Basic Iptables issue

Support for security such as Firewalls and securing linux
Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 16:57:06

iptables is definitely running & chkconfigged too.

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/25 16:58:58

[quote]RH-Firewall-1-INPUT isnt even listed in the /etc/init.d/iptables script.[/quote]

[code]# cat /etc/sysconfig/iptables
#
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
...[/code]
You are correct, RH-Firewall-1-INPUT is read by the script from the last statement above and used as a reference label. The label in and of itself has no meaning and can be changed to whatever you want it to be.

I take it that you are more familiar with how iptables is managed in non-Redhat-based distros, such as Debian-based distros. Debian, for example, has no equivalent of /etc/init.d/iptables, unless you write the script yourself.

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/25 17:05:58

As a reference, this is the “standard” http line in /etc/sysconfig/iptables:

[code]-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT[/code]

And a fairly standard /etc/sysconfig/iptables would look like:

[code]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MyRules - [0:0]
-A INPUT -j MyRules
-A FORWARD -j MyRules
-A MyRules -i lo -j ACCEPT
-A MyRules -p icmp --icmp-type any -j ACCEPT
-A MyRules -p 50 -j ACCEPT
-A MyRules -p 51 -j ACCEPT
-A MyRules -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A MyRules -p udp -m udp --dport 631 -j ACCEPT
-A MyRules -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A MyRules -j REJECT --reject-with icmp-host-prohibited
COMMIT[/code]

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 17:06:11

I'm new to iptables full stop, but the manpages are quite self-explanatory and make it sound so easy! I just can't understand why my filtering isn't working once I drop to DROP policy-mode and then manually specify a rule to ACCEPT a connection.

Perhaps due to me being quite new to this I'm missing something, but from my point of view this seems relatively simple yet it just doesn't work :hammer: :-x

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 20:29:04

Well this is ridiculous, if I use system-config-securitylevel to open up a port, e.g. port 1234, it's fine and it does actually open the port. If I manually make an iptables rule, it doesn't work - DESPITE BEING IDENTICAL!!

ARGGGHH

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Basic Iptables issue

Post by michaelnel » 2007/04/25 21:53:04

I never use the utility, (except during initial install). I always just edit /etc/sysconfig/iptables and then "service iptables restart", and it always works.

So, I don't know what you are doing wrong, but the basic procedure of editing and restarting does work, if it's done correctly.

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 22:07:17

Editing the config file works! I just hadn't tried it, as by running the /sbin/iptables commands and doing /etc/init.d/iptables save it was writing to that file - so I assumed it would be ok.

Thank you very much, I'll see how the rest of it goes from now on. Why the hell doesn't using the commandline work? annoying :-x

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Basic Iptables issue

Post by michaelnel » 2007/04/25 22:11:30

Using the commandline DOES work. I don't usually do it that way, but I have, and it does work. You have to do it correctly though. I just find it easier to edit /etc/sysconfig/iptables and restart though.

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 22:15:53

How would you define correctly? I've passed in the EXACT options for identical rules which are known to work but to no avail.

edit - What I mean to say is; what command would you use to add in a ruleset to open port 1234 then save and restart iptables - and have it work.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Basic Iptables issue

Post by michaelnel » 2007/04/25 22:25:10

I wouldn't do it from the command line.

It's been so long since I did it that way I no longer remember the right way, and I am not interested in researching it.

But I assure you, if you learn the right way (I suggest the Novell Press book "Linux Firewalls Third Edition"), then it absolutely DOES work.

After all, the /etc/init.d/iptables script basically does it from the command line... it's just a script.
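The thread never settles what went wrong with Firebar's command-line attempt, and michaelnel does not spell out "the right way". As an added example (not code from this thread, from CentOS or from the Novell Press book), here is the command-line version of the procedure, with a guard against the one ordering trap this layout invites: the custom chain (RH-Firewall-1-INPUT or MyRules above) ends with "-j REJECT", so "iptables -A <chain> ..." appends a new ACCEPT after the REJECT, where no packet ever reaches it, while "iptables -I <chain> <n> ..." at the REJECT's line number puts the ACCEPT in front of it. The listing below is constructed to match the saved rules quoted earlier, not captured from a real host; the chain name, port and function names are the example's own. Nothing in it calls iptables itself: it works on the text of "iptables -L <chain> -n --line-numbers" and emits the commands to run as root, so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: open a TCP port from the command line on a CentOS 4 style
# ruleset without the new rule landing behind the chain's final REJECT.
# The functions read the output of
#     iptables -L <chain> -n --line-numbers
# on stdin and print the iptables commands to run; they never call iptables.

# Constructed sample listing, modelled on the saved rules quoted in the
# thread (not captured from a real host).
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Rule number of the first REJECT or DROP rule in the listing on stdin.
# Prints nothing if the chain has no terminal rule (then -A is safe).
# Lines 1 and 2 are the "Chain ..." and "num target ..." headers.
first_terminal_rule() {
    awk 'NR > 2 && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# Exit 0 if the listing on stdin already ACCEPTs TCP traffic to port $1.
# The "($| )" anchor stops dpt:80 from matching dpt:8080.
tcp_port_already_open() {
    awk -v p="$1" '
        NR > 2 && $2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("dpt:" p "($| )") { found = 1 }
        END { exit !found }'
}

# Print the commands that open TCP port $2 in chain $1, given the chain
# listing on stdin. Inserting at the REJECT's own number pushes the REJECT
# down one slot, so the ACCEPT is evaluated first; -A would place it after
# the REJECT, where it never matches.
open_tcp_port_cmds() {
    chain=$1
    port=$2
    listing=$(cat)
    if printf '%s\n' "$listing" | tcp_port_already_open "$port"; then
        echo "# tcp/$port is already accepted in $chain; nothing to add"
        return 0
    fi
    pos=$(printf '%s\n' "$listing" | first_terminal_rule)
    if [ -n "$pos" ]; then
        echo "iptables -I $chain $pos -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    else
        echo "iptables -A $chain -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    fi
    # Persist to /etc/sysconfig/iptables (what /etc/init.d/iptables save
    # writes), then re-list to confirm the ACCEPT sits above the REJECT.
    echo "service iptables save"
    echo "iptables -L $chain -n --line-numbers"
}

# Offline demonstration against the constructed listing. On a real host, as root:
#   iptables -L RH-Firewall-1-INPUT -n --line-numbers \
#       | open_tcp_port_cmds RH-Firewall-1-INPUT 1234 | sh
printf '%s\n' "$SAMPLE_LISTING" | open_tcp_port_cmds RH-Firewall-1-INPUT 1234
```

The same check is worth running after "service iptables restart": if the new ACCEPT lists below the REJECT, it was appended rather than inserted, and the port stays closed even though "iptables -L" shows the rule.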
