Michael Schwendt wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 07 Mar 2003 22:13:03 +0800, [EMAIL PROTECTED] wrote:
>
> > > On Fri, 07 Mar 2003 13:31:02 +0800, [EMAIL PROTECTED] wrote:
> > >
> > > > After the following setting of ipchains on 6.2 machine :
> > > >
> > > > /sbin/ipchains -F
> > > > /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
> > > >
> > > > After the following setting of iptables on 7.2 machine :
> > > >
> > > > iptables -F
> > > > iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> > > >
> > > > But I can connect to http://ip_address...
> > > > So, I want to know why I can connect to http://ip_address with port 80 ?
> > >
> > > Not enough input. Post the _complete_ output of ipchains-save or
> > > iptables-save, respectively.
> >
> > For ipchains,
> >
> > /sbin/ipchains -F
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 20 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 21 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 22 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 23 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 25 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 80 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 53 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p udp --dport 53 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 110 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 143 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p tcp --dport 113 -j ACCEPT
> > /sbin/ipchains -A input -i eth0 -p udp --dport 113 -j ACCEPT
>
> That's not the output of ipchains-save. It's equivalent only if
> these are all your rules. "ipchains-save" is a command that prints
> your entire set of rules.
>
> Your listing above shows 12 superfluous rules, because the default
> policy in the input chain is ACCEPT. That means, by default, the
> input chain accepts everything.
>
> > For iptables,
> >
> > iptables -F
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> > iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
> > iptables -A INPUT -i eth0 -p tcp --dport 113 -j ACCEPT
>
> That's not the output of iptables-save. It's equivalent only if
> these are all your rules. "iptables-save" is a command that prints
> your entire set of rules.
>
> Your listing above shows 11 superfluous rules, because the default
> policy in the INPUT chain is ACCEPT. That means, by default, the
> INPUT chain accepts everything.
>
> > So, any problem of the setting about ipchains and iptables ?
>
> Going back to your original question:
>
> > > > But I can connect to http://ip_address...
> > > > So, I want to know why I can connect to http://ip_address with port 80 ?
>
> Yes, you can connect to port 80, because your packet filtering rules
> do not reject/drop any packet to port 80. On the other hand, if you
> meant to ask why you *cannot* connect via http, you still have not
> provided enough information about your server, your client, your
> network topology and your complete set of packet filtering rules. So
> far the description of your problem scenario has been poor,
> unfortunately.

Now, I want to know how to allow users to connect to only some of the ports (services)
using ipchains and iptables.
e.g.: allow users to connect to ports 80 (http) and 53 (DNS) only...

Thanks for your help!




-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
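As an added example (not code from anyone in this thread), the following script answers the closing question for the iptables box and, at the same time, illustrates the earlier reply's point that ACCEPT rules achieve nothing while the chain policy is ACCEPT. It prints a complete iptables-restore ruleset whose INPUT policy is DROP and which opens only 80/tcp and 53/tcp+udp (plus loopback and replies to connections the host itself opened), and it emulates first-match chain evaluation so the effect of the policy can be seen without root or a real kernel. The interface name eth0 is taken from the thread; the use of `-m state` follows the poster's iptables 1.2-era rules; everything else (function names, the shorthand rule format, the port 31337 probe) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here needs root: the ruleset is
# only printed; feed it to iptables-restore yourself once you have reviewed it.
# Assumed: interface eth0 (as in the thread), iptables with the state match.

# Emit a complete iptables-restore ruleset: INPUT policy DROP, then only the
# holes that are actually wanted. Order matters: first match wins.
allow_only_web_dns() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Policy of the INPUT chain as declared in the ruleset above ("DROP").
input_policy() {
  allow_only_web_dns | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Emulate first-match evaluation of a chain built from "proto:dport:target"
# rules: the first rule whose protocol and destination port both match
# decides; if none matches, the chain policy applies.
# Usage: verdict POLICY PROTO DPORT rule...
verdict() {
  policy=$1; proto=$2; dport=$3; shift 3
  for rule in "$@"; do
    r_proto=${rule%%:*}
    rest=${rule#*:}
    r_port=${rest%%:*}
    r_target=${rest#*:}
    if [ "$r_proto" = "$proto" ] && [ "$r_port" = "$dport" ]; then
      echo "$r_target"
      return 0
    fi
  done
  echo "$policy"
}

# The poster's ipchains list reduced to the shorthand. Every rule says ACCEPT
# and the policy is ACCEPT, so no packet can ever be refused by this chain.
THREAD_RULES="tcp:20:ACCEPT tcp:21:ACCEPT tcp:22:ACCEPT tcp:23:ACCEPT tcp:25:ACCEPT
tcp:80:ACCEPT tcp:53:ACCEPT udp:53:ACCEPT tcp:110:ACCEPT tcp:143:ACCEPT
tcp:113:ACCEPT udp:113:ACCEPT"

# The rules from allow_only_web_dns in the same shorthand (policy DROP).
WEB_DNS_RULES="tcp:80:ACCEPT tcp:53:ACCEPT udp:53:ACCEPT"

# Verdicts for a port the poster wanted open and for one never listed
# (31337 is an arbitrary probe port chosen for this example).
poster_port80()    { verdict ACCEPT tcp 80    $THREAD_RULES; }
poster_port31337() { verdict ACCEPT tcp 31337 $THREAD_RULES; }
locked_port80()    { verdict DROP   tcp 80    $WEB_DNS_RULES; }
locked_udp53()     { verdict DROP   udp 53    $WEB_DNS_RULES; }
locked_port23()    { verdict DROP   tcp 23    $WEB_DNS_RULES; }

printf 'policy ACCEPT, tcp/80    -> %s\n' "$(poster_port80)"
printf 'policy ACCEPT, tcp/31337 -> %s  (the 12 ACCEPT rules change nothing)\n' "$(poster_port31337)"
printf 'policy DROP,   tcp/80    -> %s\n' "$(locked_port80)"
printf 'policy DROP,   udp/53    -> %s\n' "$(locked_udp53)"
printf 'policy DROP,   tcp/23    -> %s  (telnet is now closed)\n' "$(locked_port23)"
printf '\nRuleset for iptables-restore:\n'
allow_only_web_dns
```

For the ipchains box the same idea applies with `ipchains -P input DENY` (ipchains uses DENY/REJECT rather than DROP) followed by ACCEPT rules for 80/tcp and 53/tcp+udp; ipchains has no state match, so return traffic for outbound connections is usually admitted with a rule matching `-p tcp ! -y`, which accepts TCP segments that are not connection-opening SYNs. Whichever tool is used, check the result with `iptables-save` or `ipchains-save`, as the reply asked, and confirm the policy line reads DROP or DENY before trusting the rules.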