Enable Firewall, But Allow Specific Inbound Connections
Robert L Cochran
cochranb at speakeasy.net
Tue Feb 1 03:13:13 UTC 2005
Craig White wrote:
>On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
>
>
>
>>---------------------------------------------------------------------------------------------------------------------
>>Here is a list of all the iptables chains:
>>
>>[root at bobcp4 ~]# iptables -L
>>Chain INPUT (policy ACCEPT)
>>target prot opt source destination
>>RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>>Chain FORWARD (policy ACCEPT)
>>target prot opt source destination
>>RH-Firewall-1-INPUT all -- anywhere anywhere
>>
>>Chain OUTPUT (policy ACCEPT)
>>target prot opt source destination
>>
>>Chain RH-Firewall-1-INPUT (2 references)
>>target prot opt source destination
>>ACCEPT all -- anywhere anywhere
>>ACCEPT icmp -- anywhere anywhere icmp any
>>ACCEPT ipv6-crypt-- anywhere anywhere
>>ACCEPT ipv6-auth-- anywhere anywhere
>>ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
>>ACCEPT udp -- anywhere anywhere udp dpt:ipp
>>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>>ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
>>ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
>>REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>>-------------------------------------------------------------------------------------------------------------------------
>>
>>now suppose I independently add a rule like this:
>>
>>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306
>>-s 192.168.1.0/24 -j ACCEPT
>>
>>the rule will be added to the bottom of the RH-Firewall-1-INPUT chain,
>>right after that REJECT. So a datagram for port 3306 will traverse the
>>chain, hit the REJECT, and get blown away without ever being inspected
>>by the new rule appearing after the REJECT.
>>
>>Am I on the right track here?
>>
>>
>----
>why don't you try it?
>and then
>service iptables save
>service iptables restart
>iptables -L
>and see what happens then?
>
>Craig
>
>
>
I tried this in steps. I added the new rule. At first I didn't do the
'service iptables save' or 'service iptables restart'. The new rule
appends to the existing chain and I still could not connect to the
server (as expected).
Then I did a 'service iptables save' which saved the firewall rules, in
the order shown by 'iptables -L', to file /etc/sysconfig/iptables. This
was unacceptable because the saved rules would later be added to the
chain in the wrong order.
Then I manually edited /etc/sysconfig/iptables and moved the new ACCEPT
rule before the final REJECT rule. I did a 'service iptables restart'
and listed the chain out. That was better -- the rule was in the right
place. And the connection attempt from a different host succeeded, too.
Thanks, this has got me started in the direction I need.
Bob
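Bob's fix above (moving the new ACCEPT ahead of the final REJECT in /etc/sysconfig/iptables) done as a script instead of by hand, as an added example that is not part of this thread: the sample iptables-save dump, the function names and the 3306 rule placement are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/iptables (iptables-save format), trimmed
# to the rules that matter for ordering; not copied from Bob's machine.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The rule from the thread: MySQL, but only from the local subnet.
NEW_RULE='-m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT'

# insert_before_reject CHAIN RULE_BODY
# Reads a dump on stdin and writes it out with "-A CHAIN RULE_BODY" placed just
# before CHAIN's first REJECT/DROP catch-all, so the new rule is actually
# evaluated instead of being shadowed. Falls back to the end of the chain
# (just before COMMIT) if CHAIN has no catch-all.
insert_before_reject() {
    awk -v chain="$1" -v rule="$2" '
        !done && $1 == "-A" && $2 == chain && /-j (REJECT|DROP)( |$)/ {
            print "-A " chain " " rule; done = 1
        }
        !done && $1 == "COMMIT" { print "-A " chain " " rule; done = 1 }
        { print }
    '
}

# position_in_chain CHAIN PATTERN
# 1-based index of the first rule in CHAIN matching PATTERN, i.e. the number
# "iptables -L CHAIN --line-numbers" would show; prints nothing if absent.
position_in_chain() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ pat) { print n; exit } }
    '
}

FIXED=$(printf '%s\n' "$SAMPLE_RULES" | insert_before_reject RH-Firewall-1-INPUT "$NEW_RULE")
printf '%s\n' "$FIXED"
echo "3306 rule at position $(printf '%s\n' "$FIXED" | position_in_chain RH-Firewall-1-INPUT 'dport 3306')"
echo "REJECT at position $(printf '%s\n' "$FIXED" | position_in_chain RH-Firewall-1-INPUT '-j REJECT')"
```

On a running box the same placement is obtained with `iptables -I RH-Firewall-1-INPUT <n> ...`, taking `<n>` from `iptables -L RH-Firewall-1-INPUT --line-numbers` (the REJECT's number), and only then running `service iptables save`.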