On Mon, Mar 10, 2003 at 10:32:46PM +0100, klemens zwischenbrugger wrote:

> in this FW script it's not foreseen to use a REJECT ?

Correct, the script uses DENY rather than REJECT.

> I'd like to reject connections to port 113 ( AUTH ).

Easy enough to do through the HOOK options.  You could place something
like the following in the POSTSTART and POSTRESTART options:

   POSTSTART="/usr/local/sbin/iptables-helper"
   POSTRESTART="/usr/local/sbin/iptables-helper"

   $ cat /usr/local/sbin/iptables-helper
   #!/bin/sh

   /sbin/iptables -t mangle -I PREROUTING -p tcp --dport 113 -j ACCEPT
   /sbin/iptables -t nat -I PREROUTING -p tcp --dport 113 -j ACCEPT
   /sbin/iptables -t filter -I INPUT -p tcp --dport 113 -j REJECT \
      --reject-with tcp-reset


The first two are necessary since the REJECT target can only be used in
the INPUT, FORWARD and OUTPUT chains.  The packet needs to be allowed
through to the first opportunity to REJECT it.

-- 
Jamin W. Collins
