FC-5 iptables question

Alexander Dalloz ad+lists at uni-x.org
Tue Aug 1 15:09:16 UTC 2006


Peter Horst schrieb:

> Sorry, kind of a dumb question.  I'm trying to open a port to allow 
> DNS traffic (port 53, UDP and TCP).  I tried a quick nmap from outside 
> my network, and though the tcp port shows up open, there's no reading 
> from the udp port. How can I tell if I've opened the port correctly? 
> Here's what I think is the relevant output from 'service iptables 
> status' - does this look right?  Thanks much...

Did you do a UDP nmap scan?

nmap -sU -p53 <target_host>

>
> Chain RH-Firewall-1-INPUT (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353

> 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53

Both TCP and UDP port 53 open - not state dependent.

>
> 8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> 9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 10   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
> 13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> 14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443

>
> 15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
> 16   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

Again opened port 53 TCP/UDP - here just for state NEW.

> 17   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

One of the settings isn't necessary. Given the rule that allows all with 
state RELATED,ESTABLISHED, you would only need to explicitly allow state 
NEW for port 53, given that you run a public nameservice.

Alexander




