Enable Firewall, But Allow Specific Inbound Connections

Robert L Cochran cochranb at speakeasy.net
Tue Feb 1 03:13:13 UTC 2005


Craig White wrote:

>On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
>
>  
>
>>---------------------------------------------------------------------------------------------------------------------
>>Here is a list of all the iptables chains:
>>
>>[root at bobcp4 ~]# iptables -L
>>Chain INPUT (policy ACCEPT)
>>target     prot opt source               destination
>>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>>Chain FORWARD (policy ACCEPT)
>>target     prot opt source               destination
>>RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>>
>>Chain OUTPUT (policy ACCEPT)
>>target     prot opt source               destination
>>
>>Chain RH-Firewall-1-INPUT (2 references)
>>target     prot opt source               destination
>>ACCEPT     all  --  anywhere             anywhere
>>ACCEPT     icmp --  anywhere             anywhere            icmp any
>>ACCEPT     ipv6-crypt--  anywhere             anywhere
>>ACCEPT     ipv6-auth--  anywhere             anywhere
>>ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
>>ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
>>ACCEPT     all  --  anywhere             anywhere            state 
>>RELATED,ESTABLISHED
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW 
>>tcp dpt:http
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW 
>>tcp dpt:https
>>ACCEPT     tcp  --  anywhere             anywhere            state NEW 
>>tcp dpt:ssh
>>REJECT     all  --  anywhere             anywhere            reject-with 
>>icmp-host-prohibited
>>
>>-------------------------------------------------------------------------------------------------------------------------
>>
>>now suppose I independently add a rule like this:
>>
>>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 
>>-s 192.168.1.0/24 -j ACCEPT
>>
>>the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, 
>>right after that REJECT.  So a datagram for port 3306 will traverse the 
>>chain, hit the REJECT, and get blown away without ever being inspected 
>>by the new rule appearing after the REJECT. 
>>
>>Am I on the right track here?
>>    
>>
>----
>why don't you try it?
>and then
>service iptables save
>service iptables restart
>iptables -L
>and see what happens then?
>
>Craig
>
>  
>
I tried this in steps. I added the new rule. At first I didn't do the 
'service iptables save' or 'service iptables restart'. The new rule 
appends to the existing chain and I still could not connect to the 
server (as expected).

Then I did a 'service iptables save' which saved the firewall rules, in 
the order shown by 'iptables -L', to file /etc/sysconfig/iptables. This 
was unacceptable because the saved rules would later be added to the 
chain in the wrong order.

Then I manually edited /etc/sysconfig/iptables and moved the new ACCEPT 
rule before the final REJECT rule. I did a 'service iptables restart' 
and listed the chain out. That was better -- the rule was in the right 
place. And the connection attempt from a different host succeeded, too.

Thanks, this has got me started in the direction I need.

Bob
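As an added example (not from this thread), a small shell helper that automates the manual edit Bob describes: it inserts the new ACCEPT rule ahead of the chain's final REJECT in an iptables-save style file, and reports the REJECT's rule number so the same thing can be done on a live system with `iptables -I CHAIN N ...` instead of `-A`. The sample ruleset is constructed to resemble /etc/sysconfig/iptables on the poster's box, not captured from a real host.

```shell
#!/bin/sh
# Added example: fix iptables rule ordering in a saved ruleset.
# Operates on text only, so it needs no iptables binary or root.

# Constructed sample in iptables-save format (not from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The rule from the thread: MySQL from the local LAN only.
NEW_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT'

# insert_before_reject CHAIN RULE  (stdin: ruleset, stdout: ruleset)
# Emits RULE immediately before the first "-A CHAIN ... -j REJECT" line.
# Exits non-zero if CHAIN has no REJECT, so a silent no-op cannot happen.
insert_before_reject() {
    awk -v chain="$1" -v rule="$2" '
        !done && $1 == "-A" && $2 == chain && /-j REJECT/ { print rule; done = 1 }
        { print }
        END { if (!done) exit 1 }
    '
}

# reject_position CHAIN  (stdin: ruleset)
# Prints the 1-based rule number of the REJECT within CHAIN, i.e. the N
# to give "iptables -I CHAIN N ..." so the new rule lands ahead of it.
reject_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain { n++; if (/-j REJECT/) { print n; exit } }
    '
}

# Produce the corrected ruleset for the sample above.
fixed_rules() {
    printf '%s\n' "$SAMPLE_RULES" | insert_before_reject RH-Firewall-1-INPUT "$NEW_RULE"
}
```

On a real box the corrected output would replace /etc/sysconfig/iptables before 'service iptables restart', or the number from reject_position would be used with iptables -I on the running chain.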



