Enable Firewall, But Allow Specific Inbound Connections

micheal sundance at sundanceloki.com
Tue Feb 1 03:08:30 UTC 2005


On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
> micheal wrote:
> 
> >On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
> >
> >>>>Thank you. How do I implement iptables rules without interfering with 
> >>>>what the Security Level applet sets?
> >>>>
> >>>>Bob
> >>>>
> >>>Very simply, open up a terminal, su over to root.  Add the iptables
> >>>rules that you want.
> >>>
> >>>When you are finished, service iptables save will make them permanent
> >>>
> >>>MC
> >>>
> >>Thank you. I am assuming that the Security Level applet adds its own 
> >>iptables rules. Is this correct? So it would drop all inbound 
> >>connections on all ports to start with, and allow in only the 
> >>connections I permit through the applet.
> >>
> >>If I'm right about the above, then I can just do what you say: just add 
> >>the new iptables rules I'm interested in, enter 'service iptables save', 
> >>and they become permanent. Am I still right?
> >>
> >>Now suppose I screwed up and made a mistake. Can I change the rules I 
> >>messed up?
> >>
> >>Thanks
> >>
> >>Bob
> >>
> >
> >Essentially yes, system-config-securitylevel works the same way. For
> >example, if you were to add 445:tcp under Other ports in the applet, it
> >would add this to the chain:
> >
> >ACCEPT     tcp  --  anywhere             anywhere            tcp
> >dpt:microsoft-ds
> >
> >
> >The same effect can be achieved by
> >iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT
> >
> >and then service iptables save
> >
> >All of the available options are in man iptables, there are also some
> >very helpful pages on the web
> >
> >Disclaimer: I have not worked with iptables in a long time, feel free to
> >correct my syntax
> >
> >MC
> >
> Here is what Security Level set for me when I permitted incoming http 
> and ssh through the GUI applet:
> 
> [root@bobcp4 ~]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> ---------------------------------------------------------------------------------------------------------------------
> Here is a list of all the iptables chains:
> 
> [root@bobcp4 ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> 
> -------------------------------------------------------------------------------------------------------------------------
> 
> now suppose I independently add a rule like this:
> 
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
> 
> the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, 
> right after that REJECT.  So a datagram for port 3306 will traverse the 
> chain, hit the REJECT, and get blown away without ever being inspected 
> by the new rule appearing after the REJECT.
> 
> Am I on the right track here?
> 
> Thanks
> 
> Bob Cochran
> 

Looks like you got the basic idea: the reject is last, so the effect is
"unless I have earlier stated otherwise, reject it."

Though you would want to use the iptables command rather than edit that
file.

MC
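
The ordering problem Bob describes and MC confirms, as an added example that is not part of the thread: a small POSIX shell script that reads rules in the format of /etc/sysconfig/iptables, finds the position of the catch-all REJECT in a chain, emits the `iptables -I` command that places a new rule in front of it, and lists any rules sitting behind the REJECT (which can never match). It assumes the documented `iptables -I CHAIN N` semantics (insert at position N) and that `iptables -S CHAIN` prints the same `-A` format; the sample rules are constructed from Bob's dump.

```shell
# Added example (not from the thread): read rules in the format of
# /etc/sysconfig/iptables (also what `iptables -S CHAIN` prints), locate the
# catch-all REJECT in a chain, and build an `iptables -I` command that puts a
# new rule in front of it rather than appending it behind it, where it is dead.

# Constructed sample: the RH-Firewall-1-INPUT chain from the thread, with the
# 3306 rule appended after the REJECT exactly as in Bob's scenario.
SAMPLE_RULES='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT'

# 1-based number of the first unconditional REJECT/DROP in CHAIN (rules on
# stdin); prints nothing if the chain has no catch-all.  Usage: reject_position CHAIN
reject_position() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain {
        n++
        # a rule with no match options, "-A CHAIN -j REJECT ...", matches everything
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { print n; exit }
    }'
}

# Rules of CHAIN that come after the catch-all: dead rules, never evaluated.
unreachable_rules() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain {
        if (dead) print
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) dead = 1
    }'
}

# Command that inserts RULE at the REJECT's position; `iptables -I CHAIN N`
# pushes the old rule N (the REJECT) down by one, so the new rule is checked first.
insert_command() {
    pos=$(reject_position "$1")
    if [ -n "$pos" ]; then echo "iptables -I $1 $pos $2"; else echo "iptables -A $1 $2"; fi
}

printf '%s\n' "$SAMPLE_RULES" | insert_command RH-Firewall-1-INPUT \
    '-m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT'
printf '%s\n' "$SAMPLE_RULES" | unreachable_rules RH-Firewall-1-INPUT   # the dead 3306 rule
```

On a live system the same functions work on `iptables -S RH-Firewall-1-INPUT` output, and `iptables -L RH-Firewall-1-INPUT -n --line-numbers` confirms the new rule landed above the REJECT before `service iptables save`.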
