Re: editing /etc/sysconfig/iptables to fix DNS problem

From: /dev/rob0 (rob0_at_gmx.co.uk)
Date: 08/20/03


Date: Tue, 19 Aug 2003 19:59:02 -0700

In article <aba9f5d4.0308191649.690dfd49@posting.google.com>,
  Patrick Cairpre wrote:
> Running Redhat 9
> I just edited the file by hand adding access from port 53. The file
> says this is not the recommended procedure.
>
> It seems to be fine now, but I thought I should ask if this is really
> a mistake and what else I could have or should have done

That's a Red Hat question. I don't know. Your way would work, but you
did make a mistake.

> # Note: ifup-post will punch the current nameservers through the
> # firewall; such entries will *not* be listed here.

Check ifup-post and see what rules it adds.

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m tcp --dport 53 --syn -j ACCEPT

The second should be "udp" ... well that might not matter; on most
systems (depending how the kernel is configured I guess) the -m is
unnecessary. "-p udp" loads the udp module.

Another problem: you don't really want this in your INPUT chain, just
perhaps OUTPUT and FORWARD. Is this box a firewall/router for your local
network? If not, you don't need FORWARD at all. Hmmm, maybe something
else was wrong?

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
> [snip]
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT

You want FTP and telnet open? Unless you're providing anonymous FTP
service, and you probably shouldn't mess with that at this point, ssh
does this *much* better.

Anyway, that is a horrid firewall! It's an old ipchains firewall, with
no stateful inspection whatsoever. I recommend that you toss it and get
something strong like MonMotha's firewall. After you edit and run that,
do this:
    iptables-save > /etc/sysconfig/iptables
and your rules will be saved.

You could even write a stateful firewall yourself. There's a simple
example of it in the Packet-Filtering-HOWTO at www.netfilter.org, and
you just add on INPUT rules to open ports where you want to provide
external access.

-- 
  /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
  or put "not-spam" or "/dev/rob0" in Subject header to reply
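To show concretely what "stateful" buys you for the DNS problem in the thread, here is an added example written for this page (not rob0's code, not MonMotha's script, and not the Packet-Filtering-HOWTO example). It is a minimal ruleset in `iptables-save`/`iptables-restore` format for a single host that resolves names as a client; it assumes, as an editorial assumption, that the box is not a router for a LAN, so FORWARD is simply dropped. DNS answers get back in through connection tracking (`-m state --state ESTABLISHED,RELATED`), so no port-53 rule is needed on INPUT at all, which is the point the reply makes about the quoted rules. The only inbound service opened is ssh, in place of the FTP and telnet rules from the original file.

```shell
#!/bin/sh
# Added example, not from the original post: a small stateful iptables ruleset
# for a non-router host, emitted in iptables-restore format.
# Assumption: this machine forwards nothing for a local network.

# Print the ruleset; nothing touches the kernel until it is piped to iptables-restore.
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to flows this host started (DNS answers, web, ...) come back through
# conntrack; a resolver client needs no port-53 rule on INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known flow are dropped
-A INPUT -m state --state INVALID -j DROP
# the one service offered to the outside: ssh instead of FTP/telnet
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text (no root needed): returns 0 when the
# stateful rule is present and INPUT does not open port 53.
check_ruleset() {
    rules=$(stateful_ruleset)
    printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED' || return 1
    printf '%s\n' "$rules" | grep -q -- '-A INPUT .*--dport 53' && return 1
    return 0
}

# Usage as root, then persist the live rules the way the reply describes:
#   stateful_ruleset | iptables-restore
#   iptables-save > /etc/sysconfig/iptables
```

If the host also runs a nameserver for other machines, that is the one case where a `--dport 53` rule (udp, and tcp for zone transfers and large answers) belongs on INPUT; add it next to the ssh rule rather than reopening the old ipchains-style list.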

