global REJECT rule at the end of this chain. But I 
added the rule near the start of the chain. There must be something I'm 
missing here about the state of the packets.

Bob
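The two things the thread turns on are rule order in RH-Firewall-1-INPUT and what `-m state` actually sees in the dropped packet. The following script is an added example, not code from the thread or from Fedora: it parses the kernel log line quoted above, reads off the TCP flags (the packet carries ACK, PSH and SYN together, so it is a SYN/ACK reply rather than a fresh connection attempt), and walks a first-match model of the chain with the appended rule placed after the trailing REJECT versus inserted near the top. The conntrack model is a deliberate simplification and an assumption of this example: a lone SYN is NEW, a packet of an already tracked connection is ESTABLISHED, and a SYN/ACK that matches no tracked connection is INVALID, which neither `--state NEW` nor `--state ESTABLISHED,RELATED` accepts. The second log line and the three-rule chain are constructed for the demonstration.

```python
"""Parse a netfilter LOG line and walk a first-match model of an iptables chain."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample input: the first line is the one quoted in the thread,
# the second is a made-up plain SYN to the same port for comparison.
LOG_LINES = [
    "Feb 6 12:26:04 bobcp4 kernel: Packet dropped..IN=eth1 OUT= "
    "MAC=00:11:09:61:11:6b:00:c0:02:55:52:55:08:00 SRC=192.168.1.160 "
    "DST=192.168.1.14 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=34854 PROTO=TCP "
    "SPT=515 DPT=1023 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0",
    "Feb 6 12:30:00 bobcp4 kernel: Packet dropped..IN=eth1 OUT= "
    "MAC=00:11:09:61:11:6b:00:c0:02:55:52:55:08:00 SRC=192.168.1.160 "
    "DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=1023 WINDOW=5840 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log(line: str) -> dict:
    """Split a netfilter LOG line into KEY=VALUE fields plus a FLAGS set.
    Everything before 'IN=' is syslog header and log prefix and is dropped."""
    body = line[line.find("IN="):]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # bare tokens such as ACK PSH SYN
            flags.add(tok)
    fields["FLAGS"] = frozenset(flags)
    return fields


def conntrack_state(pkt: dict, tracked: bool = False) -> str:
    """Simplified model (assumption) of what '-m state' sees for TCP:
    a lone SYN is NEW, a packet of a tracked connection is ESTABLISHED,
    and a SYN/ACK with no tracked connection is INVALID."""
    flags = pkt["FLAGS"]
    if tracked:
        return "ESTABLISHED"
    if "SYN" in flags and "ACK" not in flags and "RST" not in flags:
        return "NEW"
    return "INVALID"


@dataclass
class Rule:
    """One rule of the chain; None means 'match any' for that field."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, pkt: dict, state: str) -> bool:
        if self.proto and pkt.get("PROTO", "").lower() != self.proto:
            return False
        if self.src and pkt.get("SRC") != self.src:
            return False
        if self.dport is not None and int(pkt.get("DPT", -1)) != self.dport:
            return False
        if self.states is not None and state not in self.states:
            return False
        return True


def walk_chain(chain: List[Rule], pkt: dict, state: str) -> Tuple[str, int]:
    """First-match evaluation: (target, index of the rule that fired)."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt, state):
            return rule.target, index
    return "POLICY", -1


# Constructed three-rule model of the chain described in the thread.
ESTABLISHED = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
PORT_1023 = Rule("ACCEPT", proto="tcp", dport=1023, states=frozenset({"NEW"}))
REJECT_ALL = Rule("REJECT")

APPENDED = [ESTABLISHED, REJECT_ALL, PORT_1023]   # -A lands after the REJECT
INSERTED = [PORT_1023, ESTABLISHED, REJECT_ALL]   # -I puts it near the top


def demo() -> dict:
    """Evaluate each sample packet against both chain orderings."""
    results = {}
    for line in LOG_LINES:
        pkt = parse_log(line)
        state = conntrack_state(pkt)
        results[(pkt["SPT"], state)] = {
            "appended": walk_chain(APPENDED, pkt, state),
            "inserted": walk_chain(INSERTED, pkt, state),
        }
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Running it shows both halves of the thread: the plain SYN is rejected only when the port-1023 rule sits behind the REJECT and accepted once it is inserted first, while the quoted packet, a SYN/ACK from port 515 with no tracked connection, is rejected in both orderings because its state is neither NEW nor ESTABLISHED. Such a reply can only be accepted when conntrack has already seen the outbound SYN that provoked it, which is why moving the rule alone does not change the outcome in the model.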
