[CentOS] Port Forwarding woes

Tue Apr 28 08:22:44 UTC 2009
D Tucny <d at tucny.com>

2009/4/28 Filipe Brandenburger <filbranden at gmail.com>

> Hi,
>
> On Mon, Apr 27, 2009 at 16:01, Bo Lynch <blynch at ameliaschools.com> wrote:
> > I think I found the culprit but not sure if by taking this out it will be
> > a risk. When I remove this statement things work....
> > iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
> >
> > If I drop the NEW it works. Should I be concerned from I security stand
> > point?
>
> The point of that rule is to drop anything you did not handle before.
> That rule is supposed to be the last one in the list of rules.
>
> The best solution in your case is probably to move your other rules
> above that one.
>

Indeed, that or using iptables -I to insert the other rules... or better
yet, do as you say and put the new rules above the DROP and rather than
using a script, use /etc/sysconfig/iptables for the configuration and use
iptables-restore </etc/sysconfig/iptables to apply changes very fast...

What's odd though is that a DROP wouldn't result in a connection refused
error, you'd need a REJECT for that, with DROP it would just be a timeout...

d
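An added example (not part of the thread or of anyone's reply above): a ruleset in the /etc/sysconfig/iptables format with the port-forward rules placed above the catch-all NEW,INVALID DROP, plus a check that flags any FORWARD rule a script has appended after that DROP, which is exactly the shadowing the original poster hit. The interface eth0 and the LAN host 192.168.1.10 are constructed sample values.

```shell
#!/bin/sh
# Constructed sample ruleset in iptables-save format (what iptables-restore
# reads from /etc/sysconfig/iptables). The state DROP is the LAST FORWARD rule.
write_ruleset() {   # $1 = output file
cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
EOF
}

# Walk the filter table in order (iptables evaluates rules top to bottom, so
# "iptables -A" after the DROP is never reached). Prints "ok" and returns 0
# when the NEW,INVALID DROP is last; otherwise lists each shadowed rule and
# returns 1.
check_forward_order() {   # $1 = ruleset file
    awk '
        /^\*/ { table = $0 }
        table == "*filter" && /^-A FORWARD / {
            if (seen_drop) { shadowed++; print "shadowed: " $0 }
            if ($0 ~ /--state NEW,INVALID -j DROP/) seen_drop = 1
        }
        END { if (shadowed) exit 1; print "ok" }
    ' "$1"
}
```

Run the check against the file before applying it with iptables-restore; a rule reported as shadowed is one that should have been inserted with -I or moved above the DROP.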