Dear Varun,

There is one option also, '-b', which automatically replaces the -s and -d arguments. It works well with ipchains, but I am not sure about its working in iptables. E.g.

ipchains -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 80 -j ACCEPT -b

is equivalent to

iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 131.107.2.252 -s 131.107.2.253 --sport 80 -j ACCEPT

Regards,
-Yash

Varun Varma wrote:
> Manish,
>
> There seems to be a slight problem with your rule definitions. Basically,
> you are allowing packets to go from the 2 Windoze PCs to the http (80) port
> of the Linux Box, but there is no rule that lets packets come back from the
> Linux Box to the Windoze PC - the reply packets are being dropped. So, for
> every host that you want to allow access to the http port, you should add
> two "symmetric" rules:
>
> iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 --dport 80 -j ACCEPT
>
> iptables -A INPUT -p tcp -d 131.107.2.252 -s 131.107.2.253 --sport 80 -j ACCEPT
>
> This is the basic idea. You may want to investigate using the --state
> directive for fancier/more elegant configuration.
>
> About the connectivity being slow - can't be sure, but it can be because
> you have also blocked DNS queries on 131.107.2.253. At least SSH, by
> default, tries to resolve the hostname for a given IP, and if it can't, gives
> up after some time - and that causes a delay. This is only seen during the
> login time though.
>
> I am assuming here that the webserver is running on 131.107.2.253.
>
> BTW, that was cute - using Microsoft's IP addresses in your example.
>
> Regards,
> -Varun
> --
> Mindframe Software & Services Pvt. Ltd.,
> A-50, Sector-39, NOIDA, U.P. - 201301, India
> http://www.mindsw.com
>
> > hi
> >
> > i have written a simple script. it is for
> >
> > FIREWALL PC IP 131.107.2.253
> > 2 Windows PCs 131.107.2.252, 131.107.2.5
> >
> > ----------------
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 --dport 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 --dport 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 --dport 80 -j ACCEPT
> > -----------------------
> >
> > but i was not able to get connected to my webserver from either of the above
> > PCs
> >
> > then i tried the following with Default drop in all chains
> >
> > ---------------------
> > iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > ---------------------
> >
> > in this case i was able to use http from 131.107.2.253 but not from the
> > other 2 IPs
> >
> > then i tried the following with Default drop in all chains
> > --------------------------
> > iptables -A OUTPUT -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.253 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.252 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > iptables -A INPUT -p tcp -s 131.107.2.5 -d 131.107.2.253 -m mport --port 80 -j ACCEPT
> > -------------------------
> >
> > now i was able to access port 80 from all machines
> >
> > then i did the same for ssh and mysql
> >
> > but connectivity became drastically slow
> > it took a few minutes to connect to the database through my C programs
> >
> > pls help
> > ---
> > Manish Kumar Arya
> > --------------------------------------------
> > While universe
> > {
> >   Object emerges from zero, tends to infinity and finally ends in zero.
> > }
> > --------------------------------------------
> >
> > ================================================
> > To subscribe, send email to [EMAIL PROTECTED] with subscribe in
> > subject header. To unsubscribe, send email to [EMAIL PROTECTED]
> > with unsubscribe in subject header. Archives are available at
> > http://www.mail-archive.com/ilugd%40wpaa.org
> > =================================================

--
Yashpal Nagar
Sys admin
Delhicall Centres GGN
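The stateful ruleset that Varun's reply points at (--state, spelled -m conntrack --ctstate in current iptables), written out as an added example for the setup in this thread; it is not code from any of the posters. It takes the approach the thread converges on: with a DROP policy on OUTPUT, the web server's own reply packets are dropped leaving the box, which is why the extra INPUT rules changed nothing and "-A OUTPUT -j ACCEPT" made it work. Instead of opening OUTPUT entirely, the script accepts ESTABLISHED,RELATED traffic in both directions and only lists the NEW connections that each client may open; it also lets the firewall send its own DNS queries, which is the reverse-lookup delay described for SSH. Assumed, since the thread does not say: SSH on 22, MySQL on 3306, and DNS over port 53. The script prints the ruleset in iptables-restore format rather than calling iptables, so it can be reviewed (or tested) before it is applied.

```shell
#!/bin/sh
# Added example, not from the original thread: a stateful ruleset for the
# firewall/web server 131.107.2.253 and the two clients 131.107.2.252 and
# 131.107.2.5, emitted in iptables-restore format.
# Assumptions: services are HTTP (80), SSH (22), MySQL (3306); the firewall
# needs to resolve names through DNS (port 53).
set -eu

FW=131.107.2.253
CLIENTS="131.107.2.252 131.107.2.5"
PORTS="80 22 3306"

# Print the complete ruleset on stdout.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'

    # Loopback: connections the firewall makes to its own address
    # (the "-s 131.107.2.253 -d 131.107.2.253" case) arrive on lo.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'

    # Replies and related packets of connections already accepted, in both
    # directions. The server's replies leave through OUTPUT, not INPUT, so
    # the mirrored INPUT rules in the thread could never match them.
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Only NEW connections need explicit rules: one per client and port.
    for c in $CLIENTS; do
        for p in $PORTS; do
            printf '%s\n' "-A INPUT -p tcp -s $c -d $FW --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done

    # Let the firewall send its own DNS queries. Without this, sshd's reverse
    # lookup of the client address hangs until it times out (assumed port 53).
    printf '%s\n' \
        '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'

    printf '%s\n' 'COMMIT'
}

# Number of explicit per-client accept rules (clients x ports).
count_new_rules() {
    gen_rules | grep -c -e '^-A INPUT.*--ctstate NEW'
}

# Usage: sh fw.sh print            (review the ruleset)
#        sh fw.sh apply            (load it with iptables-restore, as root)
case "${1:-}" in
    print) gen_rules ;;
    apply) gen_rules | iptables-restore ;;
esac
```

Loading with iptables-restore replaces the whole table atomically, so there is no window where the policy is DROP but the accept rules are not yet in place. Hosts or ports are added by editing CLIENTS and PORTS, not by appending more mirrored rules; the two ESTABLISHED,RELATED lines cover the return traffic for all of them.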
