UDP & TCP Port Communication is Filtered/Open in nmap
Hi,
I currently have some ports on my computer that I use for very specific data acquisition / transfer. The IP address of the computer doing that handshaking is changing. My current /etc/sysconfig/iptables file looks like this.
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25144:25145 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1980:1982 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The ports of interest are 15150, 15155, and 15225. While preparing for the new network, I tried probing through another computer to see if anyone on the local network could access those ports. What I ended up with was that nmap said the tcp ports are open, but the UDP ports were filtered/open. When I tried to handshake across these ports, it was unsuccessful.
Any insight that could be provided would be fantastic.
Also, I should add that since the network switchover is currently occurring (it's a remote machine), I cannot access it to check anything. But any suggestions for when the network is back up would be great.
For an explanation of how nmap scans udp ports, see the nmap(1) manpages -- specifically, the -sU option.
Quote:
Originally Posted by benderan
When I tried to handshake across these ports, it was unsuccessful.
This appears to be your problem (question?), but I'm unsure what you are asking. Were you expecting your connection attempt to be successful? What exactly did you try, and how did it fail? How are you trying to initiate a handshake with a stateless protocol (udp), BTW?
I guess I didn't state my problem very clearly. Currently, there is a control computer that takes packets from the computer I described above on three udp ports (this computer is in turn connected to my scientific instruments). I was probably misusing the word handshaking above (I'm new to all of this networking admin stuff, and am pretty confused by the online tutorials I've found). Currently the setup somehow allows this computer to access those ports (if you do an iptables -L, the -p 50 & -p 51 lines change to the name of that control computer).
For my new setup, there is going to be a dual ethernet connection with 2 different static ips. I need the new control computer to be able to access the same ports, but I also need to specify which port acts on which ethernet connection.
I was expecting my previous connection attempt to be successful because I couldn't find anything that specified the control computer as the only one with access.
My question is, where in the setup is the appropriate place to make these changes, and maybe you could point me to a straightforward reference on these topics?
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -j ACCEPT
There is nothing in them that explicitly allows packets in from a particular source host or subnet. It should be allowing in all udp traffic to ports 15150, 15155, 15225. If that's not what is happening in reality, then check whatever application sits behind them to see if it has access control lists enabled in its configuration.
Also, for the sake of eliminating possibilities, shut off iptables entirely (service iptables stop) and then see if the connection works as you'd expect.
Finally, be sure to confirm that there are actually services listening on those udp service ports: netstat -lun | egrep '15150|15155|15225'
Hope that helps. If I'm still misunderstanding your question, then please try again in plain English (i.e. lose any tech lingo and extraneous info you're tempted to include).
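An added, constructed illustration (not from the thread) of the two points made in the replies above: why nmap -sU reports a UDP port as "open|filtered", and why confirming that a service actually listens on the port matters. The probe() helper mimics nmap's three UDP outcomes on the loopback interface; the listener and port helpers exist only to build the test cases and are assumptions of this example.

```python
import socket
import threading

# Constructed local demo of the three outcomes of a UDP probe:
#   a datagram comes back            -> "open"
#   the kernel answers ICMP          -> "closed"
#   port-unreachable
#   nothing at all                   -> "open|filtered"
# Silence is what both a firewall DROP and a listener that simply
# ignores the probe look like from outside, which is why nmap cannot
# tell the two apart. probe() is this example's own helper, not nmap code.

PROBE_TIMEOUT = 1.0  # seconds to wait for a reply


def probe(host, port, payload=b"probe", timeout=PROBE_TIMEOUT):
    """Send one UDP datagram and classify the result the way nmap -sU does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() makes the kernel report ICMP port-unreachable as an error
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_listener(reply):
    """Bind a UDP listener on 127.0.0.1; reply=True echoes, False stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5)

    def serve():
        try:
            data, peer = srv.recvfrom(1024)
            if reply:
                srv.sendto(data, peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a loopback port with nothing listening behind it (the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Running probe() against an echoing listener, a silent listener and an unused port yields "open", "open|filtered" and "closed" respectively; the middle case is what the original poster saw, and it says nothing about whether a firewall or the application is dropping the packet.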
Ok, I understand what you've written above, and I was able to communicate with the control computer (I still don't know why this wasn't possible from the test computer).
Now, I need to configure so that ports 15155 & 15150 communicate on eth1, while 15225 communicates on eth0. I think this is again something to do in iptables, but I'm getting lost in all the options of your suggested tutorial.
As an additional (and comprehensive) reference, also see the iptables(8) manpages.
Quote:
Originally Posted by benderan
I need to configure so that ports 15155 & 15150 communicate on eth1, while 15225 communicates on eth0.
Your rules should then look something like:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15150 -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15155 -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 15225 -i eth0 -j ACCEPT
But don't deploy those rule changes until you understand what they're doing. (Again, the manpages may be of assistance here. Also cruise the 'net for iptables example rulesets.)