FC-5 iptables question
Alexander Dalloz
ad+lists at uni-x.org
Tue Aug 1 15:09:16 UTC 2006
Peter Horst wrote:
> Sorry, kind of a dumb question. I'm trying to open a port to allow
> DNS traffic (port 53, UDP and TCP). I tried a quick nmap from outside
> my network, and though the tcp port shows up open, there's no reading
> from the udp port. How can I tell if I've opened the port correctly?
> Here's what I think is the relevant output from 'service iptables
> status' - does this look right? Thanks much...
Did you do a UDP nmap scan?
nmap -sU -p53 <target_host>
>
> Chain RH-Firewall-1-INPUT (2 references)
> num  target  prot opt source     destination
> 1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
> 2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0    icmp type 255
> 3    ACCEPT  esp  --  0.0.0.0/0  0.0.0.0/0
> 4    ACCEPT  ah   --  0.0.0.0/0  0.0.0.0/0
> 5    ACCEPT  udp  --  0.0.0.0/0  224.0.0.251  udp dpt:5353
> 6    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0    udp dpt:53
> 7    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:53
Both TCP and UDP port 53 open - not state dependent.
>
> 8    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0    udp dpt:631
> 9    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:631
> 10   ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
> 11   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
> 12   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:25
> 13   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:80
> 14   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:443
>
> 15   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:53
> 16   ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:53
Again opened port 53 TCP/UDP - here just for state NEW.
> 17   REJECT  all  --  0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
One of the settings isn't necessary. From the rule to allow all with
state RELATED,ESTABLISHED you would only need to explicitly allow state
NEW for port 53, given you run a public nameservice.
Alexander
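As an added example (not from this thread), a self-contained Python check that complements `nmap -sU`: since nmap reports a silent UDP port as open|filtered, the only positive confirmation of the UDP/53 rule is a real DNS reply, so this script sends one query and classifies the outcome. The target host and the query name are assumptions.

```python
import socket
import struct
import sys


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query (RD set) for `name`, suitable for one UDP datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_dns_response(packet: bytes, txid: int = 0x1234) -> bool:
    """True if `packet` is a DNS message for our transaction id with the QR bit set."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)


def probe_udp53(host: str, name: str = "localhost.", timeout: float = 2.0) -> str:
    """Send one DNS query to host:53/UDP and report what the firewall let through.

    'responded'   a DNS reply came back: UDP/53 is accepted and served
    'rejected'    an ICMP error (e.g. iptables REJECT) was delivered to the socket
    'no response' silent: packet DROPped, filtered on the path, or nothing listening
    """
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() makes the kernel deliver ICMP errors for this peer as an OSError
        s.connect((host, 53))
        try:
            s.send(build_dns_query(name, txid))
            data = s.recv(512)
        except socket.timeout:
            return "no response"
        except OSError as e:
            return f"rejected ({e.strerror})"
    return "responded" if is_dns_response(data, txid) else "no response"


if __name__ == "__main__":
    # hypothetical target; replace with the nameserver being tested
    print(probe_udp53(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```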