On Fri, 07 Mar 2003 22:13:03 +0800, [EMAIL PROTECTED] wrote:

> > On Fri, 07 Mar 2003 13:31:02 +0800, [EMAIL PROTECTED] wrote:
> >
> > > After the following setting of ipchains on 6.2 machine :
> > >
> > > /sbin/ipchains -F
> > > /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
> > >
> > > After the following setting of iptables on 7.2 machine :
> > >
> > > iptables -F
> > > iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> > >
> > > But I can connect to http://ip_address...
> > > So, I want to know why I can connect to http://ip_address with port 80 ?
> >
> > Not enough input. Post the _complete_ output of ipchains-save or
> > iptables-save, respectively.
> 
> For ipchains,
> 
> /sbin/ipchains -F
> /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 21 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 22 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 23 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 25 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 110 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 143 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
> /sbin/ipchains -A input -i eth0 -p udp --dport 113 -j ACCEPT

That's not the output of ipchains-save. It's equivalent only if
these are all your rules. "ipchains-save" is a command that prints
your entire set of rules.

Your listing above shows 12 superfluous rules, because the default
policy in the input chain is ACCEPT. That means, by default, the
input chain accepts everything.

> For iptables,
>
> iptables -F
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 113 -j ACCEPT

That's not the output of iptables-save. It's equivalent only if
these are all your rules. "iptables-save" is a command that prints
your entire set of rules.

Your listing above shows 11 superfluous rules, because the default
policy in the INPUT chain is ACCEPT. That means, by default, the
INPUT chain accepts everything.

> So, any problem of the setting about ipchains and iptables ?

Going back to your original question:

> > > But I can connect to http://ip_address...
> > > So, I want to know why I can connect to http://ip_address with port 80 ?

Yes, you can connect to port 80, because your packet filtering rules
do not reject/drop any packet to port 80. On the other hand, if you
meant to ask why you *cannot* connect via http, you still have not
provided enough information about your server, your client, your
network topology and your complete set of packet filtering rules. So
far the description of your problem scenario has been poor, 
unfortunately.

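The reply's point about ACCEPT rules under a default ACCEPT policy, as an added example that is not part of the original message: a check over `iptables-save` output that counts the ACCEPT rules which follow the last non-ACCEPT rule in each built-in chain. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Reads iptables-save output on stdin and prints, per built-in filter chain:
#   <chain> <policy> <number of ACCEPT rules that cannot change a verdict>
audit_noop_accepts() {
    awk '
        /^\*/ { table = substr($1, 2); next }      # "*filter" opens a table
        table != "filter" { next }
        /^:/ {                                     # ":INPUT ACCEPT [0:0]"
            chain = substr($1, 2)
            if ($2 != "-") { policy[chain] = $2; order[++n] = chain }
            next
        }
        $1 == "-A" {
            target = ""
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "--jump") target = $(i + 1)
            # ACCEPT rules after the last non-ACCEPT rule are no-ops when the
            # policy is ACCEPT: the packet is accepted with or without them.
            if (target == "ACCEPT") trailing[$2]++
            else trailing[$2] = 0
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                print c, policy[c], (policy[c] == "ACCEPT" ? trailing[c] + 0 : 0)
            }
        }'
}

# Constructed sample: one DROP rule, then port rules, default policy ACCEPT.
sample_open() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Same rules under a default-deny INPUT policy: the ACCEPT rules now matter.
sample_closed() { sample_open | sed 's/^:INPUT ACCEPT/:INPUT DROP/'; }

sample_open | audit_noop_accepts
```

On a live host, `iptables-save | audit_noop_accepts` applies the same check to the loaded ruleset.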


