Hello, everyone. This is actually a renewal of an older thread (
http://www.linuxquestions.org/questi...5&pagenumber=1)
I'm posting it again here in hopes that someone might see it and be able to help me.
Here's the story so far: I am trying to run a streaming server called Shoutcast. This streaming server requires that ports 8000 and 8001 be open for my relay. 8001 listens for the incoming source, from the studio, as it were, while 8000 streams the source material out to listeners.
However, every time I try to stream, the server sends me a message saying I am behind a firewall.
I have tried everything to try to disable this firewall, or to open the ports. You can see what I've done in the original thread.
Finally, chort, a moderator for this forum, has suggested that the culprit is the Lokkit configuration, which is keeping me from controlling my firewall.
Here's my Lokkit file, followed by chort's comments:
ERROR - You must be root to run lokkit.
ERROR - only one of 'high', 'medium', and 'disabled' may be specified.
/sbin/iptables -D INPUT -j RH-Lokkit-0-50-INPUT 2>/dev/null
/sbin/iptables -D FORWARD -j RH-Lokkit-0-50-INPUT 2>/dev/null
/sbin/iptables -F RH-Lokkit-0-50-INPUT 2>/dev/null
/sbin/iptables -X RH-Lokkit-0-50-INPUT 2>/dev/null
/etc/resolv.conf
nameserver
w
#!/bin/sh
PATH=/sbin:$PATH
iptables
/bin/sh
%s
COMMIT
--syn
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
iptables -N RH-Lokkit-0-50-INPUT
iptables -F RH-Lokkit-0-50-INPUT
%s-A RH-Lokkit-0-50-INPUT -p %s -m %s --dport %d %s -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -i %s -j ACCEPT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
/sbin/modprobe iptables >/dev/null 2>&1
/sbin/service iptables start >/dev/null 2>&1
%s-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
%s-A RH-Lokkit-0-50-INPUT -p udp -m udp -s %s --sport 53 -d 0/0 -j ACCEPT
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
/sbin/iptables -F RH-Lokkit-0-50-INPUT
And chort's reaction:
Quote:
Tsk, tsk. That is just awful. Someone in Red Hat's security department should be spanked.
Could someone please give this poor guy a working, stateful firewall configuration that doesn't have idiocies like only blocking certain port ranges and allowing anything with a source port of 53... I never did learn iptables (hated the syntax) or I would do it myself.
No NAT/masq needed, just a nice single interface firewall to deny all inbound (except ports 8000/tcp and 8001/tcp), and allow all outbound (tracking state). Come to think of it, better allow bootp and dhcp, too.
I need a firewall as chort described, with the following ports open for eventual streaming: 8000, 8001, but also 7995, 7996, 7998, and 7999 open for incoming, plus ssh inbound/outbound and FTP inbound/outbound.
Does anyone think this Lokkit file is NOT the culprit, or that this rewrite is not necessary? Please let me know. Please see the original thread for more information.
Thank you in advance.