  1. #1 Linux Newbie (Join Date: Feb 2009; Posts: 100)

    iptables question

    I'd like to open ports 4000-4004 for rpc services on my NFS server to all the clients on my LAN (192.168.1.0/24). How would I modify iptables manually? I don't want to use Fedora's system-config-firewall. Could anyone tell me step by step? Thanks

  2. #2 Just Joined! (Join Date: Aug 2009; Location: Mumbai, India; Posts: 75)
    The command to allow access to rpc services on the server from the local network:

    iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT

    Here -I RH-Firewall-1-INPUT 1 adds the said rule as the first rule to the existing list of rules (if any)

    Assuming your default policy for RH-Firewall-1-INPUT chain is DROP, you could modify the above command to:

    iptables -A RH-Firewall-1-INPUT -p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT
    (here -A RH-Firewall-1-INPUT appends the above rule to the list of rules)

    To have this rule available on subsequent restarts, modify the file /etc/sysconfig/iptables (CentOS, RHEL, Fedora distros) to include the following line:

    -A RH-Firewall-1-INPUT -p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT

    (the above line could be added anywhere within the file along with other RH-Firewall-1-INPUT rules; but remember that the firewall rules are applicable in sequential order)

    If the RH-Firewall-1-INPUT chain is not preconfigured on your system then you could substitute it with INPUT.

    -- Syd

  3. #3 Linux Newbie (Join Date: Feb 2009; Posts: 100)
    Thanks a lot. I'll try it at home.
    After adding the above line to /etc/sysconfig/iptables I assume I'll have to restart iptables for it to take permanent effect, and that's it, isn't it?

    Thanks again.

  4. #4 Just Joined! (Join Date: Aug 2009; Location: Mumbai, India; Posts: 75)
    Hi,

    Yes, you need to restart iptables after adding the entries to /etc/sysconfig/iptables, or as an alternative you could also enter those commands at the CLI and validate them with iptables -L -v

    Either of those works...

    --Syd

  5. #5 Linux Newbie (Join Date: Feb 2009; Posts: 100)
    thanks mate

  6. #6 Linux Newbie (Join Date: Feb 2009; Posts: 100)
    Hey,
    I added the line to /etc/sysconfig/iptables so it looks like this now:

    Code:
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A RH-Firewall-1-INPUT -p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT
    COMMIT

    Then I restarted iptables:

    Code:
    /etc/init.d/iptables restart
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules: iptables-restore: line 15 failed    [FAILED]

    What could be the reason?

  7. #7 Linux Newbie (Join Date: Feb 2009; Posts: 100)
    Ok, I changed the line to:
    Code:
    -A INPUT -p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT
    ... and it works. What's the difference between those two lines?

  8. #8 Just Joined! (Join Date: Aug 2009; Location: Mumbai, India; Posts: 75)
    RH-Firewall-1-INPUT is just another filter chain like INPUT. On rpm based systems like CentOS/RHEL/Fedora, this chain is normally preconfigured.

    The iptables rules are then so configured that every inbound packet is redirected to the RH-Firewall-1-INPUT chain and packet filtering takes place on the basis of rules in RH-Firewall-1-INPUT.

    I assume additional filter chains like RH-Firewall-1-INPUT are used for manageability / to streamline the processing of packets, and some might not feel it's necessary to have additional filter chains. Since your system did not have a RH-Firewall-1-INPUT chain but you added a rule referencing RH-Firewall-1-INPUT, it threw up the error "line 15 failed".

    --Syd
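The two things that went wrong or could go wrong in this thread can both be caught before anyone restarts iptables: a rule that appends to a chain the file never declares (the "line 15 failed" in post #6), and a rule appended after the catch-all `-A INPUT -j REJECT` line, which, as Syd notes in post #2, can never match because rules are evaluated in order. The lint below is an added example, not code from the thread or from any distro's iptables scripts; it assumes only POSIX sh and awk, and the sample files it checks are constructed from the file posted in #6 (with the chain name from #6, the chain name from #7, and a third variant with the rule placed ahead of the REJECT). The `lint_iptables_file` and `write_sample` function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight lint for a file in
# iptables-save format (e.g. /etc/sysconfig/iptables) that catches two
# mistakes before "service iptables restart" does:
#   1. a rule that appends to a chain the file never declares
#      (iptables-restore then fails with "line N failed", as in post #6);
#   2. a rule appended after an unconditional ACCEPT/DROP/REJECT/RETURN in
#      the same chain, which can never match because rules are evaluated
#      in order (the sequential-order point from post #2).
# Assumes only POSIX sh and awk; the sample files are constructed below.

# lint_iptables_file FILE
#   Prints one diagnostic per offending rule; returns 1 if any, else 0.
#   Chains are declared by ":NAME POLICY [pkts:bytes]" lines and scoped
#   per "*table" header, so the declared set is reset at each table.
lint_iptables_file() {
    awk '
        /^\*/ { split("", declared); split("", closed); next }
        /^:/  { declared[substr($1, 2)] = 1; next }
        /^-[AI] / {
            chain = $2
            if (!(chain in declared)) {
                printf "line %d: chain %s undeclared\n", NR, chain
                bad = 1; next
            }
            if ($1 == "-A" && (chain in closed)) {
                printf "line %d: rule unreachable, chain %s already ends with catch-all at line %d\n", NR, chain, closed[chain]
                bad = 1; next
            }
            # A rule with no match options and a terminating target catches
            # every packet, so anything appended after it is dead.
            has_match = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++ }
                else if ($i == "--reject-with") { i++ }
                else has_match = 1
            }
            if ($1 == "-A" && !has_match && target ~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                closed[chain] = NR
            next
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample FILE VARIANT
#   Writes a constructed copy of the thread's /etc/sysconfig/iptables.
#   undeclared: the RH-Firewall-1-INPUT line from post #6 (line 15)
#   shadowed:   the INPUT line from post #7, still after the REJECT (line 15)
#   ordered:    the same INPUT line placed before the catch-all REJECT
write_sample() {
    new='-p tcp --dport 4000:4004 -s 192.168.1.0/24 -j ACCEPT'
    before=''; after=''
    case $2 in
        undeclared) after="-A RH-Firewall-1-INPUT $new" ;;
        shadowed)   after="-A INPUT $new" ;;
        ordered)    before="-A INPUT $new" ;;
    esac
    {
        cat <<'EOF'
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
EOF
        if [ -n "$before" ]; then printf '%s\n' "$before"; fi
        cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
        if [ -n "$after" ]; then printf '%s\n' "$after"; fi
        echo COMMIT
    } > "$1"
}

# Stand-alone demo: lint all three variants.
tmp=$(mktemp)
for variant in undeclared shadowed ordered; do
    write_sample "$tmp" "$variant"
    if lint_iptables_file "$tmp"; then
        echo "$variant: OK, safe to load with iptables-restore"
    else
        echo "$variant: fix the rule above before restarting iptables"
    fi
done
rm -f "$tmp"
```

Run it against the real file with `lint_iptables_file /etc/sysconfig/iptables` before the restart; the first diagnostic reproduces the "line 15" that iptables-restore reported, and the second shows why appending the new ACCEPT after the REJECT catch-all (as in the file from #6 and #7) leaves the NFS ports closed even though the restart succeeds. The unreachability check is a heuristic: it does not follow `-j` jumps into user-defined chains and ignores the position argument of `-I` lines.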
