On Mon, Mar 7, 2011 at 6:31 PM, William L. Thomson Jr. <[email protected]> wrote:
> On Mon, 2011-03-07 at 18:17 -0500, robert mckennon wrote:
>> On Mon, Mar 7, 2011 at 5:35 PM, William L. Thomson Jr.
>> <[email protected]> wrote:
>
>> >> # Allow unlimited traffic on loopback
>> >> iptables -A INPUT -i lo -j ACCEPT
>> >> iptables -A OUTPUT -o lo -j ACCEPT
>> >
>> > Where did you get the loopback stuff? I can't recall ever seeing
>> > loopback stuff in iptables before, which is why I ask :)
>> >
>>
>> Not sure where it came from, I'd have to go google it again.
>
> I could be wrong, but pretty sure you don't need to do anything with lo.
> Not sure anyone has created a firewall on a loopback interface. Usually
> if you need such functionality you will use a bridge and do firewalling,
> packet inspection, etc. on the bridge.
>
>> >> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119
>> >> --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 1024:65535 -d 0/0
>> >> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>> >
>> > This should fail since you're missing -m multiport, unless that is no
>> > longer necessary to specify.
>>
>> So could this be why it's not working?
>
> What is not working, everything, or just the FTP you're trying to get to
> work?
>

The ssh stuff is working, I can only ssh to the box from the private network, but if I try and ftp to the external address (173.165.202.120) it times out. (give it a try)

> Looks like it's a matter of syntax and what you have is correct. Testing
> has shown you need multiport only when using commas in the port.
>
> First one works, second fails with output following
> wlt Desktop # iptables -A INPUT -p TCP -i eth0 --sport 1024:65535 -j ACCEPT
> wlt Desktop # iptables -A INPUT -p TCP -i eth0 --sport 1024,65535 -j ACCEPT
> iptables v1.4.10: invalid port/service `1024,65535' specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> Change the last one to the following and it works :)
> iptables -A INPUT -p TCP -i eth0 -m multiport --sport 1024,65535 -j ACCEPT
>
> I think you still have to have multiport support in the kernel, with
> either syntax.
>
>> I have to head home to do some more testing from the external side.
>> I'll check my mail when I get there.
>>
>> Thank you for your reply!
>
> No problem, but if you are having problems, you might want to take it one
> step at a time. Do input rules before output. Drop the stateful stuff,
> and then add that back in once you know things are working. Also make
> sure to log anything dropped either way and look at that stuff. It will
> usually help you find out what you did wrong/right, etc.
>
>
> --
> William L. Thomson Jr.
> Obsidian-Studios, Inc.
> http://www.obsidian-studios.com
>
>
> ---------------------------------------------------------------------
> Archive http://marc.info/?l=jaxlug-list&r=1&w=2
> RSS Feed http://www.mail-archive.com/[email protected]/maillist.xml
> Unsubscribe [email protected]
>

