All,

I have a basic question on configuring a firewall on my RedHat 9.0 computer. Have used security configs and lokkit but could not succeed

What I want to do is the following:

* Allow 1 IP address on a certain port (incoming TCP/UDP traffic)
* Allow everybody on portrange 1024 - 2000 (incoming TCP/UDP)

How do I implement this? Hope somebody can help

Thanks!!

The rule format is..

iptables -I INPUT -s x.x.x.x -p tcp --dport port -j ACCEPT
iptables -I INPUT -p tcp --dport 1024:2000 -j ACCEPT

Have a look at this tutorial for all the options...

Using LOKKIT (cough, cough) will make a set of rules in /etc/sysconfig/iptables
Adding the rules above needs to be done after the LOKKIT rules are active, then do service iptables save to make them permanent.
iptables-save prints all active rules to the screen.

I second Peter's recommendation of that tutorial..read it 3 times before you try anything.

You should also be aware that LOKKIT is, um, *not well regarded*, and perhaps you would do better creating a rules script on your own. It might be a little intimidating at first but you will almost certainly end up with a better set of rules.

You should consider adding a rule that accepts packets bound to already-established sessions:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Peter, the rules you posted look good to Me, but I wonder if Beuzekom needs UDP also.

HTH

Jo thanks ... did loads of reading and got things working!

You are right- initially the syntax is a kind of strange but once you tried some thing it is really easy! I configured all specific ports and for the internal network I even do some mac checking :-) .... and whatever is not defined in the chain is dropped

$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

quote..

$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

I'd recommend you don't use the -s 0/0 -d 0/0 matches..
It's an unecessary use of processor time and there are some packets which won't match against an ip number.
If that rule is going to be last, change the chain POLICY to DROP instead and maybe add a logging line to see what has been dropped.