Diego,
First the ping problem. If I am reading your rules correctly, it seems
that you are trying to allow pings from an external computer with the
last rule in the INPUT chain. However, I think the rule above it will
catch everything so your last rule never gets any packets. If you really
want to allow ICMP from outside, put the ICMP rule before the last
'drop-and-log-it' rule.
Second, to allow external access to server software you need a rule such
as :
iptables -A INPUT -i eth0 -p <protocol> --dport <port> -m state --state
NEW -j ACCEPT
where <protocol> is tcp or udp, and <port> is the tcp/udp port number
for the server. So, if I wanted to allow SSH login to my the machine I
would insert the following command in the INPUT chain before the
'drop-and-log-it' rules:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j
ACCEPT
If these changes don't work, then please post rc.firewall.
Hope this helps!
-Adrian
On Tue, 2002-07-23 at 21:23, diego henao wrote:
> Hey thanks for answering my email I really appreciate this. As you which
> I will paste the information you requested from my system. Thanks again.
>
> Diego
>
> [root@CaBeSeRvEr /]# iptables -L -n -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 3173 161K ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
> 14952 2301K ACCEPT all -- eth1 * 192.168.0.0/24
> 0.0.0.0/0
> 0 0 drop-and-log-it all -- eth0 * 192.168.0.0/24
> 0.0.0.0/0
> 289 75538 ACCEPT all -- eth0 * 0.0.0.0/0
> 65.35.138.193 state RELATED,ESTABLISHED
> 1742 527K drop-and-log-it all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
> 65.35.138.193
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 1460K 949M ACCEPT all -- eth0 eth1 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 1862K 1842M ACCEPT all -- eth1 eth0 0.0.0.0/0
> 0.0.0.0/0
> 0 0 drop-and-log-it all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 3173 161K ACCEPT all -- * lo 0.0.0.0/0
> 0.0.0.0/0
> 33 9013 ACCEPT all -- * eth1 65.35.138.193
> 192.168.0.0/24
> 13802 2554K ACCEPT all -- * eth1 192.168.0.0/24
> 192.168.0.0/24
> 0 0 drop-and-log-it all -- * eth0 0.0.0.0/0
> 192.168.0.0/24
> 396 79113 ACCEPT all -- * eth0 65.35.138.193
> 0.0.0.0/0
> 0 0 drop-and-log-it all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain drop-and-log-it (5 references)
> pkts bytes target prot opt in out source
> destination
> 1742 527K LOG all -- * * 0.0.0.0/0
> 0.0.0.0/0 LOG flags 0 level 6
> 1742 527K DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
> [root@CaBeSeRvEr /]#
>
> -----Original Message-----
> From: slug@lists.nks.net [mailto:slug@lists.nks.net] On Behalf Of Adrian
> deLisser
> Sent: Tuesday, July 23, 2002 6:26 AM
> To: slug@nks.net
> Subject: Re: [SLUG] Question
>
> Diego,
>
> Please post the output from the command:
>
> iptables -L -n -v
>
> -Adrian
>
> On Sun, 2002-07-21 at 21:03, diego henao wrote:
> > This is me again. I sent an email long time ago regarding information
> > about iptables. Well, I have not been able to set up my server
> > correctly. I will explain to you what's going on again. I have Red Hat
> > Linux 7.3. I have set up NAT also because I have a Windows XP behind
> > this machine ( This is for my sister) ahhaah. I got a file with the
> > rules for the firewall; it is called rc.firewall. The Ip masquerade is
> > working wonderful. In addition, I don't have a static ip; therefore,
> > what I did was I got a dynamic ip from www.dtdns.com
> > <http://www.dtdns.com/> .
> >
> > The problem starts when someone from another network or computer
> > different from mine tries to access my server, even though; the person
> > tries just a simple ping. Apparently, my machine is not there; it is
> > dead aahahahaha.
> >
> > Finally, I know the dynamic ip is working because when you do a ping
> > from any computer outside, you can see the system converting the ip to
> > dns. My dynamic domain is cabezas.darktech.org.
> >
> > Below here I am attaching some information I think is necessary to
> find
> > out what the problem is. I think the problem is iptables, but I am not
> > sure. I will keep reading about iptables, I am not an expert, but We
> > will see..
> >
> > Any collaboration is thanked.
> >
> > Thanks a lot Diego..
> >
> > Information
> >
> > [root@CaBeSeRvEr root]# iptables -L
> > Chain INPUT (policy DROP)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- 192.168.0.0/24 anywhere
> > drop-and-log-it all -- 192.168.0.0/24 anywhere
> > ACCEPT all -- anywhere
> > 6535138hfc193.tampabay.rr.comstate RELA
> > TED,ESTABLISHED
> > drop-and-log-it all -- anywhere anywhere
> >
> > Chain FORWARD (policy DROP)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere state
> > RELATED,ESTABL
> > ISHED
> > ACCEPT all -- anywhere anywhere
> > drop-and-log-it all -- anywhere anywhere
> >
> > Chain OUTPUT (policy DROP)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- 6535138hfc193.tampabay.rr.com 192.168.0.0/24
> > ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
> > drop-and-log-it all -- anywhere 192.168.0.0/24
> > ACCEPT all -- 6535138hfc193.tampabay.rr.com anywhere
> > drop-and-log-it all -- anywhere anywhere
> >
> > Chain drop-and-log-it (5 references)
> > target prot opt source destination
> > LOG all -- anywhere anywhere LOG level
> > info
> > DROP all -- anywhere anywhere
> >
> >
> > [root@CaBeSeRvEr root]# iptables -V
> > iptables v1.2.5
> > [root@CaBeSeRvEr root]#
> >
> >
>
>
>
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 14:23:37 EDT