> My conf looks like this:
>
> # Generated by iptables-save v1.2.7a on Sun Jul 13 21:22:53 2003
> *nat
> :PREROUTING ACCEPT [38:2291]
> :POSTROUTING ACCEPT [10:1360]
> :OUTPUT ACCEPT [10:1360]
> COMMIT
> # Completed on Sun Jul 13 21:22:53 2003
> # Generated by iptables-save v1.2.7a on Sun Jul 13 21:22:53 2003
> *mangle
> :PREROUTING ACCEPT [1276:94773]
> :INPUT ACCEPT [1258:93117]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1849:510779]
> :POSTROUTING ACCEPT [1850:510857]
> COMMIT
> # Completed on Sun Jul 13 21:22:53 2003
> # Generated by iptables-save v1.2.7a on Sun Jul 13 21:22:53 2003
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :VNC - [0:0]
> # Deny NetBios TCP
> -A INPUT -p tcp -m tcp -m state ! -s 80.242.234.70 --dport 130:140 --state NEW,INVALID -j DROP
> # Deny NetBios TCP
> -A INPUT -p udp -m udp -m state ! -s 80.242.234.70 --dport 130:140 --state NEW,INVALID -j DROP
> # Webmin TCP
> -A INPUT -p tcp -m tcp -m state -s 80.242.234.70 --dport 12000 --state NEW,INVALID -j ACCEPT
> # Webmin UDP
> -A INPUT -p udp -m udp -m state -s 80.242.234.70 --dport 12000 --state NEW,INVALID -j ACCEPT
> # X11 TCP
> -A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 6001 --state NEW,INVALID -j DROP
> # X11 UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 6001 --state NEW,INVALID -j DROP
> # X11 TCP
> -A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 6000 --state NEW,INVALID -j DROP
> # X11 UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 6000 --state NEW,INVALID -j DROP
> # RPC TCP
> -A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 111 --state NEW,INVALID -j DROP
> # RPC UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 111 --state NEW,INVALID -j DROP
> # VNC TCP
> -A INPUT -p tcp -m tcp --dport 5801
> # VNC UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 5901 --state NEW,INVALID
> # SSH TCP
> -A INPUT -p tcp -m tcp -m state ! -s 80.242.234.70 --dport 22 --state NEW,INVALID -j DROP
> # SSH UDP
> -A INPUT -p udp -m udp -m state ! -s 80.242.234.70 --dport 22 --state NEW,INVALID -j DROP
> # MYSQL TCP
> -A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 3306 --state NEW,INVALID -j DROP
> # MYSQL UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 3306 --state NEW,INVALID -j DROP
> # Webmin TCP
> -A INPUT -p tcp -m tcp -m state -s 62.131.19.121 --dport 12000 --state NEW,INVALID -j ACCEPT
> # Webmin UDP
> -A INPUT -p udp -m udp -m state -s 62.131.19.121 --dport 12000 --state NEW,INVALID -j ACCEPT
> # SWAT TCP
> -A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 901 --state NEW,INVALID -j DROP
> # VNC 127.0.0.1
> -A VNC -p tcp -m tcp -m state ! -s 127.0.0.1 --sport 5801 --state NEW,INVALID -j DROP
> # VNC 213.132.174.75
> -A VNC -p tcp -m tcp -m state ! -s 213.132.174.75 --sport 5801 --state NEW,INVALID -j DROP
> # VNC 62.131.17.192
> -A VNC -p tcp -m tcp -m state ! -s 62.131.17.192 --sport 5801 --state NEW,INVALID -j DROP
> # VNC 80.242.234.70
> -A VNC -p tcp -m tcp -m state -s 80.242.234.70 --sport 5801 --state NEW,INVALID -j DROP
> # VNC 62.131.19.121
> -A VNC -p tcp -m tcp -m state -s 62.131.19.121 --sport 5801 --state NEW,INVALID -j DROP
> # SWAT UDP
> -A INPUT -p udp -m udp -m state ! -s 127.0.0.1 --dport 901 --state NEW,INVALID -j DROP
> # ICMP
> -A INPUT -p icmp -j DROP
> COMMIT
> # Completed on Sun Jul 13 21:22:53 2003
Please reply to the list, not to me personally. Thanks!

Okay, you're doing a bunch of stuff with which I am unfamiliar (especially that --state NEW,INVALID stuff), but there are a couple of things that I think could help you...

(1) You seem to have your firewall set to accept anything that you don't DROP. Bad idea, typically. It's much better to have specific rules to allow things you want in, and then deny everything else.

(2) If I recall correctly, Webmin uses port 10000, not 12000, which could be the reason for the problem that you originally asked about.

Let me share with you the /etc/sysconfig/iptables I have set up on one of my machines, it may help you:

    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Lokkit-0-50-INPUT - [0:0]
    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A FORWARD -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
    COMMIT

I'm not an expert (yet) at iptables, but you can see that I'm specifically allowing incoming traffic for http (port 80), ssh (port 22), dns query replies (udp port 53), and dhcp (67/68). I also allow anything from the loopback device (lo), as that's how many processes work internal to linux. The next two lines flatly reject anything else. Of course, I could use DROP instead of REJECT, but I try to be a good internet neighbor. :)

HTH,
Ben

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
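As an added check (not code from either post in this thread), here is a small Python audit that reads an iptables-save dump and flags the patterns Ben raises: chains left at policy ACCEPT with no catch-all DROP/REJECT, rules with no -j target, ACCEPT rules that also match INVALID state, and user-defined chains that nothing jumps to. The sample is a constructed, cut-down version of the quoted filter table, and the catch-all test is a heuristic that only recognises a bare `-j DROP` or `-j REJECT` as the last rule of a chain.

```python
"""Audit an iptables-save dump for default-allow and no-op rule patterns."""
import shlex

# Constructed sample: a cut-down version of the poster's *filter table.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VNC - [0:0]
-A INPUT -p tcp -m tcp -m state ! -s 127.0.0.1 --dport 22 --state NEW,INVALID -j DROP
-A INPUT -p tcp -m tcp -m state -s 80.242.234.70 --dport 12000 --state NEW,INVALID -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5801
-A VNC -p tcp -m tcp -m state ! -s 127.0.0.1 --sport 5801 --state NEW,INVALID -j DROP
COMMIT
"""

TERMINAL = {"DROP", "REJECT"}


def parse_filter(text):
    """Return ({chain: policy}, [(chain, tokens)]) for the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"; "-" = user chain
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rules.append((toks[1], toks))
    return policies, rules


def audit(text):
    policies, rules = parse_filter(text)
    findings = []
    referenced = {t[t.index("-j") + 1] for _, t in rules if "-j" in t}
    for chain, toks in rules:
        if "-j" not in toks:
            findings.append(f"no-target: rule in {chain} matches but does nothing")
        elif toks[-1] == "ACCEPT" and "--state" in toks and "INVALID" in toks[toks.index("--state") + 1]:
            findings.append(f"accepts-invalid: ACCEPT rule in {chain} also matches INVALID")
    for chain, policy in policies.items():
        own = [t for c, t in rules if c == chain]
        # Heuristic: only a bare "-A CHAIN -j DROP/REJECT" counts as a catch-all.
        catch_all = own and len(own[-1]) == 4 and own[-1][-1] in TERMINAL
        if policy == "ACCEPT" and not catch_all:
            findings.append(f"default-allow: {chain} policy ACCEPT with no catch-all DROP/REJECT")
        if policy == "-" and chain not in referenced:
            findings.append(f"unreachable: user chain {chain} is never jumped to")
    return findings
```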