IPTABLES doesn't work

Bevan C. Bennett bevan at fulcrummicro.com
Thu Jan 29 21:51:42 UTC 2004


smoothmilk wrote:
> Why doesn't redhat-config-securitylevel's iptables rules work?

I don't know. I've never used the GUI.

> If I turn off EVERYTHING (www, ftp, ssh, etc) and save, and even
> manually restart iptables (# /sbin/service iptables restart) other
> computers on my network can access www (even on weird, non-standard
> ports with http servers on them) ftp, ssh, etc. 

What are the contents of /etc/sysconfig/iptables?

> So what's the point of even including that tool if it doesn't do
> anything? I don't understand how it just flat out doesn't work. I have no
> idea how iptables works, and because there's no documentation out there
> for beginners who just want a script that's for eth0 with a simple www,
> ssh and ftp server(s), I'm stuck using rh's tools, which don't do
> anything. there's no security here.

For www and ssh, the standard starting config looks like:

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

ftp can be a little trickier, due to the control and data split, but
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
should be sufficient if the RELATED filter is working properly. (place
this rule above the one for ssh (port 22)).
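As an added example (not from the original post or from Red Hat's tool), a small Python audit of an iptables-save style ruleset such as /etc/sysconfig/iptables: it lists the TCP ports the RH-Firewall-1-INPUT chain opens for NEW connections, confirms a catch-all REJECT is present, flags ACCEPT rules placed after it (which never match), and checks that INPUT actually jumps into the chain. The sample ruleset is constructed from the one quoted above; parse_rules and audit are names of my own.

```python
import shlex

# Constructed sample (abridged from the ruleset quoted in the post), with the
# ftp rule for port 21 added just before the catch-all REJECT.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(text):
    """Return ({chain: policy}, [(chain, argv), ...]) for the -A lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules

def audit(text, chain="RH-Firewall-1-INPUT"):
    """Open NEW tcp ports, catch-all REJECT/DROP present, ACCEPTs after it."""
    policies, rules = parse_rules(text)
    open_ports, shadowed, terminated = [], [], False
    for argv in (a for c, a in rules if c == chain):
        target = argv[argv.index("-j") + 1]
        if argv[0] == "-j" and target in ("REJECT", "DROP"):
            terminated = True                    # no match options: catch-all
        elif target == "ACCEPT" and "--dport" in argv and "NEW" in argv:
            port = int(argv[argv.index("--dport") + 1])
            (shadowed if terminated else open_ports).append(port)
    # If INPUT never jumps into the chain, its ACCEPT policy lets everything in.
    hooked = any(c == "INPUT" and argv == ["-j", chain] for c, argv in rules)
    return {"open_tcp_ports": sorted(open_ports), "catch_all_reject": terminated,
            "shadowed_ports": shadowed, "input_policy": policies.get("INPUT"),
            "input_jumps_to_chain": hooked}
```

Run it against the real file with audit(open("/etc/sysconfig/iptables").read()) to compare what the GUI saved with what you expect to be open.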
