Hi...
On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <
mike.ballon@gmail.com> wrote:
> When listing try iptables -L -n
>
> also you should see a port, ex:
>
> ACCEPT tcp -- 10.0.0.0/8 0.0.0.0/0 state NEW tcp
> dpt:22
>
> or in your case I'm guessing ici is the protocol and you grep ici from
> /etc/services you'll see port 2200
>
> I would just use the IP on the rule unless you have a reason not to.
>
>
> On Fri, Jul 1, 2011 at 2:54 PM, keith smith <klsmith2020@yahoo.com> wrote:
>
>> Hi,
>>
>> I added a rule : iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j
>> ACCEPT
>>
>> and when I list the iptables I see:
>>
>> ACCEPT tcp -- 24-221-202-36.pools.static.spcsdns.net
>> anywhere tcp dpt:ici
>>
>> Are the below two rules the same?
>>
>> iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net--dport 22 -j ACCEPT
>>
>> Depending on your DNS settings, yes. If you use a "hostname" entry in
/etc/hosts that conflicts with DNS, you might find a hang.
This is clearly your SWIP'd IP address in a dynamic pool from your upstream
utility provider; which is only loaned. Since SSH requires reverse DNS
authentication as part of the RFC, you cannot have mismatched IP to
hostname, especially if in your /etc/ssh/sshd_config you have strict
checking enabled.
I would ALWAYS use the IP address ONLY in iptables.
> in other words can I use 24-221-202-36.pools.static.spcsdns.net in place
>> of the IP?
>>
>> Also I do not see the port when I issue iptables -L ? How can I sell if
>> the rule applies to a specific port?
>>
> An easier way to learn iptables is to use the actual configuration syntax
reported via
# /sbin/iptables-save
You can see the port and each line EXACTLY as entered then. You can pipe to
a file:
# /sbin/iptables-save >/tmp/iptables-$date
You can edit that file
# vi /tmp/iptables-$date
You can restore that file after edits
BEWARE of FLUSHING DNS unless you are directly in front of your machine or
KNOW WHAT YOU ARE DOING!
#/sbin/iptables-restore </tmp/iptables-$date
Finally you can save that in a persistent state that will write to your
startup iptables files.
#/etc/init.d/iptables save
In that way, you don't corrupt your startup configuration. You always test
your config before adding it to a running config.
Use nmap to test your iptables from an external server (even on your local
network):
# nmap -P0 24.221.202.36 (or the NAT address 192.168.n.n)
>
>> Thanks!
>>
>> ------------------------
>> Keith Smith
>>
>
--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Eat'N Cookies <
http://www.securitytube.net/video/1991>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss