[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: iptable in fc5



Hongwei Li wrote:
On Mon, 2006-05-15 at 14:27 -0500, Hongwei Li wrote:
Hi,

I have a question about iptables in fc5. I have iptables 1.3.5-1.2
installed.
By default, the iptables has a line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
... and
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I try to add the port 2049 for our lan nfs by adding aline before the above
reject line:

You're also going to need to unblock ports for portmapper, mountd,
rquotad, and (maybe) rstatd and nfslockd.  I don't use the last two on
my home systems.

Create a file on the server at /etc/sysconfig/nfs that will bind mountd
and rquotad to fixed ports (I use 922 and 923, but you don't have to).

[root petrel ~]# cat /etc/sysconfig/nfs
export MOUNTD_PORT=922
export RQUOTAD_PORT=923

Then, in /etc/sysconfig/iptables, add the following rules (change the -s
address as appropriate, or remove it altogether):
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p
tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Thanks a lot for you and Chris's help, I created /etc/sysconfig/nfs, did what
you suggested and now it is working.

A few more quations about iptables setting:

1. What's difference if I put some lines like
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
before line
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
or put it in between it and the following line:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
The difference is performance. Once a connection table entry is established all subsequent packets will be accepted when the ESTABLISHED,RELATED... rule is hit. So placing that near the top, and rules to decide what new connections to permit below it shorten the rules traversed for the majority of packets.
2. When do we need to include "-m state --state NEW" or "-m state --state
NEW,ESTABLISHED,RELATED" or "-m state --state ESTABLISHED,RELATED" in a line?
Will they cause different functions?
Definitely different. If you allow all state NEW packets you are not acting like a firewall because you are allowing any and all connections. Stick to the accept on ESTABLISHED,RELATED for bulk of packets on already permitted connections, and the use of NEW in rules that you are evaluating whether to accept a connection or not based on what the source and/or destination address/port are.
3. For those lines with "-m state --state NEW" etc., should I put them before
line
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
or after it?
After - the same reason as question 1. Not because you have to to make it work, but because doing so is more efficient.
Thanks!

Hongwei




--
  "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
  Chris Johnson, RHCE #804005699817957


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]