Hi...

On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <[email protected]> wrote:

> When listing try iptables -L -n
>
> also you should see a port, ex:
>
> ACCEPT tcp -- 10.0.0.0/8 0.0.0.0/0 state NEW tcp dpt:22
>
> or in your case I'm guessing ici is the protocol and you grep ici from
> /etc/services you'll see port 2200
>
> I would just use the IP on the rule unless you have a reason not to.
>
>
> On Fri, Jul 1, 2011 at 2:54 PM, keith smith <[email protected]> wrote:
>
>> Hi,
>>
>> I added a rule: iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
>>
>> and when I list the iptables I see:
>>
>> ACCEPT tcp -- 24-221-202-36.pools.static.spcsdns.net anywhere tcp dpt:ici
>>
>> Are the below two rules the same?
>>
>> iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net --dport 22 -j ACCEPT
>>

Depending on your DNS settings, yes. If you use a "hostname" entry in /etc/hosts that conflicts with DNS, you might find a hang. This is clearly your SWIP'd IP address in a dynamic pool from your upstream utility provider, which is only loaned. Since SSH requires reverse DNS authentication as part of the RFC, you cannot have mismatched IP to hostname, especially if in your /etc/ssh/sshd_config you have strict checking enabled. I would ALWAYS use the IP address ONLY in iptables.

>> in other words can I use 24-221-202-36.pools.static.spcsdns.net in place
>> of the IP?
>>
>> Also I do not see the port when I issue iptables -L? How can I tell if
>> the rule applies to a specific port?
>>

An easier way to learn iptables is to use the actual configuration syntax reported via

# /sbin/iptables-save

You can see the port and each line EXACTLY as entered then. You can pipe to a file:

# /sbin/iptables-save >/tmp/iptables-$date

You can edit that file:

# vi /tmp/iptables-$date

You can restore that file after edits. BEWARE of FLUSHING DNS unless you are directly in front of your machine or KNOW WHAT YOU ARE DOING!

# /sbin/iptables-restore </tmp/iptables-$date

Finally you can save that in a persistent state that will write to your startup iptables files.

# /etc/init.d/iptables save

In that way, you don't corrupt your startup configuration. You always test your config before adding it to a running config. Use nmap to test your iptables from an external server (even on your local network):

# nmap -P0 24.221.202.36 (or the NAT address 192.168.n.n)

>> Thanks!
>>
>> ------------------------
>> Keith Smith
>>
>

--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice

** Eat'N Cookies <http://www.securitytube.net/video/1991>
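The advice above is to read rules from iptables-save output, where the source and --dport appear exactly as entered, rather than from the resolved names that iptables -L prints. The following Python is an added example, not code from the thread or from any list member: it parses a constructed iptables-save snippet (including a rule for the 24.221.202.36 source discussed here) and reports which INPUT rule would apply to a given source address, protocol and destination port. It assumes rules only use -s, -p, -m, --state, --dport and -j, and it skips connection-state matches for simplicity.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output; not taken from any real host.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 24.221.202.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2200 -j DROP
COMMIT
"""

def parse_rules(save_text):
    """Turn each '-A CHAIN ...' line of iptables-save output into a dict.
    Table headers, chain policies and COMMIT lines are not rules and are skipped."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "src": None, "proto": None, "dport": None, "target": None}
        i = 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)   # always an address/prefix here
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)                  # numeric, never a service name
            elif opt == "-j":
                rule["target"] = arg
            # "-m <module>" and "--state <list>" are consumed but not evaluated (assumption)
            i += 2
        rules.append(rule)
    return rules

def rules_matching(rules, chain, src_ip, proto, dport):
    """Targets of rules in `chain` that apply to a packet from src_ip to proto/dport,
    in table order; iptables acts on the first one, so hits[0] is the decision."""
    addr = ipaddress.ip_address(src_ip)
    hits = []
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        hits.append(r["target"])
    return hits
```

Running `rules_matching(parse_rules(SAMPLE_IPTABLES_SAVE), "INPUT", "24.221.202.36", "tcp", 22)` answers the question in the thread directly: the rule applies to port 22 from that source, and a lookup for another source or port shows which other rule, if any, would fire instead.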
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
