  1. #1 (Just Joined!; Join Date: Nov 2010; Posts: 6)

    iptables problem


    Hello,

    I have /etc/sysconfig/iptables file:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


    But still I can't ping any DNS name. All outgoing traffic is allowed and state ESTABLISHED,RELATED is ACCEPT, so if my DNS client connects to DNS server port 53, it has to ACCEPT all packets from it, because I have state ESTABLISHED,RELATED?

  2. #2 (Just Joined!; Join Date: Nov 2010; Posts: 6)
    When I add the
    -A RH-Firewall-1-INPUT -p udp -m udp --sport 53 -j ACCEPT
    rule it starts to work, but I tried to use wget, and it also requires the rule:
    -A RH-Firewall-1-INPUT -p tcp -m tcp --sport 80 -j ACCEPT

    Why doesn't --state work for me?

  3. #3 (Just Joined!; Join Date: Sep 2007; Location: Silver Spring, MD; Posts: 95)

    Allow ICMP and web traffic

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    #-N RH-Firewall-1-INPUT
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m multiport --port 49,53 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m multiport --dport 22,53,80,443 -j ACCEPT

    -A RH-Firewall-1-INPUT ! -d <your ip address> -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    I modified your iptables statement to streamline it.

    Go to the ip address section and add your ip address, or put in 0/0 (all) or a subnet, for example 192.168.0.0/16.

    That should do it.

    It will allow you to access the internet and ping DNS addresses.

    Todd
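The following is an added illustration, not code from this thread or from any distribution: a small Python model of how the filter table walks the rulesets in posts #1, #2 and #3. It understands only the match options these files use, the packets are constructed, and 203.0.113.10 stands in for <your ip address>. Walking the rules this way shows three things the thread does not spell out: post #1's ESTABLISHED,RELATED rule already accepts a DNS reply that conntrack associates with our own query, so the reply being rejected points at the flow not being tracked rather than at the rule; post #2's --sport 53 workaround accepts any UDP datagram whose sender happened to choose source port 53, whatever its state; and post #3's `! -d <your ip address>` REJECT can never match traffic addressed to the host itself (and with 0/0 it matches nothing at all), so every packet the earlier rules did not decide falls through to INPUT's ACCEPT policy.

```python
"""Added model of an iptables filter-table walk (illustration, not netfilter).
It understands only the options used in this thread; packets are constructed."""

HEADER = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]",
          ":OUTPUT ACCEPT [0:0]", ":RH-Firewall-1-INPUT - [0:0]",
          "-A INPUT -j RH-Firewall-1-INPUT", "-A FORWARD -j RH-Firewall-1-INPUT"]
RH = "-A RH-Firewall-1-INPUT "
MY_IP = "203.0.113.10"  # constructed stand-in for post #3's <your ip address>

# Post #1's ruleset (COMMIT added so it is a complete iptables-restore file)
POST1 = HEADER + [RH + r for r in (
    "-i lo -j ACCEPT",
    "-p icmp --icmp-type any -j ACCEPT",
    "-p udp --dport 5353 -d 224.0.0.251 -j ACCEPT",
    "-p udp -m udp --dport 53 -j ACCEPT",
    "-p tcp -m tcp --dport 22 -j ACCEPT",
    "-p tcp -m tcp --dport 80 -j ACCEPT",
    "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT",
    "-j REJECT --reject-with icmp-host-prohibited")] + ["COMMIT"]
# Post #2's workaround: the --sport 53 rule inserted ahead of the final REJECT
POST2 = POST1[:-2] + [RH + "-p udp -m udp --sport 53 -j ACCEPT"] + POST1[-2:]
# Post #3's ruleset with the placeholder address filled in
POST3 = HEADER + [RH + "-i lo -j ACCEPT"] + [
    "-A INPUT -p icmp --icmp-type %s -j ACCEPT" % t for t in
    ("destination-unreachable", "time-exceeded", "echo-reply", "echo-request")] + [
    RH + "-p udp --dport 5353 -d 224.0.0.251 -j ACCEPT",
    RH + "-p udp -m multiport --port 49,53 -j ACCEPT",
    RH + "-p tcp -m multiport --dport 22,53,80,443 -j ACCEPT",
    RH + "! -d " + MY_IP + " -j REJECT --reject-with icmp-host-prohibited",
    "COMMIT"]


def parse(lines):
    """Return (policies, chains); policy None marks a user-defined chain."""
    policies, chains = {}, {}
    for line in lines:
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):
            toks = line.split()
            chains.setdefault(toks[1], []).append(toks[2:])
    return policies, chains


def matches(toks, pkt):
    """Evaluate one rule's match options (up to -j) against a packet dict."""
    i, neg = 0, False
    while toks[i] != "-j":
        opt = toks[i]
        if opt == "!":
            neg, i = True, i + 1
            continue
        val = toks[i + 1]
        vals = val.split(",")          # port lists and state lists
        if opt == "-i": ok = pkt["iface"] == val
        elif opt == "-p": ok = pkt["proto"] == val
        elif opt == "-d": ok = val == "0/0" or pkt["dst"] == val
        elif opt in ("--dport", "--dports"): ok = str(pkt["dport"]) in vals
        elif opt in ("--sport", "--sports"): ok = str(pkt["sport"]) in vals
        elif opt in ("--port", "--ports"): ok = str(pkt["dport"]) in vals or str(pkt["sport"]) in vals
        elif opt == "--state": ok = pkt["state"] in vals
        elif opt == "--icmp-type": ok = val == "any" or pkt.get("icmp_type") == val
        elif opt == "-m": ok = True    # loads a match module; no test of its own
        else: raise ValueError("unsupported option " + opt)
        if ok == neg:                  # plain match failed, or negated match succeeded
            return False
        neg, i = False, i + 2
    return True


def walk(chain, policies, chains, pkt):
    """Walk a chain; return a verdict, or None when a user chain falls through."""
    for toks in chains.get(chain, []):
        if not matches(toks, pkt):
            continue
        target = toks[toks.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = walk(target, policies, chains, pkt)   # user chain; None means RETURN
        if sub is not None:
            return sub
    return policies.get(chain)        # built-in policy, or None for a user chain


def verdict(lines, pkt):
    """Verdict the INPUT chain gives the packet under this ruleset."""
    policies, chains = parse(lines)
    return walk("INPUT", policies, chains, pkt)


def packet(proto, sport, dport, state, dst=MY_IP, iface="eth0"):
    return dict(proto=proto, sport=sport, dport=dport, state=state, dst=dst, iface=iface)


# Constructed packets arriving on eth0
DNS_REPLY = packet("udp", 53, 40123, "ESTABLISHED")  # reply to our own query, tracked by conntrack
STRAY_UDP = packet("udp", 53, 22, "NEW")              # unsolicited, sender chose source port 53
NEW_TCP = packet("tcp", 44444, 3306, "NEW")           # new connection to a port no rule opens

if __name__ == "__main__":
    for label, rules, pkt in (("post1 dns reply", POST1, DNS_REPLY),
                              ("post1 stray udp", POST1, STRAY_UDP),
                              ("post2 stray udp", POST2, STRAY_UDP),
                              ("post1 new tcp 3306", POST1, NEW_TCP),
                              ("post3 new tcp 3306", POST3, NEW_TCP)):
        print(label, "->", verdict(rules, pkt))
```

Run as a script it prints one verdict per line: post #1 accepts the tracked DNS reply and rejects both the stray UDP datagram and the new TCP connection; post #2 accepts the stray datagram purely because of its source port; post #3 accepts the new TCP connection to port 3306 even though no rule opens it. The model ignores NAT, other tables and conntrack timeouts, so use it to reason about rule order, not as a substitute for testing the real ruleset with iptables -L -v -n and the conntrack tool.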
