iptable in fc5

Christopher K. Johnson ckjohnson at gwi.net
Tue May 16 17:43:58 UTC 2006


Hongwei Li wrote:
>> On Mon, 2006-05-15 at 14:27 -0500, Hongwei Li wrote:
>>     
>>> Hi,
>>>
>>> I have a question about iptables in fc5. I have iptables 1.3.5-1.2
>>> installed.
>>> By default, the iptables has a line
>>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>> ... and
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>
>>> I try to add the port 2049 for our lan nfs by adding a line before the above
>>> reject line:
>>>
>>>       
>> You're also going to need to unblock ports for portmapper, mountd,
>> rquotad, and (maybe) rstatd and nfslockd.  I don't use the last two on
>> my home systems.
>>
>> Create a file on the server at /etc/sysconfig/nfs that will bind mountd
>> and rquotad to fixed ports (I use 922 and 923, but you don't have to).
>>
>> [root at petrel ~]# cat /etc/sysconfig/nfs
>> export MOUNTD_PORT=922
>> export RQUOTAD_PORT=923
>>
>> Then, in /etc/sysconfig/iptables, add the following rules (change the -s
>> address as appropriate, or remove it altogether):
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p
>> tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>     
>
> Thanks a lot for you and Chris's help, I created /etc/sysconfig/nfs, did what
> you suggested and now it is working.
>
> A few more questions about iptables setting:
>
> 1. What's difference if I put some lines like
> -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
> before line
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> or put it in between it and the following line:
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>   
The difference is performance.  Once a connection table entry is 
established all subsequent packets will be accepted when the 
ESTABLISHED,RELATED... rule is hit.  So placing that near the top, and 
rules to decide what new connections to permit below it, shortens the 
rule traversal for the majority of packets.
> 2. When do we need to include "-m state --state NEW" or "-m state --state
> NEW,ESTABLISHED,RELATED" or "-m state --state ESTABLISHED,RELATED" in a line?
> Will they cause different functions?
>   
Definitely different.  If you allow all state NEW packets you are not 
acting like a firewall because you are allowing any and all connections.
Stick to the accept on ESTABLISHED,RELATED for the bulk of packets on 
already permitted connections, and use NEW in the rules where you are 
evaluating whether to accept a connection or not based on what the 
source and/or destination address/port are.
> 3. For those lines with "-m state --state NEW" etc., should I put them before
> line
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> or after it?
>   
After - the same reason as question 1.  Not because you have to to make 
it work, but because doing so is more efficient.
> Thanks!
>
> Hongwei
>
>
>   


-- 
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #804005699817957
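As an added illustration of the three answers above (this is example code written for this page, not code from the thread or from Fedora), the following Python script models iptables first-match evaluation with a toy connection tracker. It assumes a simplified conntrack: a flow is identified by (source, protocol, destination port), an entry is created only when a NEW packet is ACCEPTed, and RELATED is not modelled. RULES_LATE copies the ordering quoted in the question; RULES_EARLY is constructed from Chris's advice (ESTABLISHED,RELATED at the top, port rules qualified with --state NEW); RULES_OPEN_NEW is the "allow all NEW" case from question 2. The sample packets are constructed.

```python
"""Toy model of iptables first-match evaluation with a minimal conntrack.
Added example for this thread, not code from the original post.
Assumptions: a flow is (src, proto, dport); the conntrack table gains an
entry only when a NEW packet is ACCEPTed; RELATED is not modelled."""
import ipaddress
import shlex

CHAIN = "-A RH-Firewall-1-INPUT"
LAN = "-s 192.168.1.0/24"
NEW = "-m state --state NEW"

# Ordering from the question: port rules first, none of them qualified by state.
RULES_LATE = f"""
{CHAIN} {LAN} -p tcp --dport 922 -j ACCEPT
{CHAIN} {LAN} -p udp --dport 922 -j ACCEPT
{CHAIN} {LAN} -p tcp --dport 923 -j ACCEPT
{CHAIN} {LAN} -p udp --dport 923 -j ACCEPT
{CHAIN} {LAN} -p tcp --dport 111 -j ACCEPT
{CHAIN} {LAN} -p udp --dport 111 -j ACCEPT
{CHAIN} {LAN} -p tcp --dport 2049 -j ACCEPT
{CHAIN} -m state --state ESTABLISHED,RELATED -j ACCEPT
{CHAIN} {LAN} {NEW} -m tcp -p tcp --dport 22 -j ACCEPT
{CHAIN} -j REJECT --reject-with icmp-host-prohibited
"""

# Ordering recommended in the answers: ESTABLISHED,RELATED on top, port rules only decide NEW.
RULES_EARLY = f"""
{CHAIN} -m state --state ESTABLISHED,RELATED -j ACCEPT
{CHAIN} {LAN} {NEW} -p tcp --dport 922 -j ACCEPT
{CHAIN} {LAN} {NEW} -p udp --dport 922 -j ACCEPT
{CHAIN} {LAN} {NEW} -p tcp --dport 923 -j ACCEPT
{CHAIN} {LAN} {NEW} -p udp --dport 923 -j ACCEPT
{CHAIN} {LAN} {NEW} -p tcp --dport 111 -j ACCEPT
{CHAIN} {LAN} {NEW} -p udp --dport 111 -j ACCEPT
{CHAIN} {LAN} {NEW} -p tcp --dport 2049 -j ACCEPT
{CHAIN} {LAN} {NEW} -p tcp --dport 22 -j ACCEPT
{CHAIN} -j REJECT --reject-with icmp-host-prohibited
"""

# Question 2: accepting every NEW packet makes the REJECT rule unreachable.
RULES_OPEN_NEW = f"""
{CHAIN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
{CHAIN} -j REJECT --reject-with icmp-host-prohibited
"""

# Options we model; every option in these rules takes exactly one argument.
OPTS = {"-s": ("src", lambda v: ipaddress.ip_network(v, strict=False)),
        "-p": ("proto", str), "--dport": ("dport", int),
        "--state": ("states", lambda v: set(v.split(","))), "-j": ("target", str)}


def parse_rules(text):
    """Parse iptables-save style lines into match dicts (-A, -m, --reject-with are ignored)."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = {"src": None, "proto": None, "dport": None, "states": None, "target": None}
        for opt, val in zip(toks[::2], toks[1::2]):
            if opt in OPTS:
                key, conv = OPTS[opt]
                rule[key] = conv(val)
        rules.append(rule)
    return rules


def matches(rule, pkt, state):
    """True when every match the rule specifies agrees with the packet and its conntrack state."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or state in rule["states"]))


def run(rules_text, packets):
    """Evaluate packets in order, first match wins. Returns [(verdict, rules_traversed), ...]."""
    rules = parse_rules(rules_text)
    conntrack = set()                    # flows confirmed by an earlier ACCEPT
    results = []
    for pkt in packets:
        flow = (pkt["src"], pkt["proto"], pkt["dport"])
        state = "ESTABLISHED" if flow in conntrack else "NEW"
        verdict, n = "END_OF_CHAIN", len(rules)
        for n, rule in enumerate(rules, start=1):
            if matches(rule, pkt, state):
                verdict = rule["target"]
                break
        if verdict == "ACCEPT":
            conntrack.add(flow)
        results.append((verdict, n))
    return results


def pkt(src, proto, dport):
    return {"src": src, "proto": proto, "dport": dport}


# Constructed traffic: a 5-packet NFS flow from the LAN, one NFS probe from outside, one LAN ssh.
PACKETS = ([pkt("192.168.1.10", "tcp", 2049)] * 5
           + [pkt("10.0.0.5", "tcp", 2049), pkt("192.168.1.10", "tcp", 22)])


def total_traversed(rules_text, packets=PACKETS):
    """Sum of rules examined over all packets: the cost the thread is talking about."""
    return sum(n for _, n in run(rules_text, packets))


if __name__ == "__main__":
    for name, rules in [("late", RULES_LATE), ("early", RULES_EARLY), ("open-new", RULES_OPEN_NEW)]:
        print(name, run(rules, PACKETS), "rules traversed:", total_traversed(rules))
```

With the question's ordering every NFS packet walks seven rules before it is accepted; with the ESTABLISHED,RELATED rule on top only the first packet of the flow walks the port rules and the rest match at rule one, while the probe from outside the LAN still reaches the REJECT. The open-NEW ruleset accepts the outside probe at its first rule, which is the "not acting like a firewall" case in the second answer.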