Thank you for your feedback!!  It was a lot of help!

------------------------

Keith Smith

--- On Fri, 7/1/11, Lisa Kachold <[email protected]> wrote:

From: Lisa Kachold <[email protected]>
Subject: Re: IPTables question
To: "Main PLUG discussion list" <[email protected]>
Date: Friday, July 1, 2011, 5:14 PM

Hi...

On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <[email protected]> wrote:

When listing try iptables -L -n
also you should see a port, ex:
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           state NEW tcp dpt:22


or in your case I'm guessing ici is the protocol, and if you grep ici from 
/etc/services you'll see port 2200.
I would just use the IP on the rule unless you have a reason not to.



On Fri, Jul 1, 2011 at 2:54 PM, keith smith <[email protected]> wrote:


Hi,

I added a rule : iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT

and when I list the iptables I see:  



ACCEPT     tcp  --  24-221-202-36.pools.static.spcsdns.net  anywhere            tcp dpt:ici

Are the below two rules the same?


iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net --dport 22 -j ACCEPT


Depending on your DNS settings, yes.  If you use a "hostname" entry in 
/etc/hosts that conflicts with DNS, you might find a hang.

This is clearly your SWIP'd IP address in a dynamic pool from your upstream 
utility provider, which is only loaned.  Since SSH requires reverse DNS 
authentication as part of the RFC, you cannot have mismatched IP to hostname, 
especially if in your /etc/ssh/sshd_config you have strict checking enabled.


I would ALWAYS use the IP address ONLY in iptables.
 


in other words can I use 24-221-202-36.pools.static.spcsdns.net in place of the 
IP?


Also I do not see the port when I issue iptables -L ?  How can I tell if the 
rule applies to a specific port?
An easier way to learn iptables is to use the actual configuration syntax 
reported via 


# /sbin/iptables-save

You can see the port and each line EXACTLY as entered then. You can pipe to a 
file:

# /sbin/iptables-save >/tmp/iptables-$date

You can edit that file

# vi /tmp/iptables-$date


You can restore that file after edits

BEWARE of FLUSHING DNS unless you are directly in front of your machine or KNOW 
WHAT YOU ARE DOING!

# /sbin/iptables-restore </tmp/iptables-$date

Finally you can save that in a persistent state that will write to your startup 
iptables files.


# /etc/init.d/iptables save

In that way, you don't corrupt your startup configuration.  You always test 
your config before adding it to a running config.

Use nmap to test your iptables from an external server (even on your local 
network):

# nmap -P0  24.221.202.36 (or the NAT address 192.168.n.n)
 


Thanks!

------------------------

Keith Smith

-- 
(602) 791-8002  Android

(623) 239-3392 Skype
(623) 688-3392 Google Voice


Eat'N Cookies
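As an added example (not code from this thread or from any of its posters), a small POSIX shell script that reads iptables-save output, which carries numeric addresses and ports rather than the resolved hostname and "dpt:ici" that iptables -L printed above, and summarizes each rule so the port a rule applies to is unambiguous. The dump it parses is constructed here, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not captured from a real host).
# The first rule is the one from the thread; the other two are made up.
# Note that iptables-save always prints the source numerically with a mask
# and the port as a number, so nothing depends on DNS or /etc/services.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 24.221.202.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2200 -j DROP
COMMIT'

# summarize_rules: read iptables-save text on stdin and print one line per
# "-A" rule as "CHAIN SOURCE PROTO DPORT TARGET" ("-" where a field is absent).
summarize_rules() {
    awk '
        $1 == "-A" {
            chain = $2; src = "-"; proto = "-"; dport = "-"; target = "-"
            for (i = 3; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            print chain, src, proto, dport, target
        }'
}

# rule_accepts SRC_CIDR PORT: exit 0 if the dump on stdin holds an INPUT
# ACCEPT rule for exactly that source and TCP destination port, else exit 1.
rule_accepts() {
    summarize_rules | awk -v s="$1" -v p="$2" '
        $1 == "INPUT" && $2 == s && $3 == "tcp" && $4 == p && $5 == "ACCEPT" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Demonstration on the constructed dump; on a live host you would run
# "iptables-save | summarize_rules" as root instead.
printf '%s\n' "$SAMPLE_DUMP" | summarize_rules
```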

---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
---------------------------------------------------