Basic Iptables issue

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Basic Iptables issue

Post by Firebar » 2007/04/25 14:46:59

Hi all,

I'm creating a clean iptables configuration on my CentOS 4.4 server. I flushed the rules then removed the RH-Firewall-X INPUT reference chain. So now I just have the 3 defaults, INPUT, OUTPUT and FORWARD.

Looks something like this:

[img]http://www.zen103935.zen.co.uk/test.jpg[/img]

My OUTPUT rule works fine, but none of my input rules do. I've saved and restarted iptables.
Any idea why my INPUT rules aren't working? Is it because I deleted that RH-Firewall-1-INPUT reference chain?

Any help would be appreciated.

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/25 15:49:05

It’s hard to tell from your description what the problem is.

It may be that you do not understand how the /etc/init.d/iptables init script functions vs. how the /sbin/iptables, /sbin/iptables-save and /sbin/iptables-restore utilities function.

If you don’t want to use the standard /etc/sysconfig/iptables configuration, but do want the iptables init script to load the rules on startup, then why don’t you start over like this:

[code]# #[b] WARNING: This is a nonstandard setup. Newbies reading this thread should stick with the standard configuration. [/b]
#
# /sbin/iptables -F
# /sbin/iptables -A FORWARD -j DROP
# /sbin/iptables -A OUTPUT -j ACCEPT
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# /sbin/iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# /sbin/iptables -A INPUT -p 50 -j ACCEPT
# /sbin/iptables -A INPUT -p 51 -j ACCEPT
# /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# # Followed by whatever custom rules you want
#
# /sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
#
# /etc/init.d/iptables save[/code]
Your rules will be saved in /etc/sysconfig/iptables and will be loaded on boot.


Please note that “/etc/init.d/iptables save” and “/sbin/iptables-save” do not accomplish the same thing.
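As an added example (not code from the thread or from CentOS), the script below renders the flat ruleset from the reply above in the iptables-restore format that "/etc/init.d/iptables save" writes to /etc/sysconfig/iptables, and checks the ordering before the file is loaded. It runs without an iptables binary; the "--dport 22" line is a constructed stand-in for "whatever custom rules you want", and the protocol names esp/ah are how iptables-save renders "-p 50" and "-p 51".

```shell
#!/bin/sh
# Added example, not code from the thread: render the flat ruleset in
# iptables-restore format and sanity check it before installing it.
# Runs without an iptables binary.

# Print the saved form of the rules from the reply. iptables-save writes
# protocols 50 and 51 by name (esp, ah) and expands "-p icmp" to
# "-p icmp -m icmp". The port 22 rule is a constructed sample custom rule.
emit_flat_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a saved ruleset on stdin. Succeed only if the INPUT chain ends with
# the catch-all REJECT and the ESTABLISHED,RELATED accept precedes it;
# otherwise print the reason and fail. This catches the classic mistake of
# appending a new accept rule after the REJECT, where it can never match.
check_ruleset() {
    awk '
        /^-A INPUT / {
            n++; last = $0
            if ($0 ~ /ESTABLISHED,RELATED/) est = n
            if ($0 ~ /-j REJECT/) rej = n
        }
        END {
            if (last !~ /-j REJECT/) { print "INPUT does not end with the catch-all REJECT"; exit 1 }
            if (!est || est > rej) { print "ESTABLISHED,RELATED accept missing or placed after REJECT"; exit 1 }
            exit 0
        }'
}

# Count the INPUT rules, for comparison with "iptables -L INPUT -n --line-numbers".
count_input_rules() {
    grep -c '^-A INPUT '
}

# Stand-alone usage: write the candidate file to a scratch path, never straight
# over /etc/sysconfig/iptables, and only copy it there once the check passes.
out=$(mktemp)
emit_flat_ruleset > "$out"
check_ruleset < "$out" && echo "$out passes; copy it to /etc/sysconfig/iptables and run: service iptables restart"
```

The check is deliberately narrow: it only looks at rule order within INPUT, which is the part that silently breaks when rules are appended after the REJECT. The FORWARD and OUTPUT chains are left as the reply has them.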

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 15:57:11

Thanks for the reply.

I'm using the /etc/init.d/service iptables save/restart method.

It's very weird to see everything working except the INPUT rules, which is what I'm confused about. Once I can at least get that part of the filtering working then I can build an iptables script.

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/25 16:17:54

Why do you want to build a custom init script when one is already provided?

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 16:22:32

Well, what I mean is that once all my rules that I want are in place using /sbin/iptables then I can do a save and leave it at that. Currently I'd just like INPUT filtering to work, seeing as it doesn't.

On an off note, I ran system-config-securitylevel and disabled/enabled the firewall. It then wrote its own iptables.config including the RH-Firewall-1-INPUT chain (which has 2 references?) and things work again.

Edit: OK, the RH-Firewall-1-INPUT is a reference to the FORWARD and INPUT policy. Why would that be? Surely that then means that everything in that chain is also set to forwarded. I don't use this function, but still...

Thanks.

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/25 16:31:13

The easiest way to understand how RH-Firewall-1-INPUT is used is to open /etc/init.d/iptables and read the script. It is not equivalent to /sbin/iptables INPUT.

The RH-Firewall-1-INPUT reference in /etc/sysconfig/iptables can be changed to anything that has no system meaning (e.g., :%s/RH-Firewall-1-INPUT/MyRules/gc). I always shorten it to make /etc/sysconfig/iptables more readable.
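As an added example (not code from the thread or from CentOS), here is a constructed /etc/sysconfig/iptables in the layout system-config-securitylevel writes, with two small helpers that answer the questions in this thread without an iptables binary: where the "2 references" to RH-Firewall-1-INPUT come from (the INPUT and FORWARD chains each jump to it), and how to rename the chain consistently, the non-interactive equivalent of the vim substitution above. The port 22 rule is a constructed sample entry.

```shell
#!/bin/sh
# Added example, not code from the thread or from CentOS: a constructed
# sysconfig-style ruleset plus helpers to inspect and rename a user chain.

# Constructed sample in the standard layout: the built-in INPUT and FORWARD
# chains each jump to the user-defined RH-Firewall-1-INPUT chain, which holds
# the real rules. The chain is defined in this file, not in the init script,
# which simply loads the file with iptables-restore.
emit_standard_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the name of every chain that jumps to chain $1, one per line. This is
# what "iptables -L" summarises as "(N references)" in a user chain's header.
chain_references() {
    awk -v target="$1" '
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) print $2
        }'
}

# Number of chains that jump to chain $1.
count_references() {
    chain_references "$1" | awk 'END { print NR }'
}

# Rename chain $1 to $2 everywhere it occurs (definition line, -A lines and
# -j targets). Pick a new name with no built-in meaning, as the reply says;
# the name must not contain "/" since it is used in a sed expression.
rename_chain() {
    sed "s/$1/$2/g"
}

# Stand-alone usage: show who references the chain, then preview the rename.
emit_standard_ruleset | chain_references RH-Firewall-1-INPUT
emit_standard_ruleset | rename_chain RH-Firewall-1-INPUT MyRules
```

Run against the sample, chain_references prints INPUT and FORWARD, which is exactly the "2 references" reported by iptables -L; a packet that matches the chain's rules is only forwarded if it arrived on the FORWARD path in the first place, so the shared chain does not turn input traffic into forwarded traffic.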

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 16:44:33

RH-Firewall-1-INPUT isn't even listed in the /etc/init.d/iptables script.

I don't understand why it uses this extra chain. Why not just keep the default INPUT, OUTPUT and FORWARD? It seems as though this is stopping my default chains from working correctly, at least the INPUT one.

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 16:48:03

Below are my chains after flushing, and after inserting a couple of rules:

[img]http://www.zen103935.zen.co.uk/test2.JPG[/img]

If I change the default policy of the INPUT chain to DROP then nothing works. I would have thought my 2 rules in the RH-Firewall-1-INPUT chain may have worked, but as you can see the referencing has gone.

What I don't understand is why I cannot simply remove the RH-Firewall-1-INPUT chain and use the default 3 chains.

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 16:53:29

Now if I make my chains look like this:

[img]http://www.zen103935.zen.co.uk/test3.JPG[/img]

Then I would have presumed that HTTP port 80 would be open; this isn't the case though. I can't access it.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Basic Iptables issue

Post by michaelnel » 2007/04/25 16:55:58

Looks to me like you don't have iptables chkconfigged on.

# chkconfig iptables on
# service iptables start
