On 2/17/07, Robert Spangler lazydog@zoominternet.net wrote:
On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
I am setting up a firewall on CENTOS 4.4.
I have enabled ICMP to www.google.com
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
traceroute uses UDP with port 33434 by default.
While this is true for a starting point, this is not the whole story.
Traceroute starts on this port, but every time it sends out a packet the port number is increased automatically. Why? Simple: the TTL is exceeded, so traceroute sends out on the next port in numerical order. Thus traceroute needs more than 33434 open; there should be a range of ports open. Traceroute does not always start on this port either, I have found out. Sometimes it starts on a higher port, but only by a few hops.
I wrote the 2 rules below
iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT
iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
I have the following (I do not restrict the traceroute destination):
-A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at the top of your INPUT chain.
I have included ESTABLISHED,RELATED at the top of my INPUT chain as below
#Allow established,related traffic to come back
#(for OUTPUT traffic to come back)
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
But without an INPUT statement it does not work. BUT for TCP OUTPUT traffic, that will be applicable. But for other than TCP (i.e. UDP and ICMP) I will have to include an INPUT statement.
A few OUTPUT rules for which I need an INPUT statement are given below. (not TCP)
#UDP
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#ICMP (for ping www.google.com)
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
And this is for TCP (it does not need an INPUT statement; it works fine)
iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT
Please explain why.
Then I tried as below
[snip]
But Still the same.
WHY?
I'm placing my money on the port settings.
If my rules are wrong, can you rectify them?
See above.
--
Regards Robert
Smile... it increases your face value!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
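An added example, not part of either poster's message: the script below generates a ruleset in iptables-restore syntax that accepts ESTABLISHED,RELATED for every protocol instead of only for tcp, which is what lets the DNS, ping and traceroute OUTPUT rules work without a matching INPUT rule (conntrack tracks UDP and ICMP flows, and the ICMP TTL-exceeded errors traceroute relies on come back as RELATED). It also computes the traceroute destination port range from the base port, hop count and probes per hop rather than using a fixed window. The addresses and interface are the ones from the thread; the default hop and probe counts, the iptables-restore usage and the extra +1 on the range (to cover the classic BSD traceroute, which starts one port above the base) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset whose
# ESTABLISHED,RELATED rule is not restricted to one protocol, so per-protocol
# INPUT rules for DNS replies, echo replies and traceroute's ICMP errors are
# unnecessary. Addresses and interface are from the thread; defaults below are assumptions.

LAN_IP="${LAN_IP:-192.168.101.60}"   # firewall's own address (from the thread)
IFACE="${IFACE:-eth0}"
GOOGLE="${GOOGLE:-64.233.189.104}"   # ping/traceroute target used in the thread

# traceroute uses one destination port per probe, counting up from the base port.
# Defaults assumed: 30 hops x 3 probes = 90 ports. The "+1" (no "-1") covers the
# classic BSD traceroute, which sends its first probe to base+1 (assumption).
traceroute_port_range() {
    base="${1:-33434}"; hops="${2:-30}"; probes="${3:-3}"
    echo "${base}:$((base + hops * probes))"
}

# Generate the ruleset as text; no iptables binary is needed for this step.
gen_rules() {
    range=$(traceroute_port_range 33434 30 3)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for any protocol: conntrack tracks UDP and ICMP as well as TCP,
# so this rule is deliberately not restricted to one protocol.
-A INPUT -i ${IFACE} -d ${LAN_IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${IFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT
# New outbound flows; their replies are accepted by the rule above.
-A OUTPUT -o ${IFACE} -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o ${IFACE} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o ${IFACE} -p icmp --icmp-type echo-request -d ${GOOGLE} -m state --state NEW -j ACCEPT
# traceroute probes; the ICMP time-exceeded replies come back as RELATED.
-A OUTPUT -o ${IFACE} -p udp --dport ${range} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity checks on the generated text: the ESTABLISHED rule must not be
# protocol-specific, and the traceroute range must span the computed probe count.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- '-p tcp .*ESTABLISHED' && return 1
    echo "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' || return 1
    echo "$rules" | grep -q -- '--dport 33434:33524' || return 1
    return 0
}

# Usage (assumed, not from the page):
#   sh rules.sh > rules.v4 && iptables-restore < rules.v4
#   sh rules.sh check
case "${1:-}" in
    check) check_rules && echo "rules OK" ;;
    *) gen_rules ;;
esac
```

Load the output with iptables-restore rather than typing rules one by one, and keep the state rule near the top of both chains so that every later rule only has to describe the first packet of a flow; with a protocol-specific `-p tcp` on that rule, the UDP and ICMP replies fall through to the chain's DROP policy, which is the symptom described in the thread.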