Hello Todd,
The way I am reading your rules, your default policy is accept?
Here are the rules that I use to open ports on a firewall with default policy drop:

    ipchains -A input -s 0/0 unprivports* -d myip* 8080 -p tcp -j ACCEPT
    ipchains -A output -s myip* 8080 -d 0/0 unprivports -p tcp ! -y -j ACCEPT
myip* is the ip address of the interface; this is to drop any spoofed packets. Adding unprivports to the source means that the service is not hacked (I think); basically, no service will connect with a source port < 1024 when a user is using it (e.g. telnet mail.server.com 25 will have a source port > 1024).
The ! is needed, I can't remember why... my memory failed a parity check :)
Hope this helps!
Cheers,
Pieter
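The pair of rules above, worked into a complete default-DROP ruleset. This is an added example, not code from either message in the thread. It assumes a placeholder interface address (MYIP, constructed as 192.0.2.10) standing in for Pieter's "myip", the ephemeral range 1024:65535 for his "unprivports", and a small ipc wrapper that only prints the ipchains commands unless DRY_RUN=0. On the "!" that Pieter could not recall: ipchains -y matches a segment with SYN set and ACK and FIN clear, i.e. a connection request; "! -y" matches everything else, which on the output chain means replies to connections a client already opened. The same flag explains the thread's other puzzle: an input rule with -y admits only the SYN, so under a DROP policy the rest of the connection would be dropped, which is why Pieter's input rule has no -y and why Todd's -y rules only work while his default policy is ACCEPT.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-DROP ipchains
# ruleset following Pieter's pattern. By default the commands are only
# printed (DRY_RUN=1); run as root with DRY_RUN=0 on an ipchains
# (2.2-series) kernel to apply them.
DRY_RUN="${DRY_RUN:-1}"

# MYIP stands in for Pieter's "myip": the address of the listening
# interface. 192.0.2.10 is a constructed documentation address; replace it.
MYIP="${MYIP:-192.0.2.10}"
# Pieter's "unprivports": the ephemeral client range above 1023.
UNPRIVPORTS="1024:65535"

# ipc: run ipchains, or echo the command line when previewing.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# open_tcp_service PORT: the two rules for one listener.
# Input: any TCP segment from an unprivileged source port to MYIP:PORT.
# No -y here: with a DROP policy a -y rule would admit only the SYN and
# every later segment of the connection would be dropped.
# Output: "! -y" admits every segment except a bare SYN, i.e. replies on
# an existing connection; the service cannot originate new outbound
# connections from PORT through this rule.
open_tcp_service() {
    port="$1"
    ipc -A input -p tcp -s 0/0 "$UNPRIVPORTS" -d "$MYIP" "$port" -j ACCEPT
    ipc -A output -p tcp -s "$MYIP" "$port" -d 0/0 "$UNPRIVPORTS" ! -y -j ACCEPT
}

# build_ruleset PORT...: flush, set every chain to DROP, keep loopback
# working, then open the listed services.
build_ruleset() {
    ipc -F
    ipc -P input DROP
    ipc -P output DROP
    ipc -P forward DROP
    ipc -A input -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT
    for p in "$@"; do
        open_tcp_service "$p"
    done
}

# Preview the ruleset for the two ports discussed in the thread.
build_ruleset 443 8080
```

Everything not matched by one of the ACCEPT lines is dropped by the chain policy, so the REJECT lines in Todd's file become unnecessary; the price is that every service the host needs, including outbound DNS or up2date itself, must get its own explicit pair of rules.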
----- Original Message -----
Sent: Tuesday, April 16, 2002 07:43
Subject: firewall after up2date kernel upgrade
I have a virtual server listening on port 8080. (The devel server.) I upgraded the kernel via up2date and now I can't contact the server from outside the machine. A couple months ago when I added a secure server all I did was put:

    -A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT

in /etc/sysconfig/ipchains and it worked. So I was hoping:

    -A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT

would open 8080 back up, but no success. I know the point of the upgrade was to close some ports up, but what do I need to do to get the ones I want open open again?
The build is a vanilla RedHat 7.2 from ISOs. According to RHN my machine is completely up to date as far as errata and upgrades. Here is the contents of my ipchains file:
    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 109 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
    -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
    -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
Thanks for any input,
trwww