* a word of caution *

It looks like you're attempting to edit the iptables file in /etc/sysconfig. I wouldn't do this. This file is created every time you execute:

    /etc/rc.d/init.d/iptables save

When you do a "restore" instead of a save, this ruleset is loaded. Since you're just learning about iptables, editing this file is NOT the best approach - I would start by using a simple script that sets things how you need it using the iptables command line directive, and get your ruleset how you want it. Then, I would issue the save directive, reboot, and see how things come up.

Just an idea - perhaps this is what you are doing. :)

-jre

On Sat, Jul 06, 2002 at 09:39:50PM -0600, Ashley M. Kirchner wrote:
> Subject: iptables (new issue)
>
> Thanks to Stephen earlier, I solved one problem, now I have another. The
> following rules work in that they block everything incoming to the server
> except for those services opened, and it allows traffic back and forth to
> and from the internal network. However, from the internal network, I cannot
> get onto the server itself. What do I have to change or add to make folks
> on the private network (192.168.1.0/24) able to get onto the server itself?
>
> Basically I want only those 4 opened ports from the outside to reach the
> server, but anything from the internal network should be able to reach the
> server as well (and right now nothing does) and be able to go out to the net.
>
> Also, if anyone sees some blatant problem with these rules, please let me
> know since I'm still learning about iptables. My requirements are simple:
>
> From the outside:
> - Drop everything incoming to the server except for ports 21, 22, 25 and 80.
>
> From the inside (private) network:
> - Forward traffic from the inside network to the outside world
> - Allow everything in and out of the server itself
>
> From the server itself:
> - Allow everything/anything to go out to the world.
>
> What'd I forget? Here are the current set of rules:
>
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *nat
> :PREROUTING ACCEPT [148:20680]
> :POSTROUTING ACCEPT [10:774]
> :OUTPUT ACCEPT [10:774]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j SNAT --to-source 12.253.88.33
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *filter
> :INPUT DROP [129:18877]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10881:581839]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
>
> --
> Ashley M. Kirchner
> Director of Internet Operations / SysAdmin
> Photo Craft Laboratories, Inc., Boulder, CO
> http://www.pcraft.com

--
joseph r. erlewein
www.erlewein.com
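An added example, written for this thread and not posted by either author: the kind of throwaway script jre recommends, rebuilding Ashley's ruleset from iptables commands rather than editing /etc/sysconfig/iptables by hand. It adds the rule the quoted set is missing (nothing in INPUT accepts packets arriving on the internal interface, so the DROP policy swallows them) and sets FORWARD to a DROP policy, since the two FORWARD rules already cover the stated requirements. Assumptions: the outside interface is eth0 as in the quoted rules, the inside interface is eth1 (the thread never names it), and the commands are only printed unless APPLY=1 is set so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): build the ruleset with iptables
# commands, as jre suggests, instead of hand-editing /etc/sysconfig/iptables.
# Assumption: outside interface eth0 (from the poster's rules), inside
# interface eth1 (not stated in the thread, adjust as needed).
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="192.168.1.0/24"
PUBLIC_IP="12.253.88.33"        # SNAT source address from the poster's rules
# By default the commands are only printed; run with APPLY=1 as root to load them.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP             # default deny; the two FORWARD rules below cover the requirements
    ipt -P OUTPUT ACCEPT            # "from the server itself: allow anything out"
    ipt -A INPUT -i lo -j ACCEPT
    # The rule the poster's set lacks: nothing accepts packets arriving on the
    # inside interface, so INPUT's DROP policy swallows them.
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the four public services, and only new TCP connections (the udp
    # 21/22/80 rules in the original match nothing these services use).
    for port in 21 22 25 80; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Inside -> outside forwarding, and the replies coming back.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$PUBLIC_IP"
}

# Quick self-check on the generated commands: count the INPUT rules that
# accept traffic arriving on a given interface (0 for eth1 = the original bug).
input_accepts_on() {
    build_rules | grep -c -- "-A INPUT -i $1 .*-j ACCEPT"
}

build_rules
```

Once the printed rules look right, `APPLY=1 sh fw.sh` loads them, and `/etc/rc.d/init.d/iptables save` records them as jre describes.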