On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
On Sat, 2005-01-29 at 20:32 -0500, Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
Best way: man iptables and learn how to build chains for what you need.
Fast way: use your favorite package manager and install Firestarter.
MC
On Sat, 2005-01-29 at 20:32 -0500, Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
---- yeah - it's a very basic tool
If you want to start messing with iptables...it's not hard - I've always used David Ranch's trinity os think stuff
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/stronger-firewall-examples.html#RC.FIREWALL-2.4.X-STRONGER
but basically, you can simply add rules to those which you created with system-config-securitylevel and then issue the command 'service iptables save', but that is mindless...if you ever run system-config-securitylevel again, you will wipe out any custom stuff you added.
I think this is how you would do one of the lines:
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.1/32 -p tcp --dport 3306 -j ACCEPT
Craig
Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
I (as the other posters) would recommend that you learn iptables, and if you want a very easy way to configure your firewall and build *quite* complex per-interface rule sets, I'd strongly recommend you take a look at fwbuilder (there are packages for it in the pre-extras repo [http://fedoraproject.org/pre-extras]).
Gain Paolo Mureddu wrote:
Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
I (as the other posters) would recommend that you learn iptables, and if you want a very easy way to configure your firewall and build *quite* complex per-interface rule sets, I'd strongly recommend you take a look at fwbuilder (there are packages for it in the pre-extras repo [http://fedoraproject.org/pre-extras]).
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
On Sun, 2005-01-30 at 04:53 -0500, Robert L Cochran wrote:
Gain Paolo Mureddu wrote:
Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
I (as the other posters) would recommend that you learn iptables, and if you want a very easy way to configure your firewall and build *quite* complex per-interface rule sets, I'd strongly recommend you take a look at fwbuilder (there are packages for it in the pre-extras repo [http://fedoraproject.org/pre-extras]).
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
Very simply, open up a terminal, su over to root. Add the iptables rules that you want.
When you are finished, 'service iptables save' will make them permanent.
MC
micheal wrote:
On Sun, 2005-01-30 at 04:53 -0500, Robert L Cochran wrote:
Gain Paolo Mureddu wrote:
Robert L Cochran wrote:
On Fedora Core 3, I want to enable the firewall, permitting inbound TCP connections from anywhere on port 80. I also want to allow inbound connections on port 3306 but only from hosts 192.168.1.1 and 192.168.1.2.
It looks like I can't do this from the Applications --> System Settings --> Security Level GUI. I can allow ports 80 and 3306, but it doesn't look like I can limit the port 3306 connections to just 2 specific hosts. I would have to craft an IPTABLES script. Am I right here, and if so, what would be the right way to add specific IPTABLES rules without interfering with the Security Level applet?
Thanks
Bob Cochran Greenbelt, Maryland, USA
I (as the other posters) would recommend that you learn iptables, and if you want a very easy way to configure your firewall and build *quite* complex per-interface rule sets, I'd strongly recommend you take a look at fwbuilder (there are packages for it in the pre-extras repo [http://fedoraproject.org/pre-extras]).
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
Very simply, open up a terminal, su over to root. Add the iptables rules that you want.
When you are finished, 'service iptables save' will make them permanent.
MC
Thank you. I am assuming that the Security Level applet adds its own iptables rules. Is this correct? So it would drop all inbound connections on all ports to start with, and allow in only the connections I permit through the applet.
If I'm right about the above, then I can just do what you say: just add the new iptables rules I'm interested in, enter 'service iptables save', and they become permanent. Am I still right?
Now suppose I screwed up and made a mistake. Can I change the rules I messed up?
Thanks
Bob
On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
Very simply, open up a terminal, su over to root. Add the iptables rules that you want.
When you are finished, 'service iptables save' will make them permanent.
MC
Thank you. I am assuming that the Security Level applet adds its own iptables rules. Is this correct? So it would drop all inbound connections on all ports to start with, and allow in only the connections I permit through the applet.
If I'm right about the above, then I can just do what you say: just add the new iptables rules I'm interested in, enter 'service iptables save', and they become permanent. Am I still right?
Now suppose I screwed up and made a mistake. Can I change the rules I messed up?
Thanks
Bob
Essentially yes, system-config-securitylevel works the same way. For example, if you were to add "445:tcp" under Other ports in the applet, it would add this to the chain:
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
The same effect can be achieved by:
iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT
and then 'service iptables save'.
All of the available options are in man iptables; there are also some very helpful pages on the web.
Disclaimer: I have not worked with iptables in a long time, feel free to correct my syntax.
MC
micheal wrote:
On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
Very simply, open up a terminal, su over to root. Add the iptables rules that you want.
When you are finished, 'service iptables save' will make them permanent.
MC
Thank you. I am assuming that the Security Level applet adds its own iptables rules. Is this correct? So it would drop all inbound connections on all ports to start with, and allow in only the connections I permit through the applet.
If I'm right about the above, then I can just do what you say: just add the new iptables rules I'm interested in, enter 'service iptables save', and they become permanent. Am I still right?
Now suppose I screwed up and made a mistake. Can I change the rules I messed up?
Thanks
Bob
Essentially yes, system-config-securitylevel works the same way. For example, if you were to add "445:tcp" under Other ports in the applet, it would add this to the chain:
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
The same effect can be achieved by:
iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT
and then 'service iptables save'.
All of the available options are in man iptables; there are also some very helpful pages on the web.
Disclaimer: I have not worked with iptables in a long time, feel free to correct my syntax.
MC
Here is what Security Level set for me when I permitted incoming http and ssh through the GUI applet:
[root@bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:
[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
-------------------------------------------------------------------------------------------------------------------------
now suppose I independently add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.
Am I on the right track here?
Thanks
Bob Cochran
On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
Here is a list of all the iptables chains:
[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
now suppose I independently add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.
Am I on the right track here?
---- why don't you try it? and then
service iptables save
service iptables restart
iptables -L
and see what happens then?
Craig
On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
micheal wrote:
On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?
Bob
Very simply, open up a terminal, su over to root. Add the iptables rules that you want.
When you are finished, 'service iptables save' will make them permanent.
MC
Thank you. I am assuming that the Security Level applet adds its own iptables rules. Is this correct? So it would drop all inbound connections on all ports to start with, and allow in only the connections I permit through the applet.
If I'm right about the above, then I can just do what you say: just add the new iptables rules I'm interested in, enter 'service iptables save', and they become permanent. Am I still right?
Now suppose I screwed up and made a mistake. Can I change the rules I messed up?
Thanks
Bob
Essentially yes, system-config-securitylevel works the same way. For example, if you were to add "445:tcp" under Other ports in the applet, it would add this to the chain:
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
The same effect can be achieved by:
iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT
and then 'service iptables save'.
All of the available options are in man iptables; there are also some very helpful pages on the web.
Disclaimer: I have not worked with iptables in a long time, feel free to correct my syntax.
MC
Here is what Security Level set for me when I permitted incoming http and ssh through the GUI applet:
[root@bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Here is a list of all the iptables chains:
[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
now suppose I independently add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.
Am I on the right track here?
Thanks
Bob Cochran
Looks like you got the basic idea: the REJECT is last, so the effect is "unless I have earlier stated otherwise, reject it."
Though you would want to use the iptables command rather than edit that file.
MC
Craig White wrote:
On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
Here is a list of all the iptables chains:
[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
now suppose I independently add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.
Am I on the right track here?
why don't you try it? and then
service iptables save
service iptables restart
iptables -L
and see what happens then?
Craig
I tried this in steps. I added the new rule. At first I didn't do the 'service iptables save' or 'service iptables restart'. The new rule appends to the existing chain and I still could not connect to the server (as expected).
Then I did a 'service iptables save', which saved the firewall rules, in the order shown by 'iptables -L', to the file /etc/sysconfig/iptables. This was unacceptable because the saved rules would later be added to the chain in the wrong order.
Then I manually edited /etc/sysconfig/iptables and moved the new ACCEPT rule before the final REJECT rule. I did a 'service iptables restart' and listed the chain out. That was better -- the rule was in the right place. And the connection attempt from a different host succeeded, too.
Thanks, this has got me started in the direction I need.
Bob
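The ordering problem worked through above (an appended ACCEPT lands below the chain's final REJECT and is never reached, so Bob had to move it by hand) and Craig's per-host rule for port 3306, put together in an added example that is not from any poster in this thread. It does the two things the thread ends up recommending, without editing the live firewall: rewrite a copy of the FC3-style /etc/sysconfig/iptables so per-host ACCEPT rules sit just before the REJECT, and derive the right `iptables -I CHAIN POS` commands from an `iptables -L --line-numbers` listing, so that a later 'service iptables save' preserves the correct order. The sample file and listing are constructed and abridged from what the thread shows; the function names and the hosts 192.168.1.1 and 192.168.1.2 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): keep per-host ACCEPT rules ahead of
# the chain's final REJECT, both in the saved file and in the live chain.

# Constructed, abridged copy of what system-config-securitylevel writes.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed output of: iptables -L RH-Firewall-1-INPUT -n --line-numbers
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# insert_before_reject CHAIN PORT HOST...: read an iptables-save style file on
# stdin, write it to stdout with one ACCEPT rule per HOST placed directly above
# the chain's REJECT rule (the edit Bob made by hand).
insert_before_reject() {
    chain=$1; port=$2; shift 2
    rules=""
    for host in "$@"; do
        rules="$rules-A $chain -m state --state NEW -m tcp -p tcp --dport $port -s $host/32 -j ACCEPT\n"
    done
    # awk turns the \n escapes in -v values into real newlines.
    awk -v chain="$chain" -v rules="$rules" '
        !inserted && index($0, "-A " chain " -j REJECT") == 1 { printf "%s", rules; inserted = 1 }
        { print }
    '
}

# accept_precedes_reject CHAIN PORT: exit 0 only if at least one ACCEPT for
# PORT exists in the chain and none of them comes after its REJECT.
accept_precedes_reject() {
    chain=$1; port=$2
    awk -v chain="$chain" -v port="$port" '
        index($0, "-A " chain " ") != 1 { next }
        /-j REJECT/ { seen_reject = 1 }
        /-j ACCEPT/ && index($0, "--dport " port " ") > 0 { if (seen_reject) late++; else early++ }
        END { if (early > 0 && late == 0) exit 0; exit 1 }
    '
}

# reject_position: read "iptables -L CHAIN -n --line-numbers" output on stdin
# and print the rule number of the first REJECT.
reject_position() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# live_insert_commands CHAIN PORT HOST...: print the iptables -I commands that
# put each per-host rule at the REJECT's slot, pushing the REJECT down. All of
# them use the same number; the relative order of the host rules is irrelevant.
live_insert_commands() {
    chain=$1; port=$2; shift 2
    pos=$(reject_position)
    [ -n "$pos" ] || { echo "no REJECT rule found in $chain listing" >&2; return 1; }
    for host in "$@"; do
        echo "iptables -I $chain $pos -m state --state NEW -m tcp -p tcp --dport $port -s $host/32 -j ACCEPT"
    done
}

# Demonstration on the constructed data (prints the rewritten file, then the
# commands you would run as root before 'service iptables save').
printf '%s\n' "$SAMPLE_RULES" | insert_before_reject RH-Firewall-1-INPUT 3306 192.168.1.1 192.168.1.2
printf '%s\n' "$SAMPLE_LISTING" | live_insert_commands RH-Firewall-1-INPUT 3306 192.168.1.1 192.168.1.2
```

Run the file-rewrite path against a copy of /etc/sysconfig/iptables and inspect the diff before restarting the service; the live path avoids the file entirely, because once the rules are inserted at the right slot, 'service iptables save' writes them out in that order. Either way, `accept_precedes_reject` is the check to run afterwards: it fails on exactly the layout Bob got from a plain append followed by save.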
You can also use webmin to create iptables chains, if you'd prefer a more GUI/web form type interface.