iptables problem

#1, 04-07-2011, Just Joined! (Join Date: Nov 2010, Posts: 6)
Hello,
I have /etc/sysconfig/iptables file:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
But I still can't ping any DNS name.
All outgoing traffic is allowed and state ESTABLISHED,RELATED is ACCEPT, so if my DNS client connects to the DNS server on port 53, shouldn't it ACCEPT all packets from it, because I have state ESTABLISHED,RELATED?
#2, 04-07-2011, Just Joined! (Join Date: Nov 2010, Posts: 6)
When I add the rule
-A RH-Firewall-1-INPUT -p udp -m udp --sport 53 -j ACCEPT
it starts to work, but then I tried to use wget, and it also requires a rule:
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 80 -j ACCEPT
Why doesn't --state work for me?
#3, 04-08-2011, Just Joined! (Join Date: Sep 2007, Posts: 51)
Allow ICMP and web traffic
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#-N RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --port 49,53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m multiport --dport 22,53,80,443 -j ACCEPT
-A RH-Firewall-1-INPUT ! -d <your ip address> -j REJECT --reject-with icmp-host-prohibited
COMMIT
I modified your iptables statement to streamline it.
Go to the IP address section and add your IP address, or put in 0/0 (all) or a subnet, for example 192.168.0.0/16.
That should do it.
It will allow you to access the internet and ping DNS addresses.
Todd
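The three rulesets in this thread differ in ways that are easy to miss when reading them by eye, so here is an added example (the editor's own code, not anything the posters wrote) that lints constructed copies of them offline for the ordering and state problems that make "-m state" look broken: a missing ESTABLISHED,RELATED rule, rules placed after an unconditional REJECT/DROP (or after INPUT's jump into a chain that always terminates), ACCEPT rules keyed on --sport, and an INPUT path with no catch-all, so that unmatched packets fall through to the ACCEPT policy. The function names are the editor's; the copies add the COMMIT line that iptables-restore requires, and 192.0.2.10 (a documentation address) stands in for the "<your ip address>" placeholder in the reply. "Unconditional" is defined narrowly as a rule of the form "-A CHAIN -j TARGET [--reject-with X]"; a rule that puts its match options after -j would not be recognised. As written, the first post's ruleset lints clean, the two --sport rules from the second post each produce a finding, and the reply's ruleset produces two.

```shell
#!/bin/sh
# Added example (editor's own, not code from the thread): an offline lint for the
# ordering and state mistakes that make "-m state" look broken, run over constructed
# copies of the rulesets posted above. It only reads text; it never calls iptables.
set -eu
# lint_ruleset FILE: print findings for an iptables-restore file, exit 1 if any.
# "Unconditional" means the rule is just "-A CHAIN -j TARGET [--reject-with X]".
lint_ruleset() {
  awk '
  function note(msg) { print msg; findings++ }
  { line[NR] = $0 }
  /^:INPUT / { policy = $2 }
  END {
    # Pass 1: first unconditional REJECT/DROP per chain; first jump out of INPUT.
    for (i = 1; i <= NR; i++) {
      split(line[i], f, " ")
      if (f[1] != "-A" || f[3] != "-j") continue
      if (f[4] == "REJECT" || f[4] == "DROP") { if (!(f[2] in term)) term[f[2]] = i; continue }
      if (f[2] == "INPUT" && f[4] != "ACCEPT" && f[4] != "RETURN" && f[4] != "LOG" && !jump) { jump = i; target = f[4] }
    }
    # Pass 2: per-rule findings, then whole-ruleset findings.
    for (i = 1; i <= NR; i++) {
      split(line[i], f, " ")
      if (f[1] != "-A") continue
      c = f[2]
      if (line[i] ~ /--(ct)?state [A-Z,]*ESTABLISHED/) seen_ct = 1
      if ((c in term) && i > term[c])
        note("unreachable: line " i " follows the unconditional REJECT/DROP at line " term[c] ": " line[i])
      else if (c == "INPUT" && jump && i > jump && (target in term))
        note("unreachable: line " i " follows the INPUT jump (line " jump ") into " target ", which always terminates: " line[i])
      if (line[i] ~ /--sport/ && line[i] ~ /-j ACCEPT/)
        note("sport-accept: line " i " trusts a source port instead of connection state: " line[i])
    }
    if (!seen_ct) note("no-conntrack: no --state/--ctstate ESTABLISHED,RELATED rule; replies to outbound connections are not matched statefully")
    if (policy == "ACCEPT" && !("INPUT" in term) && !(target in term))
      note("open-fallthrough: INPUT policy is ACCEPT and nothing on the INPUT path ends in an unconditional REJECT/DROP; unmatched packets are accepted")
    exit (findings > 0)
  }' "$1"
}
# Constructed copy of the first post, plus the COMMIT line iptables-restore needs.
post1_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# The first post with the two --sport ACCEPT rules from the second post added.
post2_ruleset() {
  post1_ruleset | awk '/-j REJECT/ {
    print "-A RH-Firewall-1-INPUT -p udp -m udp --sport 53 -j ACCEPT"
    print "-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 80 -j ACCEPT" } { print }'
}
# Constructed copy of the reply; 192.0.2.10 stands in for "<your ip address>".
todd_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#-N RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --port 49,53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m multiport --dport 22,53,80,443 -j ACCEPT
-A RH-Firewall-1-INPUT ! -d 192.0.2.10 -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# count_findings FILE: number of findings as a plain integer.
count_findings() { lint_ruleset "$1" | wc -l | tr -d ' '; }
# Run the lint over all three constructed copies.
tmp=$(mktemp -d)
for p in post1 post2 todd; do "${p}_ruleset" > "$tmp/$p"; echo "== $p"; lint_ruleset "$tmp/$p" || true; done
```

A file that lints clean is still only text on disk: on a RHEL/CentOS system of this era the running rules change only when the file is loaded with "service iptables restart" (or "iptables-restore < /etc/sysconfig/iptables"). After loading, "iptables -L RH-Firewall-1-INPUT -v -n" shows the live chain with per-rule packet counters, so you can see whether the state rule is actually present in the kernel and whether DNS replies are being counted by it or by the final REJECT, and "lsmod | grep conntrack" shows whether the connection-tracking module is loaded at all. The sport-accept finding is the security-relevant one: "--sport 53 -j ACCEPT" lets any host reach any local port simply by sending from source port 53, which is exactly what the ESTABLISHED,RELATED rule exists to avoid.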