/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


I tried the following and got an error

suggested rule:

/sbin/ipchains -A input --dport 7001 -j ACCEPT

Error result:

/sbin/ipchains: can only specify ports for icmp, tcp or udp

The following is what I am seeing in my log files.  (Note that these
rejections apply to port 27015, another port I'm trying to use.)

Dec 27 16:42:30 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.26.68.64:1029 24.15.142.51:27015 L=38 S=0x00 I=13799 F=0x0000 T=111 (#22)
Dec 27 16:42:32 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=5904 F=0x0000 T=113 (#21)
Dec 27 16:42:33 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=21521 F=0x0000 T=113 (#21)
Dec 27 16:42:54 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=37 S=0x00 I=1545 F=0x0000 T=102 (#22)
Dec 27 16:42:56 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=17930 F=0x0000 T=102 (#22)
Dec 27 16:42:58 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=24331 F=0x0000 T=102 (#22)

I have also tried just adding the following rule manually

/sbin/ipchains -A input -p udp --dport 27015 -j ACCEPT

and

/sbin/ipchains -A input -p udp -i eth0 -d 24.15.142.51 27015 -j ACCEPT

they were accepted without error, but they didn't seem to stop the
rejections.

thanks

Red Hat 7.0, trinityOS strong firewall ruleset, kernel 2.2.16, ipchains
firewall


Carl Engstrom


----- Original Message -----
From: "raf" <[EMAIL PROTECTED]>
To: "ipmasquerading" <[EMAIL PROTECTED]>
Sent: Tuesday, December 26, 2000 8:12 PM
Subject: Re: [Masq] Opening up port in the firewall


>
> Carl Engstrom wrote:
>
> > I'm sorry to ask this simple question, but I'm wondering if someone can give
> > me the simple IPCHAINS rule that would open up a hole in my IPCHAINS firewall
> > to allow traffic on a certain port.
> >
> > Basically, I just need to:
> >
> > 1) Open up port 7001 and 7003-7005 for UDP and TCP traffic to and from my
> > firewall server, from everywhere inside and out.  I know I SHOULD be port
> > forwarding but I am NOT.  My apps are running on my firewall server.
>
>     ipchains -A input --dport 7001 -j ACCEPT
>     ipchains -A input --dport 7003:7005 -j ACCEPT
>     ipchains -A output --dport 7001 -j ACCEPT
>     ipchains -A output --dport 7003:7005 -j ACCEPT
>
> > 2) I would also like a handy firewall opener that I could use to manually
> > bring down the firewall when I need to...something that would basically flush
> > all of the old rules and start masquerading without stopping any traffic.
>
>     #!/bin/sh
>     ipchains -F    # flush the rules in every chain first: -X only removes user chains that are already empty and unreferenced
>     ipchains -X
>     ipchains -P input ACCEPT
>     ipchains -P output ACCEPT
>     ipchains -P forward DENY
>     ipchains -A forward -i $extif -j MASQ
>
> where $extif = your external interface device name
>
> this may or may not break existing connections (probably not)
> but it's the closest you'll get to what you want. if your normal
> firewall script is masquerading and that is the only thing that
> happens on the forward chain, you might get away with this instead.
>
>     #!/bin/sh
>     ipchains -F input
>     ipchains -F output
>
> raf
>

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
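The log excerpt above already says why the appended rules did nothing: every rejected packet is tagged `(#21)` or `(#22)`, the position of the rule in the `input` chain that matched it, and `-A` appends a rule at the end of the chain, after those rejects. The script below is an added example, not code from the post or from the trinityOS ruleset. It parses 2.2-kernel `Packet log:` lines, counts REJECT/DENY hits per service and rule number, and builds the `-I input N` command that puts an ACCEPT ahead of the lowest-numbered rejecting rule. The sample lines are the post's own log entries with the mail wrapping undone; the rule-position reasoning relies only on ipchains semantics (`(#N)` is the 1-based rule position, `-I CHAIN N` inserts at position N). The `-p udp` is not optional: as the first error message in the post shows, `--dport` or a trailing port is accepted only together with `-p tcp`, `-p udp` or `-p icmp`.

```python
"""Parse ipchains packet-log lines and work out where an ACCEPT rule must go.

Added example, not code from the list post or the trinityOS ruleset.
Semantics relied on: (#N) in a log line is the 1-based position of the rule
that matched, -A appends at the end of a chain, -I CHAIN N inserts at N.
"""
import re
from collections import Counter

# Sample input: the REJECT entries quoted in the post, line wraps rejoined.
SAMPLE_LOG = [
    "Dec 27 16:42:30 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.26.68.64:1029 24.15.142.51:27015 L=38 S=0x00 I=13799 F=0x0000 T=111 (#22)",
    "Dec 27 16:42:32 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=5904 F=0x0000 T=113 (#21)",
    "Dec 27 16:42:33 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=21521 F=0x0000 T=113 (#21)",
    "Dec 27 16:42:54 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=37 S=0x00 I=1545 F=0x0000 T=102 (#22)",
    "Dec 27 16:42:56 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=17930 F=0x0000 T=102 (#22)",
    "Dec 27 16:42:58 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=24331 F=0x0000 T=102 (#22)",
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Layout of a 2.2-kernel ipchains log entry (written for rules flagged -l):
#   Packet log: CHAIN TARGET IFACE PROTO=N SRC:SPORT DST:DPORT
#               L=length S=tos I=ipid F=fragment T=ttl [SYN] (#rulenum)
# For ICMP the two "port" positions carry type and code instead.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a
    packet-log entry (syslog noise, kernel messages, truncated lines)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "ttl": int(d["ttl"]), "syn": bool(d["syn"]),
        "rule": int(d["rule"]),
    }


def rejects_by_service(lines):
    """Count REJECT/DENY hits per (chain, iface, proto, dst, dport, rule)."""
    counts = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["target"] in ("REJECT", "DENY"):
            counts[(p["chain"], p["iface"], p["proto"],
                    p["dst"], p["dport"], p["rule"])] += 1
    return counts


def insert_before(chain, iface, proto, dst, dport, rejecting_rules):
    """Build the ipchains command that places an ACCEPT ahead of every rule
    number seen rejecting this service.  -A would append the ACCEPT after
    rules #21/#22, so the packet is rejected before it is ever compared with
    the new rule; -I CHAIN N puts it at position N and shifts old rule N
    (and everything below it) down by one."""
    pos = min(rejecting_rules)
    return (f"/sbin/ipchains -I {chain} {pos} -p {proto} -i {iface} "
            f"-d {dst} {dport} -j ACCEPT")


def suggest_accept_rules(lines):
    """One insert command per rejected (chain, iface, proto, dst, dport)."""
    hits = {}
    for line in lines:
        p = parse_line(line)
        if p and p["target"] in ("REJECT", "DENY"):
            key = (p["chain"], p["iface"], p["proto"], p["dst"], p["dport"])
            hits.setdefault(key, set()).add(p["rule"])
    return [insert_before(*key, rules) for key, rules in sorted(hits.items())]


if __name__ == "__main__":
    for key, n in sorted(rejects_by_service(SAMPLE_LOG).items()):
        print(n, *key)
    for cmd in suggest_accept_rules(SAMPLE_LOG):
        print(cmd)
```

On the post's log the script proposes `-I input 21`, one rule, UDP only; TCP to the same port needs its own `-p tcp` rule. After inserting, `/sbin/ipchains -L input -n` should list the ACCEPT above the rules that were rejecting. Since a boot-time ruleset such as trinityOS rebuilds the chains from its script, the durable fix is to put the ACCEPT into that script ahead of the catch-all reject rules rather than to rely on a runtime `-I`.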
