[lug] simple iptables mystery
D. Stimits
stimits at attbi.com
Fri Mar 21 17:19:00 MST 2003
Hugh Brown wrote:
> On Thu, 2003-03-06 at 21:25, D. Stimits wrote:
>
> >On a RH 8 (KRUD) box, I have a mystery, which should not be happening. I
> >admit I know very little about iptables, I've used ipchains forever, but
> >this is so simple I don't understand why it won't work. In
> >/etc/sysconfig/ is the iptables file (and I run service iptables restart
> >after changes). I am trying to get it to accept anything on the private
> >eth0 NIC (it has another NIC for outside world), and the following fails
> >to allow anything below port 1024 in:
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >:RH-Lokkit-0-50-INPUT - [0:0]
> >-A INPUT -j RH-Lokkit-0-50-INPUT
> >
> >-A RH-Lokkit-0-50-INPUT -s 0/0 -d 0/0 -i eth0 -j ACCEPT
> >
>
>
> The config that redhat created for me puts a COMMIT at the bottom.
>
> You could also try doing 'service iptables stop'
>
> iptables --policy INPUT ACCEPT
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
> iptables -A INPUT -j RH-Lokkit-0-50-INPUT
> iptables -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
>
> and then do an iptables-save to see how it outputs the info
>
I actually got this working, and I'm still not sure exactly what got it
to work. However, the process that did it was to start by removing the
RH-Lokkit-0-50-INPUT chain, then making a custom chain for lo, one for
eth0 input, and another for NOT eth0 input (the lo chain precedes
!eth0). After I separated it and did things specific to chains that
applied to only one NIC, it worked. With multiple NICs, I'd have to say
that this is easier to manage too.
D. Stimits, stimits AT attbi DOT com
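An added example, not code from anyone in this thread: the lo / eth0 / not-eth0 chain layout described above, written as an /etc/sysconfig/iptables file in iptables-save format, plus a small awk lint for the two mistakes that make such a file silently load nothing, the missing COMMIT Hugh mentioned and a jump to a chain that was never declared. The chain names, the 10.0.0.0/24 private subnet and the ssh rule on the outside NIC are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: the per-interface chain layout
# the reply describes (lo, eth0, and everything-but-eth0), written in the
# iptables-save format that /etc/sysconfig/iptables expects, plus a small
# lint for the two mistakes that make such a file silently load nothing.
# Chain names, the 10.0.0.0/24 private subnet and the port 22 rule are
# assumptions for illustration.

ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LO-IN - [0:0]
:ETH0-IN - [0:0]
:NOT-ETH0-IN - [0:0]
# Dispatch on interface; lo is matched before the "not eth0" catch-all
-A INPUT -i lo -j LO-IN
-A INPUT -i eth0 -j ETH0-IN
-A INPUT ! -i eth0 -j NOT-ETH0-IN
-A LO-IN -j ACCEPT
# Private NIC: accept only the private subnet (assumed 10.0.0.0/24)
-A ETH0-IN -s 10.0.0.0/24 -j ACCEPT
-A ETH0-IN -j DROP
# Outside NIC: replies to our own connections, ssh, nothing else
-A NOT-ETH0-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A NOT-ETH0-IN -p tcp --dport 22 -j ACCEPT
-A NOT-ETH0-IN -j DROP
COMMIT
EOF
}

# Lint an iptables-restore file read on stdin: every -j target must be a
# built-in target or a chain declared with a ":NAME" line, and every table
# must be closed by COMMIT. Exit status 0 when clean, 1 otherwise.
lint_ruleset() {
  awk '
    BEGIN {
      bad = 0; seen_table = 0; committed = 0
      split("ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT", t, " ")
      for (k in t) builtin[t[k]] = 1
    }
    /^\*/ {                       # start of a new table
      if (seen_table && !committed) { print "table not committed"; bad = 1 }
      seen_table = 1; committed = 0; next
    }
    /^:/  { name = $1; sub(/^:/, "", name); declared[name] = 1; next }
    /^COMMIT/ { committed = 1; next }
    /^-A / {
      target = ""
      for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
      if (target != "" && !(target in builtin) && !(target in declared)) {
        print "undeclared chain: " target; bad = 1
      }
      next
    }
    END {
      if (seen_table && !committed) { print "missing COMMIT"; bad = 1 }
      exit bad
    }
  '
}

# Usage: lint first, then install and load with service iptables restart
ruleset | lint_ruleset && echo "ruleset OK"
# ruleset > /etc/sysconfig/iptables && service iptables restart
```

iptables-restore reads the file in one pass, so the ':NAME - [0:0]' declarations have to come before any -A line that jumps to them, and each table must end with COMMIT or none of its rules are loaded. One caveat on syntax: the iptables 1.2.x releases of that era wrote interface negation as '-i ! eth0' rather than '! -i eth0'; use whichever form your own iptables-save prints.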