IPTables question
keith smith
klsmith2020 at yahoo.com
Tue Jul 5 11:31:52 MST 2011
Thank you for your feedback!! It was a lot of help!
------------------------
Keith Smith
--- On Fri, 7/1/11, Lisa Kachold <lisakachold at obnosis.com> wrote:
From: Lisa Kachold <lisakachold at obnosis.com>
Subject: Re: IPTables question
To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
Date: Friday, July 1, 2011, 5:14 PM
Hi...
On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <mike.ballon at gmail.com> wrote:
When listing try iptables -L -n
also you should see a port, ex:
ACCEPT tcp -- 10.0.0.0/8 0.0.0.0/0 state NEW tcp dpt:22
or in your case I'm guessing ici is the protocol; if you grep ici from /etc/services you'll see port 2200
I would just use the IP on the rule unless you have a reason not to.
On Fri, Jul 1, 2011 at 2:54 PM, keith smith <klsmith2020 at yahoo.com> wrote:
Hi,
I added a rule : iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
and when I list the iptables I see:
ACCEPT tcp -- 24-221-202-36.pools.static.spcsdns.net anywhere tcp dpt:ici
Are the below two rules the same?
iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net --dport 22 -j ACCEPT
Depending on your DNS settings, yes. If you use a "hostname" entry in /etc/hosts that conflicts with DNS, you might find a hang.
This is clearly your SWIP'd IP address in a dynamic pool from your upstream utility provider, which is only loaned. Since SSH requires reverse DNS authentication as part of the RFC, you cannot have mismatched IP to hostname, especially if in your /etc/ssh/sshd_config you have strict checking enabled.
I would ALWAYS use the IP address ONLY in iptables.
in other words can I use 24-221-202-36.pools.static.spcsdns.net in place of the IP?
Also I do not see the port when I issue iptables -L? How can I tell if the rule applies to a specific port?
An easier way to learn iptables is to use the actual configuration syntax reported via
# /sbin/iptables-save
You can see the port and each line EXACTLY as entered then. You can pipe to a file:
# /sbin/iptables-save >/tmp/iptables-$date
You can edit that file
# vi /tmp/iptables-$date
You can restore that file after edits
BEWARE of FLUSHING DNS unless you are directly in front of your machine or KNOW WHAT YOU ARE DOING!
#/sbin/iptables-restore </tmp/iptables-$date
Finally you can save that in a persistent state that will write to your startup iptables files.
#/etc/init.d/iptables save
In that way, you don't corrupt your startup configuration. You always test your config before adding it to a running config.
Use nmap to test your iptables from an external server (even on your local network):
# nmap -P0 24.221.202.36 (or the NAT address 192.168.n.n)
Thanks!
------------------------
Keith Smith
--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
Eat'N Cookies
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
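Worked example, added by the editor and not written by anyone in this thread: a small POSIX shell script that follows Lisa's advice of reading rules in iptables-save syntax (where the port is visible as --dport) rather than in the resolved iptables -L listing, and that refuses to build an ACCEPT rule from a hostname, so only a literal IP ever goes into the rule. The iptables-save text is a constructed sample, not output from Keith's machine, and the function names (rules_for_port, ssh_allow_rule, is_ipv4_source) are hypothetical; nothing here touches the live firewall.

```shell
#!/bin/sh
# Constructed sample of iptables-save output; it is not from any host in the thread.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 24.221.202.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed'

# Print every rule line that matches a given destination port.
# In iptables-save syntax the port is always there as "--dport N";
# "iptables -L" without -n would show it as a service name instead.
rules_for_port() {
    port="$1"
    printf '%s\n' "$SAMPLE_RULES" | grep -E -- "--dport ${port}( |$)"
}

# Number of rules for that port (handy when checking a saved file).
count_rules_for_port() {
    rules_for_port "$1" | wc -l | tr -d ' '
}

# True only for a dotted-quad IPv4 literal with an optional /prefix.
# A hostname fails this check, so DNS can never be consulted when the
# rule is built or loaded.
is_ipv4_source() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit the iptables command for allowing SSH from one source, but only
# when that source is an IP literal; otherwise report and return 1.
ssh_allow_rule() {
    if is_ipv4_source "$1"; then
        printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$1"
    else
        printf 'refusing: %s is not an IP literal, resolve it first\n' "$1" >&2
        return 1
    fi
}

# Usage when run directly: list the port-22 rules and build one rule.
rules_for_port 22
ssh_allow_rule 24.221.202.36
ssh_allow_rule 24-221-202-36.pools.static.spcsdns.net || true
```

On a real box you would feed the script the output of /sbin/iptables-save (or the /tmp/iptables-$date file from Lisa's workflow) instead of SAMPLE_RULES; the grep works the same on a saved file, and checking the file this way before iptables-restore is a cheap guard against loading a rule that does not match the port you intended.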