Fwd: [CentOS] HOW to enable traceroute with IPTABLES
Indunil Jayasooriya
indunil75 at gmail.com
Mon Feb 19 07:07:10 UTC 2007
On 2/19/07, Alvin Chang <alvin.chang at gmail.com> wrote:
>
> On 19/02/07, Indunil Jayasooriya <indunil75 at gmail.com> wrote:
> > WHY?
> STOP USING CAPITALS, IT'S CONSIDERED SHOUTING!
Instead of CAPITALS, I used simple letters as below.
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
But I cannot use -A INPUT as -a input; then it does not work.
Anyway, I would like to get more help as to this.
I want to know whether "-m state --state established,related -j ACCEPT" works for all tcp, udp and icmp protocols, or only for tcp. (For tcp, it works.)
I am testing the rule below. It is udp.
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW -j ACCEPT
When I have the rule below for the above, it works. If I remove it, it will not.
WHY?
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
Please note that I have already added the rule below:
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state established,related -j ACCEPT
> Before you ask anything about IPtables, print out the results from
> iptables -L. It could very well be that the order of your rules is
> MESSED UP!
Please see below:
[root at firebox rc.d]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere firebox.itabspl.com state RELATED,ESTABLISHED
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- anywhere firebox.itabspl.com tcp dpt:ssh
ACCEPT tcp -- anywhere 192.168.102.253 tcp dpt:ssh
ACCEPT icmp -- firebox.itabspl.com anywhere
ACCEPT icmp -- 192.168.102.0/24 192.168.102.253
ACCEPT icmp -- 66.94.234.13 anywhere
ACCEPT icmp -- 64.233.189.104 anywhere
ACCEPT icmp -- 203.143.4.1 anywhere
ACCEPT udp -- anywhere anywhere udp spts:traceroute:33523
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp type 30
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.102.0/24 anywhere udp dpt:domain
ACCEPT udp -- anywhere 192.168.102.0/24 udp spt:domain
ACCEPT udp -- 192.168.100.3 anywhere udp dpt:domain
ACCEPT udp -- anywhere 192.168.100.3 udp spt:domain
ACCEPT tcp -- 192.168.102.25 anywhere multiport dports ssh,smtp,domain,http,https,pop3,imap
ACCEPT tcp -- 192.168.102.0/24 anywhere multiport dports http,https
ACCEPT tcp -- 192.168.100.3 anywhere multiport dports smtp,http,https
ACCEPT icmp -- 192.168.102.25 64.233.189.104
ACCEPT icmp -- 64.233.189.104 192.168.102.25
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- firebox.itabspl.com anywhere tcp dpt:ssh
ACCEPT udp -- firebox.itabspl.com anywhere udp dpt:domain state NEW
ACCEPT tcp -- firebox.itabspl.com anywhere tcp dpt:domain
ACCEPT tcp -- firebox.itabspl.com anywhere tcp spt:ssh
ACCEPT tcp -- 192.168.100.253 anywhere tcp spt:ssh
ACCEPT tcp -- 192.168.102.253 anywhere tcp spt:ssh
ACCEPT icmp -- anywhere firebox.itabspl.com
ACCEPT icmp -- 192.168.102.253 192.168.102.0/24
ACCEPT icmp -- anywhere 66.94.234.13
ACCEPT icmp -- anywhere 64.233.189.104
ACCEPT udp -- anywhere anywhere udp dpts:traceroute:33523
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp type 30
ACCEPT icmp -- anywhere 203.143.4.1
> --
> Alvin Chang Yu-Ming
--
Thank you
Indunil Jayasooriya
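An added check, not part of the thread, for the situation described above: the ESTABLISHED,RELATED rule in INPUT is written with "-p tcp", so UDP replies (the DNS answers to the --dport 53 rule) and ICMP errors that conntrack marks as ESTABLISHED or RELATED never match it, which is why a stateless "--sport 53" rule was needed. The script below takes iptables-save style text (the two rulesets are constructed to mirror the post, and the function names are my own) and reports whether a chain has a protocol-agnostic state rule and how many ACCEPT rules skip state matching entirely.

```shell
#!/bin/sh
# Added example, not from the original post. Flags the pattern in the thread:
# an ESTABLISHED,RELATED rule restricted to one protocol, plus stateless
# ACCEPT rules added to compensate for the replies it misses.

# Constructed iptables-save style ruleset modelled on the post's INPUT chain.
RULESET_TCP_ONLY='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT'

# Same ruleset with the conntrack rule not limited to one protocol: UDP and
# ICMP replies to outbound traffic now match it, so the stateless --sport 53
# rule (which accepts any UDP packet that merely claims source port 53) goes.
RULESET_FIXED='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -d 192.168.101.60 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT'

# has_generic_established CHAIN RULES: exit 0 if CHAIN has a rule matching
# state ESTABLISHED (in either order with RELATED) without a "-p" restriction.
has_generic_established() {
    chain=$1
    printf '%s\n' "$2" | awk -v c="$chain" '
        $1 == "-A" && $2 == c && /--state [A-Z,]*ESTABLISHED/ && !/ -p / { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# count_stateless_accepts CHAIN RULES: prints how many ACCEPT rules in CHAIN
# use no state match at all; each one is a candidate for review.
count_stateless_accepts() {
    chain=$1
    printf '%s\n' "$2" | awk -v c="$chain" '
        $1 == "-A" && $2 == c && /-j ACCEPT/ && !/--state/ { n++ }
        END { print n + 0 }'
}
```

On a live box the same functions can be fed the output of `iptables-save` instead of the constructed strings.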