LinuxSir.cn, the Linuxsir that travels through time!
Views: 1449 | Replies: 4

Moderator, help: How to open ports using iptables while the firewall is enabled?

Posted 2005-10-27 10:35:43
In another posting I already had some discussion about this, but I would like to open a new one, since the old one is mixed up with other questions.

I want to enable the firewall and at the same time use iptables to open some ports....sounds like a super easy mission, but it is deceptively easy.....

1. "iptables -F " to clean up everything.
2. system-config-securitylevel, just enable firewall, nothing else. don't add any trusted ports/devices or other port.
3. then use iptables to add a rule to open ports. For example, open telnet port 23

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 23 -j ACCEPT

4. service iptables save
5. try to telnet from 192.168.x.x, but it failed. ?????

Of course I can use gui to add telnet port 23, but how about if I want to open ports from 1 to 1024?  You don't expect me to add them one by one on the gui, right?

Any reply will be greatly appreciated...I have spent so much time trying to figure it out.....in infinite despair......
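An added example (editor's code, not from any poster) of why the procedure above fails on a Red Hat/Fedora host. system-config-securitylevel writes and loads its own ruleset in which the first rule of INPUT jumps to a private chain, RH-Firewall-1-INPUT (the chain that appears in the saved file quoted later in this thread), and the last rule of that chain is `-j REJECT --reject-with icmp-host-prohibited`. A rule appended with `-A INPUT` lands after the jump, so every packet is rejected before it is consulted, and `service iptables save` records it in that unreachable position. The script inserts the ACCEPT into RH-Firewall-1-INPUT ahead of the REJECT instead. The function names and the sample `iptables -L` listing used to exercise the parser are the editor's constructions; the listing mirrors the tool's default rules but is not captured from a real host. Telnet carries passwords in the clear, so limiting it to 192.168.0.0/24 is a mitigation, not a substitute for ssh.

```shell
#!/bin/sh
# Added example, not code from the thread: open tcp/23 for one subnet on a
# host whose ruleset came from system-config-securitylevel. INPUT jumps to
# RH-Firewall-1-INPUT, whose final rule is "-j REJECT", so an "-A INPUT"
# rule is never reached; the ACCEPT must go into RH-Firewall-1-INPUT
# before that REJECT.

CHAIN=RH-Firewall-1-INPUT

# reject_rule_num: read "iptables -L $CHAIN -n --line-numbers" output on
# stdin and print the rule number of the first REJECT rule, or 0 if none.
# Column 1 is the rule number, column 2 the target; the "Chain ..." and
# "num target ..." header lines have no REJECT in column 2.
reject_rule_num() {
    awk 'hit == 0 && $2 == "REJECT" { print $1; hit = 1 }
         END { if (hit == 0) print 0 }'
}

# open_tcp_port SUBNET PORT: insert the ACCEPT just before the REJECT, or
# append it when the chain has no REJECT yet. Needs root and live iptables.
open_tcp_port() {
    pos=$(iptables -L "$CHAIN" -n --line-numbers | reject_rule_num)
    if [ "$pos" -eq 0 ]; then
        iptables -A "$CHAIN" -s "$1" -p tcp -m tcp --dport "$2" \
            -m state --state NEW -j ACCEPT
    else
        iptables -I "$CHAIN" "$pos" -s "$1" -p tcp -m tcp --dport "$2" \
            -m state --state NEW -j ACCEPT
    fi
}

# Constructed sample (editor's, not from a real host) of what
# "iptables -L RH-Firewall-1-INPUT -n --line-numbers" prints with the
# tool's default rules loaded.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# sample_insert_position: the slot the new ACCEPT takes in the sample,
# i.e. the number of the REJECT rule it is inserted in front of.
sample_insert_position() {
    printf '%s\n' "$SAMPLE_LISTING" | reject_rule_num
}

# Real use, as root, then persist the result:
#   open_tcp_port 192.168.0.0/24 23 && service iptables save
```

After inserting, `iptables -L RH-Firewall-1-INPUT -n --line-numbers` should show the new ACCEPT immediately above the REJECT; if it is listed below, the position was wrong and the port is still closed.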
Posted 2005-10-27 12:50:53
2. system-config-securitylevel, just enable firewall, nothing else. don't add any trusted ports/devices or other port.

OK, iptables -F cleans up all the rules,
and why do you use system-config-securitylevel to enable the firewall??
iptables -F just cleans all chains but does not disable iptables; iptables is still working without any rule,
then you can add your rule.

first iptables -F
then iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 23 -j ACCEPT
and try telnet
I remember that the default rule after all rules should be deny all (just like Cisco's router)

and the ports are opened by services; the firewall is just a filter

OP | Posted 2005-10-28 09:27:14
I understand what you are replying and that works for me, but my point here is:

Can we enable firewall and at the same time use iptables to open some ports
instead of adding trusted ports or other ports on the gui?   

The answer seems "NO".

Now back to your suggestion of using iptables ALONE.  There are still some problems I can't figure out.  If I set the rule for one specific port, it works fine, but if I try to set a range of ports, it starts behaving weirdly.....Please help me....

1. Set the default policy of the filter table
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

2. open ports 1:1024 (tcp, udp; INPUT, FORWARD, OUTPUT)
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 1:1024 -j ACCEPT

3. block 1025:65535 (or any very big number). This might not be necessary, since the default policy is already DROP
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 1025:65535 -j DROP

However, this rule sometimes works and sometimes not...I use telnet to test...sometimes I can telnet, but sometimes not...it seems dynamic.....very confused..

I noticed that in /etc/sysconfig/iptables these numbers are changing all the time...I don't set those numbers...where do they come from?

:INPUT ACCEPT [489:35793]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6258:473447]
:RH-Firewall-1-INPUT - [0:0]

I also tried to set the default policy of the filter table to ACCEPT, and then block 1025:65535, but same problem...sometimes it is ok, sometimes not.....

Please help me...thankssssssssssssssssssss

Can anyone give an example of your iptables file, not just one rule.....the whole setting....a global picture....for example, if you want to block all ports except 1:1024.....
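An added example (editor's code, not from any poster) answering the request for a whole file: a script that emits a complete /etc/sysconfig/iptables in iptables-restore format, the same format `service iptables save` writes, allowing one subnet to reach tcp and udp ports 1:1024 and rejecting every other inbound connection. It keeps the Red Hat layout (INPUT and FORWARD jump to RH-Firewall-1-INPUT, which ends in a REJECT) so the file still matches what system-config-securitylevel produces. Three practitioner points it bakes in: the chain policies stay ACCEPT and the final REJECT does the blocking, because a DROP policy on OUTPUT with no matching rules also drops the server's own replies, so the telnet test in the post above cannot succeed under policy set 1; an ESTABLISHED,RELATED rule and an `lo` rule come first, or return traffic and local services break; and loading through iptables-restore is atomic, so the question of whether to set the policy before or after the rules does not arise. The bracketed numbers in the saved file (`[489:35793]` and so on) are packet:byte counters that iptables-save records for each chain at the moment of saving, not configuration, which is why they differ on every save. The function names `gen_rules` and `last_rule` are the editor's; 192.168.0.0/24 and 1:1024 are the values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset
# (the /etc/sysconfig/iptables format) that lets one subnet reach tcp/udp
# ports in a range and rejects all other inbound connections, using the
# Red Hat RH-Firewall-1-INPUT layout so later "service iptables save" runs
# keep the same shape.

# gen_rules SUBNET PORTRANGE: print the ruleset on stdout.
gen_rules() {
    lan="$1"      # e.g. 192.168.0.0/24 (value from the thread)
    ports="$2"    # iptables range syntax, e.g. 1:1024
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -p tcp -m tcp --dport $ports -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s $lan -p udp -m udp --dport $ports -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# last_rule SUBNET PORTRANGE: print the final -A line of the generated
# ruleset. Any rule that ends up below the REJECT in RH-Firewall-1-INPUT
# can never match, so checking that the REJECT is last catches a
# mis-ordered file before it is loaded.
last_rule() {
    gen_rules "$1" "$2" | grep '^-A' | tail -n 1
}

# Apply as root, either directly or through the init script:
#   gen_rules 192.168.0.0/24 1:1024 | iptables-restore
#   gen_rules 192.168.0.0/24 1:1024 > /etc/sysconfig/iptables && service iptables restart
```

The explicit `-A RH-Firewall-1-INPUT ... --dport 1025:65535 -j DROP` rule from step 3 is not needed: anything the ACCEPT rules do not match falls through to the REJECT. REJECT rather than DROP is used so a blocked client gets an immediate ICMP error instead of a hanging connect, which is also what makes "sometimes it works" behaviour easier to diagnose.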

Posted 2005-10-28 13:18:23
1. make sure there are no other things affecting you, because once you set up iptables, it wouldn't do something like "allow this moment" and "deny another time"...
2. You might want to remove that "-p tcp" and see if that will help

Posted 2005-10-29 00:39:35

try it:

change the order 1-2-3 into 2-3-1, maybe that will work