On 2/17/07, Robert Spangler <lazydog at zoominternet.net> wrote:
>
> On Sat February 17 2007 03:11, Indunil Jayasooriya wrote:
>
> > I am setting up a firewall on CENTOS 4.4.
> >
> > I have enabled ICMP to www.google.com
> >
> > iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
> > iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT
> >
> > traceroute uses by default UDP with port 33434.
>
> While this is true for a starting point, this is not the whole story.
>
> Traceroute starts on this port but every time it sends out a packet the port
> number is increased automatically. Why? Simple, the TTL is exceeded so
> traceroute sends out on the next port in numerical order. Thus traceroute
> needs more than 33434 open; there should be a range of ports open. Traceroute
> does not always start on this port either, I have found out. Sometimes it
> starts on a high port, but only by a few hops.
>
> > I wrote below 2 rules
> >
> > iptables -A OUTPUT -p udp -d 64.233.189.104 --dport 33434 -j ACCEPT
> > iptables -A INPUT -p udp -s 64.233.189.104 --sport 33434 -j ACCEPT
>
> I have the following (I do not restrict traceroute destination):
>
> -A OUTPUT -o eth0 -p udp --dport 33200:33500 -m state --state NEW -j ACCEPT
>
> Also you don't need the INPUT statement if you have ESTABLISHED,RELATED at the
> top of your INPUT chain.

I have included ESTABLISHED,RELATED at the top of my INPUT chain as below:

#Allow established,related traffic to come back
#(for OUTPUT traffic to come back)
iptables -A INPUT -i eth0 -d 192.168.101.60 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

But without an INPUT statement it does not work. For TCP OUTPUT traffic, that is applicable. But for other than TCP (i.e. UDP and ICMP) I will have to include an INPUT statement. A few OUTPUT rules that need an INPUT statement are given below.
(not TCP)

#UDP
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#ICMP (for ping www.google.com)
iptables -A OUTPUT -p icmp -d 64.233.189.104 -j ACCEPT
iptables -A INPUT -p icmp -s 64.233.189.104 -j ACCEPT

And this is for TCP (it does not need an INPUT statement; it works fine):

iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT

Please explain why?

> Then I tried as below
>
> [snip]
>
> > But Still the same.
> >
> > WHY?
>
> I'm placing my money on the port settings.
>
> > IF my rules are wrong can you rectify it ?
>
> See above.
>
>
> --
>
> Regards
> Robert
>
> Smile... it increases your face value!
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
Thank you
Indunil Jayasooriya
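As an added example (not from the thread, and not either poster's ruleset): a complete stateful ruleset in iptables-restore format that covers both points raised above. The ESTABLISHED,RELATED rule quoted in the message carries "-p tcp", so it only ever admits TCP return traffic; the same rule without the protocol match lets connection tracking admit DNS replies and ICMP echo replies as ESTABLISHED, and the ICMP time-exceeded messages that intermediate routers send back to a traceroute probe as RELATED, which is why the per-service INPUT rules become unnecessary. The interface eth0 and host address 192.168.101.60 are taken from the message; the traceroute figures of 30 hops and 3 probes per hop are assumed Linux defaults (only the 33434 base port appears in the thread), and the port range is computed from them rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits a stateful ruleset in
# iptables-restore format; run with APPLY=1 as root to load it, otherwise it
# only prints. Assumptions not in the thread: traceroute's Linux defaults of
# 30 hops and 3 probes per hop (the 33434 base port is the one the thread names).
IFACE=eth0
HOST=192.168.101.60
TR_BASE=33434
TR_HOPS=30
TR_PROBES=3

# Highest UDP destination port a default traceroute run can reach: the port is
# incremented once per probe, so 30 hops x 3 probes covers 90 consecutive ports.
traceroute_port_max() {
    echo $(( TR_BASE + TR_HOPS * TR_PROBES - 1 ))
}

build_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic for every protocol, not just TCP. Connection tracking also
# follows UDP and ICMP flows, and the ICMP time-exceeded errors that routers
# send back to a traceroute probe are classified RELATED to that UDP flow.
-A INPUT -i $IFACE -d $HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound services, NEW only. Their replies match the rule above, so no
# per-service INPUT rule is needed and none is keyed on a spoofable source port.
-A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport $TR_BASE:$(traceroute_port_max) -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Only touch the live firewall when explicitly asked and running as root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    build_rules | iptables-restore
else
    build_rules
fi
```

Two things worth noting about the difference from the rules in the message. First, the INPUT rule "-p udp --sport 53 -j ACCEPT" admits any UDP packet from anyone who chooses source port 53, since nothing ties it to a query this host sent; the state match above only admits a reply to a query conntrack has seen leave. Second, the computed range 33434:33523 fits traceroute's defaults; a run with more hops (-m) or more probes per hop (-q) needs a wider range, and the rule is deliberately NEW-only so that the range is never open for inbound traffic.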