/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Where did you place the rule? Remember, ipchains stops searching as soon as it
finds a match. So if it hits the "reject" rule before it gets to your "accept"
rule...
Try doing an "ipchains -n --line-numbers -L" and see where rule (#22) is and
what it does. Then search down the list to find your "accept" rule.
- Gary
Carl Engstrom wrote:
>
>
> I tried the following and got an error
>
> suggested rule:
>
> /sbin/ipchains -A input --dport 7001 -j ACCEPT
>
> Error result:
>
> /sbin/ipchains: can only specify ports for icmp, tcp or udp
>
> The following is what I am seeing in my log files. (Note that these
> rejections apply to port 27015, another port I'm trying to use.)
>
> Dec 27 16:42:30 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.26.68.64:1029 24.15.142.51:27015 L=38 S=0x00 I=13799 F=0x0000 T=111 (#22)
> Dec 27 16:42:32 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=5904 F=0x0000 T=113 (#21)
> Dec 27 16:42:33 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 65.26.92.118:2418 24.15.142.51:27015 L=40 S=0x00 I=21521 F=0x0000 T=113 (#21)
> Dec 27 16:42:54 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=37 S=0x00 I=1545 F=0x0000 T=102 (#22)
> Dec 27 16:42:56 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=17930 F=0x0000 T=102 (#22)
> Dec 27 16:42:58 CX203722-A kernel: Packet log: input REJECT eth0 PROTO=17 66.24.18.38:2043 24.15.142.51:27015 L=40 S=0x00 I=24331 F=0x0000 T=102 (#22)
>
> I have also tried just adding the following rule manually
>
> /sbin/ipchains -A input -p udp --dport 27015 -j ACCEPT
>
> and
>
> /sbin/ipchains -A input -p udp -i eth0 -d 24.15.142.51 27015 -j ACCEPT
>
> they were accepted without error, but they didn't seem to stop the
> rejections.
>
> thanks
>
> Red Hat 7.0, trinityOS strong firewall ruleset, kernel 2.2.16, ipchains
> firewall
>
> Carl Engstrom
>
> ----- Original Message -----
> From: "raf" <[EMAIL PROTECTED]>
> To: "ipmasquerading" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 26, 2000 8:12 PM
> Subject: Re: [Masq] Opening up port in the firewall
>
> >
> >
> > Carl Engstrom wrote:
> >
> > > I'm sorry to ask this simple question, but I'm wondering if someone can give
> > > me the simple IPCHAINS rule that would open up a hole in my IPCHAINS firewall
> > > to allow traffic on certain port.
> > >
> > > Basically, I just need to:
> > >
> > > 1) Open up port 7001 and 7003-7005 for UDP and TCP traffic to and from my
> > > firewall server, from everywhere inside and out. I know I SHOULD be port
> > > forwarding but I am NOT. My apps are running on my firewall server.
> >
> > ipchains -A input --dport 7001 -j ACCEPT
> > ipchains -A input --dport 7003:7005 -j ACCEPT
> > ipchains -A output --dport 7001 -j ACCEPT
> > ipchains -A output --dport 7003:7005 -j ACCEPT
> >
> > > 2) I would also like a handy firewall opener that I could use to manually
> > > bring down the firewall when I need to...something that would basically flush
> > > all of the old rule and start masquerading without stopping any traffic.
> >
> > #!/bin/sh
> > ipchains -X
> > ipchains -P input ACCEPT
> > ipchains -P output ACCEPT
> > ipchains -P forward DENY
> > ipchains -A forward -i $extif -j MASQ
> >
> > where $extif = your external interface device name
> >
> > this may or may not break existing connections (probably not)
> > but it's the closest you'll get to what you want. if your normal
> > firewall script is masquerading and that is the only thing that
> > happens on the forward chain, you might get away with this instead.
> >
> > #!/bin/sh
> > ipchains -F input
> > ipchains -F output
> >
> > raf
> >
>
--
----------------------------------------------------------------------
Edison Information Technologies www.EdisonInfo.com
P.O. Box 554 [EMAIL PROTECTED]
Milan, OH 44846-0554 419.499.7040
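Gary's point about first-match ordering, as an added example that is not from anyone in this thread: a small Python script that parses lines in the kernel "Packet log:" format Carl posted, so you can see which rule number (the "(#N)" suffix) is rejecting which destination port, plus a toy first-match model of one input chain showing why an ACCEPT appended with "-A" after an earlier REJECT never fires, while the same rule inserted with "-I" ahead of it does. The sample log lines, addresses and rule positions are constructed for the example, and the chain model only imitates ipchains matching; it does not call ipchains.

```python
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample in the kernel "Packet log:" format quoted in the thread;
# addresses, ids and timestamps are made up, not the poster's real ones.
SAMPLE_LOG = """\
Dec 27 16:42:30 fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.10:1029 203.0.113.5:27015 L=38 S=0x00 I=13799 F=0x0000 T=111 (#22)
Dec 27 16:42:32 fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.11:2418 203.0.113.5:27015 L=40 S=0x00 I=5904 F=0x0000 T=113 (#21)
Dec 27 16:42:54 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.12:2043 203.0.113.5:7001 L=40 S=0x00 I=1545 F=0x0000 T=102 (#22)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)

def parse_packet_log(text):
    """One dict per 'Packet log:' line; the (#N) suffix is the chain position that fired."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["proto"] = PROTO_NAMES.get(int(d["proto"]), d["proto"])
        for key in ("sport", "dport", "rule"):
            d[key] = int(d[key])
        records.append(d)
    return records

def rejecting_rules(records):
    """Count (rule number, proto, dport) for rejected packets: tells you which rule to inspect."""
    return Counter((r["rule"], r["proto"], r["dport"])
                   for r in records if r["verdict"] == "REJECT")

# Toy first-match model of one ipchains chain. A rule is (proto or None, dport or None, target);
# like ipchains, the first rule that matches decides and later rules are never consulted.
def first_match(chain, proto, dport):
    for pos, (rproto, rport, target) in enumerate(chain, start=1):
        if rproto in (None, proto) and rport in (None, dport):
            return pos, target
    return None, "POLICY"   # fell off the end: the chain's default policy applies

def append_rule(chain, rule):          # what "ipchains -A input ..." does
    return chain + [rule]

def insert_rule(chain, pos, rule):     # what "ipchains -I input <pos> ..." does
    return chain[:pos - 1] + [rule] + chain[pos - 1:]
```

Run rejecting_rules(parse_packet_log(...)) over your real log and the rule numbers it reports are the positions to compare against "ipchains -n --line-numbers -L input"; an ACCEPT must sit at a lower position than the REJECT that is firing.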
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.