On Wed, 2005-09-28 at 15:14 -0500, Aleksandar Milivojevic wrote:
> Quoting James Pifer <jep at obrien-pifer.com>:
>
> > Alright, I figured I would try a simple proof of concept with this.
> > Without setting any policies to drop, meaning all the chains are wide
> > open (all ACCEPT) I wanted to try and do VNC through the port forward.
> >
> > So I started with this:
> > #iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Ran this:
> > iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4
> > -j ACCEPT
>
> Well, James, you are missing quite a lot here. First of all, default policy is
> set to ACCEPT, so everything goes through as if there were no firewall rules at
> all. Secondly, the examples people sent you implied you already had some other
> firewall rules needed for them to work (most of them don't work on their own).
>
> I'll attach a sample /etc/sysconfig/iptables file with some comments you can use
> to play with. It's something I just typed for you, so it might contain a typo or
> two. It's a good starting point for building your own firewall rules.
>
> The configuration style is total overkill for your simple problem; however, if
> your configuration becomes complex with hundreds or thousands of rules, it'll
> pay off to do it this way from the beginning.
>
> You might want to deinstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this file. You
> might also want to remove any other GUI tool for managing firewall rules, since
> it will either overwrite this file, or it will use its own scripts to replace
> the rules with whatever that GUI tool thinks the configuration should look like.
> Also, if you use "/etc/init.d/iptables save" (as some folks suggested), it will
> also overwrite this file with whatever rules are currently loaded (you'll lose
> all those nice comments I put in for you, and the nice looking ordering of them
> too). To load the file, you might do "/etc/init.d/iptables start". Once the
> rules are up and running, and you change something in the file, don't use the
> iptables script to reload the new version. Use "iptables-restore
> /etc/sysconfig/iptables". Or your current sessions might hang ;-)
>
> OK, there's the file in the attachment.

----
nice job

Aleksandar's custom iptables/firewall rulesets is now open for business...

$ 2.00 US per custom rule set ($3.00 for really complicated ones).

You could make a small fortune. ;-)

Craig
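Aleksandar's attachment is not in the archive, so here is an added example (my own, not his file) of what a minimal /etc/sysconfig/iptables in iptables-save format looks like for James's VNC forward: default DROP policies so the FORWARD rule actually matters, a DNAT rule so connections to the firewall's address are redirected to 10.10.60.4, and stateful rules for the return traffic. Assumptions, all constructed: eth0 faces the client's 192.168.192.0/24 network, the firewall's address there is 192.168.192.1, and the admin connects over ssh from 192.168.192.24.

```shell
#!/bin/sh
# Added example, not the attachment from the thread. Interface and firewall
# address below are assumptions; client and server addresses come from the thread.
EXT_IF=eth0                 # assumed: interface facing the VNC client's network
EXT_IP=192.168.192.1        # assumed: firewall's address on that network
VNC_CLIENT=192.168.192.24   # from the thread
VNC_SERVER=10.10.60.4       # from the thread

# Print the ruleset in the format iptables-save writes and iptables-restore reads.
write_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Connections to the firewall's own address on 5900 are redirected to the server
-A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 5900 -j DNAT --to-destination $VNC_SERVER:5900
COMMIT
*filter
# Default DROP on INPUT and FORWARD: with the policy at ACCEPT, James's
# "-A FORWARD ... -j ACCEPT" rule changed nothing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Keep remote administration working before the DROP policy bites (assumed ssh)
-A INPUT -i $EXT_IF -p tcp -s $VNC_CLIENT --dport 22 -j ACCEPT
# Replies belonging to the forwarded VNC session must be let back through
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rule from the thread. FORWARD sees the post-DNAT destination (10.10.60.4),
# not the firewall's address, so the match is on the server's real IP.
-A FORWARD -p tcp -s $VNC_CLIENT -d $VNC_SERVER --dport 5900 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load atomically with iptables-restore, as recommended in the thread, rather than
# "/etc/init.d/iptables save", which would rewrite the file from the live rules.
apply_ruleset() {
    write_ruleset > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *) write_ruleset ;;       # default: just print the ruleset for review
esac
```

Run it with no argument to review the generated file; run it as root with "apply" to write and load it.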