>>>>Thank you. How do I implement iptables rules without interfering with 
>>>>what the Security Level applet sets?
>>>Very simply, open up a terminal, su over to root.  Add the iptables
>>>rules that you want.  
>>>When you are finished, service iptables save will make them permanent
>>Thank you. I am assuming that the Security Level applet adds its own 
>>iptables rules. Is this correct? So it would drop all inbound 
>>connections on all ports to start with, and allow in only the 
>>connections I permit through the applet.
>>If I'm right about the above, then I can just do what you say: just add 
>>the new iptables rules I'm interested in, enter 'service iptables save', 
>>and they become permanent. Am I still right?
>>Now suppose I screwed up and made a mistake. Can I change the rules I 
>>messed up?
>Essentially yes, system-config-securitylevel works the same way. For
>example, if you were to add for Other ports: 445:tcp in the applet. It
>would add this to the chain:
>ACCEPT     tcp  --  anywhere             anywhere            tcp
>The same effect can be achieved by 
>iptables -A INPUT -p TCP --dport 445 -d -j ACCEPT
>and then service iptables save
>All of the available options are in man iptables, there are also some
>very helpful pages on the web
>Disclaimer, I have not worked with iptables in a long time, feel free to
>correct my syntax
Here is what Security Level set for me when I permitted incoming http 
and ssh through the GUI applet:

[root@bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Here is a list of all the iptables chains:

[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere            udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state 
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with 


Now suppose I independently add a rule like this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 
-s -j ACCEPT

the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, 
right after that REJECT.  So a datagram for port 3306 will traverse the 
chain, hit the REJECT, and get blown away without ever being inspected 
by the new rule appearing after the REJECT. 

Am I on the right track here?


Bob Cochran
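Added example, not from anyone in this thread: a small POSIX shell helper (assumes awk is available) that works out where the chain's terminal REJECT sits, so a new rule can be placed ahead of it with `iptables -I` instead of being appended behind it. The ruleset below is a constructed sample in iptables-save format, modelled on the applet's file but not copied from it.

```shell
#!/bin/sh
# Constructed sample ruleset (iptables-save format), trimmed to what matters.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# 1-based position of CHAIN's terminal REJECT, i.e. the number to hand to
# "iptables -I CHAIN N ..." so the new rule is evaluated before the REJECT.
reject_position() {  # $1 = ruleset text, $2 = chain name
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ / -j REJECT( |$)/) pos = n }
        END { print pos + 0 }'
}

# Print the ruleset with RULE (an "-A CHAIN ..." line) inserted just before
# CHAIN's terminal REJECT, the file-level equivalent of "iptables -I".
insert_before_reject() {  # $1 = ruleset text, $2 = chain, $3 = rule line
    printf '%s\n' "$1" | awk -v chain="$2" -v rule="$3" '
        $1 == "-A" && $2 == chain && $0 ~ / -j REJECT( |$)/ && !done { print rule; done = 1 }
        { print }'
}

NEWRULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT'

# Live equivalent on the running firewall (needs root; not run here):
#   N=$(reject_position "$(iptables-save)" RH-Firewall-1-INPUT)
#   iptables -I RH-Firewall-1-INPUT "$N" -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
#   service iptables save
```

Appending with `-A` would land the rule at position 5, behind the REJECT at position 4, which is exactly the "never inspected" case described above.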


