Sponsored Content
Full Discussion: Help with iptables
Top Forums UNIX for Dummies Questions & Answers Help with iptables Post 302755823 by samnyc on Monday 14th of January 2013 01:15:07 PM
Old 01-14-2013
Help with iptables

Hi, I just build a Linux server, I said yes to enable the firewall. I only choose SSH conneciton. When I check the iptables. I see all of this (see below). I want to reject every thing only allow SSH from subnet 192.168.1.xx. Can you advise, how to do.

Code:
 
 
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1043 3332K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
   15  2978 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
  540 44542 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1532  142K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

 

10 More Discussions You Might Find Interesting

1. IP Networking

IPtables

Hey guys, I have just started using IP tables and was wondering if anyone could direct me to any good online resources as I am totally new to this. Thanks. (1 Reply)
Discussion started by: 182x
1 Replies

2. IP Networking

Need help with iptables

Trying to create a whitelist to limit bandwidth. My sync speed is 1536/256 kbps. Simple rules in order: 1. Do not limit (or set to 1536/256) MAC 00:00:00:00:00 (computer is in 192.168.1.0/24). 2. Do not limit (or set to 1536/256) MAC 00:00:00:00:01 (computer is in 192.168.1.0/24). 3. Do not... (1 Reply)
Discussion started by: kripz
1 Replies

3. IP Networking

Iptables

Thanks in advance I have to remove ip_tables_name from /proc/net/... i was trying to do so and getting the following error cmd : rm ip_tables_names error : rm: remove regular empty file `ip_tables_names'? y rm: cannot remove `ip_tables_names': Operation not permitted (4 Replies)
Discussion started by: sudeepiit
4 Replies

4. IP Networking

iptables assistance

I have a CentOS 5.2 (10.20.21.73) machine that I need help with configuring iptables. According to documentation I believe this line should allow all communication between my machine and another machine (other machine has no firewall) -A RH-Firewall-1-INPUT -s 10.20.21.12 -j ACCEPT #... (1 Reply)
Discussion started by: beaker457
1 Replies

5. IP Networking

Iptables

What should be the iptables rule so that only the subnet 64.61.11.224/255.255.255.248 may access the mysql port 3306 (1 Reply)
Discussion started by: proactiveaditya
1 Replies

6. IP Networking

iptables changes

Hello We have one linux machine in the office which happens to be an important firewall. I just know the basics and need to make one change Essentially it is forward mysql traffic to another internal machine. This is the original rule (forward to 192.20.0.17) which is working ... (0 Replies)
Discussion started by: rina5392
0 Replies

7. UNIX for Dummies Questions & Answers

help with iptables

Hi, On the IPTABLES, I did iptables --flush. I want to start fresh. Now I only want two things. Allow one ip address to this server. Allow port 443 as incoming from every where. Please advice how to do this. This is what I did so for. iptables -I INPUT -i eth0 -s 1.2.3.4 -j ACCEPT... (5 Replies)
Discussion started by: samnyc
5 Replies

8. IP Networking

Help with iptables

photo... (1 Reply)
Discussion started by: beerpong1
1 Replies

9. Red Hat

iptables help for port 80

Hi I enable the IPtables but port 80 was not working. Below is my active configuration (10 Replies)
Discussion started by: ranjancom2000
10 Replies

10. Ubuntu

iptables

Hi I need help with an iptables configuration, this is what I have server A Server B A and B are using different gateways i am sending port 22 from A to B, I see the packages coming in B but B is not sending the package to internet. please give me some examples. (0 Replies)
Discussion started by: lmartinez073
0 Replies
FIREWALLD.ZONE(5)						  firewalld.zone						 FIREWALLD.ZONE(5)

