Subject: Re: iptables example script for EPICS CA
From: John William Sinclair <[email protected]>
To: [email protected]
Date: Fri, 29 Jun 2012 09:44:03 -0400
Here's a previous submission:

---------------------------------

Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think that the following is an accurate description of the firewall settings needed to support channel access.

====================================================================

If you want channel access clients on a machine to be able to see beacons and replies to broadcast PV search requests you need to permit inbound UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064) or destination port EPICS_CA_REPEATER_PORT (default is 5065). On systems using iptables this can be accomplished by rules like

    -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
    -A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT

If you want channel access servers (e.g. "soft IOCs") on a machine to be able to see clients you need to permit inbound TCP or UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064). On systems using iptables this can be accomplished by rules like

    -A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
    -A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT

The above sets of rules are complete assuming that there's no blocking of outbound traffic. In all cases the "-s 192.168.0.0/22" specifies the range of addresses from which you wish to accept packets.

====================================================================

On 06/29/2012 08:32 AM, Mark Rivers wrote:
Folks,

I am trying to help someone who is new to EPICS get it running on a Linux host that needs to run the iptables firewall. He needs to run both a soft IOC and EPICS clients on this machine. He's having trouble configuring the iptables firewall correctly. If he disables iptables things work fine, but with it enabled EPICS does not work.

Can someone send an example of an iptables script that allows CA to run on the default ports of 5064 and 5065, UDP and TCP?

Thanks,
Mark
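As an added example (my own, not code from either post), a small POSIX shell helper that emits the four rules described above for a given subnet, taking the ports from EPICS_CA_SERVER_PORT and EPICS_CA_REPEATER_PORT when they are set, in a form that `iptables-restore -n` can load without flushing the rules already present. The function names and the CIDR sanity check are my assumptions, not part of the thread.

```shell
#!/bin/sh
# Added example: generate the EPICS Channel Access INPUT rules from the thread
# as an iptables-restore fragment. Defaults are the EPICS defaults
# (EPICS_CA_SERVER_PORT=5064, EPICS_CA_REPEATER_PORT=5065), overridden by the
# environment or by the function arguments: subnet, server port, repeater port.

ca_iptables_rules() {
    subnet="${1:-192.168.0.0/22}"
    server_port="${2:-${EPICS_CA_SERVER_PORT:-5064}}"
    repeater_port="${3:-${EPICS_CA_REPEATER_PORT:-5065}}"

    # Refuse anything that does not look like an IPv4 CIDR prefix, so a typo
    # or an empty argument cannot silently widen the accepted source range.
    case "$subnet" in
        ""|*[!0-9./]*|*/) echo "ca_iptables_rules: bad subnet '$subnet'" >&2; return 1 ;;
    esac

    # Client side: beacons and PV search replies arrive FROM the server port
    # (UDP), and the repeater receives beacons ON the repeater port (UDP).
    printf '%s\n' "-A INPUT -s $subnet -p udp --sport $server_port -j ACCEPT"
    printf '%s\n' "-A INPUT -s $subnet -p udp --dport $repeater_port -j ACCEPT"
    # Server side (soft IOC): search requests (UDP) and client circuits (TCP)
    # arrive AT the server port.
    printf '%s\n' "-A INPUT -s $subnet -p udp --dport $server_port -j ACCEPT"
    printf '%s\n' "-A INPUT -s $subnet -p tcp --dport $server_port -j ACCEPT"
}

# Wrap the rules in a filter-table fragment for `iptables-restore -n`
# (--noflush appends to the existing ruleset instead of replacing it).
ca_iptables_restore_fragment() {
    echo '*filter'
    ca_iptables_rules "$@" || return 1
    echo 'COMMIT'
}
```

Usage: `ca_iptables_restore_fragment 10.1.0.0/16 | sudo iptables-restore -n`; the rules are appended, so any earlier DROP rule in INPUT still takes precedence.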