firewall rules and iptables

Support for security such as Firewalls and securing linux
Post Reply
ipfreak
Posts: 18
Joined: 2015/12/30 16:53:29

firewall rules and iptables

Post by ipfreak » 2019/11/16 20:59:51

hello guys:

my understanding is that firewalld on centos and iptables are actually the same. where does this default rule sets come from? how could i change this almost "accept all" behavior? i checked /etc/sysconfig and the default file iptables-config is more like sample config.

[user@localhost ~]$ sudo iptables -L
[sudo] password for user:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
[user@localhost ~]$

User avatar
TrevorH
Forum Moderator
Posts: 27138
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall rules and iptables

Post by TrevorH » 2019/11/16 21:13:21

No, firewalld and iptables are not the same thing. If you use firewalld then you cannot reliably use any iptables command which might change the rules. You can use it to inspect what is running but you cannot change it. When firewalld is running, it "knows" how the rules are and it thinks it controls them. If you change them, it will notice and back your change out.

However, from your rules it is apparent that you're not using firewalld as your list of rules is not approaching 200 lines long!

Your FORWARD rules look like those inserted by libvirtd and/or gnome-boxes. The rest look like they've been put there by hand as they don't resemble those set by a CentOS installed without firewalld either. Since your INPUT chain policy is ACCEPT, anything that isn't explicitly rejected or dropped is allowed and since you on;y have ACCEPT lines, everything is accepted and nothing is denied. You have no fireall at present.

The default rules set up by a non-firewalld install look like

Code: Select all

# Generated by xtables-save v1.8.2 on Sat Nov 16 21:12:20 2019
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:1080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 16 21:12:20 2019
Those will still allow ssh access on the default port but at least other things are not.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

ipfreak
Posts: 18
Joined: 2015/12/30 16:53:29

Re: firewall rules and iptables

Post by ipfreak » 2019/11/16 21:37:15

thanks trevor for clarifications.

i have not configured any rules from iptables, nor have i configured any other firewall rules for firewalld except opened one port. basically i installed centos 8 and started playing security first (trying to secure the server first). so i have no clues where those rules come from, especially this ip address range 192.168.122.0/24.

everything now under firewalld is default except one port opened (associated with selinux).

[user@localhost ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: cockpit dhcpv6-client ssh
ports: 6553/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

User avatar
jlehtone
Posts: 2431
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall rules and iptables

Post by jlehtone » 2019/11/17 11:23:32

ipfreak wrote:
2019/11/16 21:37:15
basically i installed centos 8 and
But, you posted to centos 7 forum. What have you, 7 or 8?

Kernel in 7 has netfilter. Userland tool 'iptables' interacts with netfilter. Services, like iptables.service and firewalld.service use the iptables to load rules.

Kernel in 8 has nftables. Userland tool 'nft' interacts with nftables. The firewalld.service uses the nft to load rules. There is tool 'iptables' in 8, but it is a mere wrapper for 'nft'. There is iptables.service too, which uses the iptables wrapper to update nftables.


The output of "iptables -L" lacks details. IMHO, "iptables -S" is much more informative (in centos 7).
ipfreak wrote:
2019/11/16 21:37:15
started playing security first (trying to secure the server first).
The default rules are rather secure. Your "play" (if the rules posted in OP are in effect) has moved from "ssh allowed" to "all open". Wrong direction.

Some of the environment groups (i.e. package selections in installer) do include virtualization, libvirtd. Libvirtd.service is set to start by default. Libvirtd is configured to create a virtual network "default". The 192.168.122.0/24 sounds like subnet of that network.

Post Reply

Return to “CentOS 7 - Security Support”