NAME
firewalld.zone - firewalld zone configuration files SYNOPSIS
/etc/firewalld/zones/zone.xml /usr/lib/firewalld/zones/zone.xml DESCRIPTION
A firewalld zone configuration file contains the information for a zone. These are the zone description, services, ports, icmp-blocks, masquerade, forward-ports and rich language rules in an XML file format. The file name has to be zone_name.xml where length of zone_name is currently limited to 17 chars. This is the structure of a zone configuration file: <?xml version="1.0" encoding="utf-8"?> <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]> [ <short>short description</short> ] [ <description>description</description> ] [ <interface name="string"/> ] [ <source address="address[/mask]"/> ] [ <service name="string"/> ] [ <port port="portid[-portid]" protocol="tcp|udp"/> ] [ <icmp-block name="string"/> ] [ <masquerade/> ] [ <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="ipv4address"]/> ] [ <rule [family="ipv4|ipv6"]> [ <source address="address[/mask]" [invert="bool"]/> ] [ <destination address="address[/mask]" [invert="bool"]/> ] [ <service name="string"/> | <port port="portid[-portid]" protocol="tcp|udp"/> | <protocol value="protocol"/> | <icmp-block name="icmptype"/> | <masquerade/> | <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/> ] [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ] [ <audit> [<limit value="rate/duration"/>] </audit> ] [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ] </rule> ] </zone> The config can contain these tags and attributes. Some of them are mandatory, others optional. zone The mandatory zone start and end tag defines the zone. This tag can only be used once in a zone configuration file. There are optional attributes for zones: version="string" To give the zone a version. target="ACCEPT|%%REJECT%%|DROP" Can be used to accept, reject or drop every packet. The ACCEPT target is used in the trusted zone, every packet will be accepted. The %%REJECT%% target is used in the block zone, every packet will be rejected with the default firewalld reject type. The DROP target is used in the drop zone, every packet will be dropped. The default target is {chain}_ZONE_{zone} and will be used if the target is not specified. If other than the default target is used, all settings except interface and source are ignored, because the first rule created in firewall for this zone is 'jump to target'. short Is an optional start and end tag and is used to give a zone a more readable name. description Is an optional start and end tag to have a description for a zone. interface Is an optional empty-element tag and can be used several times. It can be used to bind an interface to a zone. An interface entry has exactly one attribute: name="string" The name of the interface to be bound to the zone. source Is an optional empty-element tag and can be used several times. It can be used to bind a source address or source address range to a zone. A source entry has exactly one attribute: address="address[/mask]" The source to be bound to the zone. The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. service Is an optional empty-element tag and can be used several times to have more than one service entry enabled. A service entry has exactly one attribute: name="string" The name of the service to be enabled. To get a list of valid service names firewall-cmd --list=services can be used. port Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are mandatory: port="portid[-portid]" The port can either be a single port number portid or a port range portid-portid. protocol="tcp|udp" The protocol can either be tcp or udp. icmp-block Is an optional empty-element tag and can be used several times to have more than one icmp-block entry. Each icmp-block tag has exactly one mandatory attribute: name="string" The name of the Internet Control Message Protocol (ICMP) type to be blocked. To get a list of valid ICMP types firewall-cmd --list=icmptypes can be used. masquerade Is an optional empty-element tag. It can be used only once in a zone configuration and is not usable for IPv6. If it's present masquerading is enabled for the zone. If you want to enable masquerading, you should enable it in the zone bound to the external interface. forward-port Is an optional empty-element tag and can be used several times to have more than one port or packet forward entry. This is for IPv4 only. Use rich language rules for IPv6. There are mandatory and also optional attributes for forward ports: Mandatory attributes: The local port and protocol to be forwarded. port="portid[-portid]" The port can either be a single port number portid or a port range portid-portid. protocol="tcp|udp" The protocol can either be tcp or udp. Optional attributes: The destination of the forward. For local forwarding add to-port only. For remote forwarding add to-addr and use to-port optionally if the destination port on the destination machine should be different. to-port="portid[-portid]" The destination port or port range to forward to. If omitted, the value of the port= attribute will be used altogether with the to-addr attribute. to-addr="address" The destination IPv4 IP address. rule Is an optional element tag and can be used several times to have more than one rich language rule entry. The general rule structure: <rule [family="ipv4|ipv6"]/> [ <source address="address[/mask]" [invert="bool"]/> ] [ <destination address="address[/mask]" [invert="bool"]/> ] [ <service name="string"/> | <port port="portid[-portid]" protocol="tcp|udp"/> | <protocol value="protocol"/> | <icmp-block name="icmptype"/> | <masquerade/> | <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/> ] [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ] [ <audit> [<limit value="rate/duration"/>] </audit> ] [ <accept/> | <reject [type="rejecttype"]/> | <drop/> ] </rule> Rule structure for source black or white listing: <rule [family="ipv4|ipv6"]/> <source address="address[/mask]" [family="bool"]/> [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]/> [<limit value="rate/duration"/>] </log> ] [ <audit> [<limit value="rate/duration"/>] </audit> ] <accept/> | <reject [type="rejecttype"]/> | <drop/> </rule> For a full description on rich language rules, please have a look at firewalld.richlanguage(5). SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5) NOTES
firewalld home page at fedorahosted.org: http://fedorahosted.org/firewalld/ More documentation with examples: http://fedoraproject.org/wiki/FirewallD AUTHORS
Thomas Woerner <twoerner@redhat.com> Developer Jiri Popelka <jpopelka@redhat.com> Developer firewalld 0.3.9 FIREWALLD.ZONE(5)
All times are GMT -4. The time now is 09:09 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy