IPTables question

keith smith klsmith2020 at yahoo.com
Tue Jul 5 11:31:52 MST 2011


Thank you for your feedback!!  It was a lot of help!

------------------------

Keith Smith

--- On Fri, 7/1/11, Lisa Kachold <lisakachold at obnosis.com> wrote:

From: Lisa Kachold <lisakachold at obnosis.com>
Subject: Re: IPTables question
To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
Date: Friday, July 1, 2011, 5:14 PM

Hi...

On Fri, Jul 1, 2011 at 12:22 PM, Mike Ballon <mike.ballon at gmail.com> wrote:

When listing try iptables -L -n
also you should see a port, ex:
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           state NEW tcp dpt:22 


or in your case I'm guessing ici is the protocol and you grep ici from /etc/services you'll see port 2200
I would just use the IP on the rule unless you have a reason not to.



On Fri, Jul 1, 2011 at 2:54 PM, keith smith <klsmith2020 at yahoo.com> wrote:


Hi,

I added a rule : iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT

and when I list the iptables I see:  



ACCEPT     tcp  --  24-221-202-36.pools.static.spcsdns.net  anywhere            tcp dpt:ici

Are the below two rules the same?


iptables -A INPUT -p tcp -s 24.221.202.36 --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -s 24-221-202-36.pools.static.spcsdns.net --dport 22 -j ACCEPT


Depending on your DNS settings, yes.  If you use a "hostname" entry in /etc/hosts that conflicts with DNS, you might find a hang.

This is clearly your SWIP'd IP address in a dynamic pool from your upstream utility provider; which is only loaned.  Since SSH requires reverse DNS authentication as part of the RFC, you cannot have mismatched IP to hostname, especially if in your /etc/ssh/sshd_config you have strict checking enabled.


I would ALWAYS use the IP address ONLY in iptables.
 


in other words can I use 24-221-202-36.pools.static.spcsdns.net in place of the IP?


Also I do not see the port when I issue iptables -L ?  How can I sell if the rule applies to a specific port?
An easier way to learn iptables is to use the actual configuration syntax reported via 


# /sbin/iptables-save

You can see the port and each line EXACTLY as entered then. You can pipe to a file:

# /sbin/iptables-save >/tmp/iptables-$date

You can edit that file

# vi /tmp/iptables-$date


You can restore that file after edits

BEWARE of FLUSHING DNS unless you are directly in front of your machine or KNOW WHAT YOU ARE DOING!

#/sbin/iptables-restore </tmp/iptables-$date

Finally you can save that in a persistent state that will write to your startup iptables files.


#/etc/init.d/iptables save

In that way, you don't corrupt your startup configuration.  You always test your config before adding it to a running config.

Use nmap to test your iptables from an external server (even on your local network):




# nmap -P0  24.221.202.36 (or the NAT address 192.168.n.n)
 


Thanks!

------------------------

Keith Smith

-- 
(602) 791-8002  Android

(623) 239-3392 Skype
(623) 688-3392 Google Voice


Eat'N Cookies

















-----Inline Attachment Follows-----

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20110705/dffd72e9/attachment.html>


More information about the PLUG-discuss mailing list