Original poster
Posted on 2005-10-28 09:27:14
I understand what you are replying, and that works for me, but my point here is:
Can we enable the firewall and at the same time use iptables to open some ports
instead of adding trusted ports or other ports in the GUI?
The answer seems to be "NO".
Now back to your suggestion of using iptables ALONE. There are still some problems I can't figure out. If I set the rule for one specific port, it works fine, but if I try to set a range of ports, it starts acting weird... Please help me...
1. Set the default policy for the filter table
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
2. Open ports 1:1024 (tcp, udp; INPUT, FORWARD, OUTPUT)
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 1:1024 -j ACCEPT
3. Block 1025:65535 (or any very big number). This might not be necessary, since the default policy is already DROP
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 1025:65535 -j DROP
However, this rule sometimes works and sometimes not... I use telnet to test... sometimes I can telnet, but sometimes not... it seems dynamic... very confused...
I noticed that in /etc/sysconfig/iptables these numbers are changing all the time... I don't set those numbers... where do they come from?
:INPUT ACCEPT [489:35793]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6258:473447]
:RH-Firewall-1-INPUT - [0:0]
I also tried to set the default policy of the filter table to ACCEPT, and then block 1025:65535, but same problem... sometimes it is ok, sometimes not...
Please help me...thankssssssssssssssssssss
Can anyone give an example of your iptables file, not just one rule... the whole setting... a global picture... for example, you want to block all ports except 1:1024...
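A complete filter table for the setup described in this post (LAN 192.168.0.0/24, ports 1:1024 open, default DROP), as an added example that is not part of the thread. It assumes the classic `-m state` match is available, and it also decodes the `[packets:bytes]` counters on the `:CHAIN` lines that the poster asked about.

```shell
#!/bin/sh
# Added example, not from the thread: a complete filter table for the
# scenario in the post (LAN 192.168.0.0/24, allow ports 1:1024 inbound,
# everything else dropped), in the format iptables-restore reads, plus a
# helper that decodes the [packets:bytes] counters seen on the :CHAIN lines.

LAN_NET="192.168.0.0/24"   # LAN range taken from the post

# Print the whole filter table. Because the policies are DROP, only the
# rules listed here let traffic through; order matters (first match wins).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open, or local daemons and the resolver stop working.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Let replies to already-accepted connections flow both ways. Without this,
# OUTPUT DROP discards the server's own answers to an allowed telnet session.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections from the LAN to ports 1:1024 only, TCP and UDP.
-A INPUT -p tcp -s ${LAN_NET} --dport 1:1024 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s ${LAN_NET} --dport 1:1024 -j ACCEPT
# Redundant with the DROP policy, but it gets its own hit counter in
# 'iptables -L INPUT -v -n', which helps when testing with telnet.
-A INPUT -p tcp -s ${LAN_NET} --dport 1025:65535 -j DROP
COMMIT
EOF
}

# Decode one ":CHAIN POLICY [packets:bytes]" line into "CHAIN packets bytes".
# These counters are statistics written by iptables-save (the Red Hat init
# script saves them on shutdown), not settings, so they change every time.
chain_counters() {
    printf '%s\n' "$1" |
        sed -n 's/^:\([^ ]*\) [^ ]* \[\([0-9]*\):\([0-9]*\)]$/\1 \2 \3/p'
}

# Apply with:  ruleset | iptables-restore
# Persist on Red Hat with:  iptables-save > /etc/sysconfig/iptables
```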