On Wed, 2005-09-28 at 15:14 -0500, Aleksandar Milivojevic wrote:
Quoting James Pifer jep@obrien-pifer.com:
Alright, I figured I would try a simple proof of concept with this. Without setting any policies to drop, meaning all the chains are wide open (all ACCEPT) I wanted to try and do VNC through the port forward.
So I started with this:
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Ran this:
iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT
Well, James, you are missing quite a lot here. First of all, the default policy is set to ACCEPT, so everything goes through as if there were no firewall rules at all. Secondly, the examples people sent you implied you already had some other firewall rules needed for them to work (most of them don't work on their own).
I'll attach a sample /etc/sysconfig/iptables file with some comments you can use to play with. It's something I just typed for you, so it might contain a typo or two. It's a good starting point for building your own firewall rules.
The configuration style is total overkill for your simple problem; however, if your configuration becomes complex with hundreds or thousands of rules, it'll pay off to do it this way from the beginning.
You might want to deinstall system-config-securitylevel and system-config-securitylevel-tui since they will blindly rewrite this file. You might also want to remove any other GUI tool for managing firewall rules, since it will either overwrite this file, or it will use its own scripts to replace the rules with whatever that GUI tool thinks the configuration should look like. Also, if you use "/etc/init.d/iptables save" (as some folks suggested), it will also overwrite this file with whatever rules are currently loaded (you'll lose all those nice comments I put in for you, and the nice-looking ordering of them too). To load the file, you might do "/etc/init.d/iptables start". Once the rules are up and running, and you change something in the file, don't use the iptables script to reload the new version. Use "iptables-restore /etc/sysconfig/iptables". Or your current sessions might hang ;-)
OK, there's the file in attachment.
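The attachment did not survive in the archive. Below is an added example in the same spirit, not Aleksandar's file: an /etc/sysconfig/iptables in iptables-save format that gives the FORWARD chain a DROP policy so the VNC rule from the original post actually does something, plus the DNAT that makes it a port forward. Interface names eth0 (outside) and eth1 (inside) and the MASQUERADE rule are assumptions, not from the thread.

```iptables
# /etc/sysconfig/iptables (iptables-save format), load with:
#   iptables-restore /etc/sysconfig/iptables
# Assumption: eth0 faces the outside, eth1 faces the LAN holding 10.10.60.4.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The port forward itself: VNC arriving on the outside interface is
# rewritten to the inside VNC host before routing, so the FORWARD
# rule below sees 10.10.60.4 as the destination.
-A PREROUTING -i eth0 -p tcp --dport 5900 -j DNAT --to-destination 10.10.60.4:5900
# Assumption: the box also NATs LAN traffic going out.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
# Default DROP on INPUT and FORWARD. With ACCEPT here (the original
# test), no ACCEPT rule is ever needed and the test proves nothing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to conversations we already allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Manage the firewall itself over SSH from the LAN side only.
-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# The VNC forward: the single client from the post, only to the VNC host,
# only new connections (replies are covered by the state rule above).
-A FORWARD -p tcp -s 192.168.192.24 -d 10.10.60.4 --dport 5900 -m state --state NEW -j ACCEPT
# LAN hosts may open connections to the outside.
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
# Everything else hits the DROP policy; log a rate-limited sample first
# so a forward that "does not work" shows up in the syslog.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
COMMIT
```

After loading, "iptables -L -n -v" and "iptables -t nat -L -n -v" show per-rule packet counters, which is the quickest way to see whether the DNAT and the FORWARD rule are actually matching a VNC attempt.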
---- nice job
Aleksandar's custom iptables/firewall rule sets are now open for business... $2.00 US per custom rule set ($3.00 for really complicated ones). You could make a small fortune.
;-)
Craig