Enable Firewall, But Allow Specific Inbound Connections

Robert L Cochran cochranb at speakeasy.net
Tue Feb 1 01:52:13 UTC 2005


micheal wrote:

>On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
>
>>>>Thank you. How do I implement iptables rules without interfering with 
>>>>what the Security Level applet sets?
>>>>
>>>>Bob
>>>>
>>>Very simply, open up a terminal, su over to root.  Add the iptables
>>>rules that you want.  
>>>
>>>When you are finished, service iptables save will make them permanent
>>>
>>>MC
>>>
>>Thank you. I am assuming that the Security Level applet adds its own 
>>iptables rules. Is this correct? So it would drop all inbound 
>>connections on all ports to start with, and allow in only the 
>>connections I permit through the applet.
>>
>>If I'm right about the above, then I can just do what you say: just add 
>>the new iptables rules I'm interested in, enter 'service iptables save', 
>>and they become permanent. Am I still right?
>>
>>Now suppose I screwed up and made a mistake. Can I change the rules I 
>>messed up?
>>
>>Thanks
>>
>>Bob
>>
>
>Essentially yes, system-config-securitylevel works the same way. For
>example, if you were to add for Other ports: 445:tcp in the applet, it
>would add this to the chain:
>
>ACCEPT     tcp  --  anywhere             anywhere            tcp
>dpt:microsoft-ds
>
>
>The same effect can be achieved by 
>iptables -A INPUT -p TCP -dport 445 -d 192.168.1.1 -j ACCEPT
>
>and then service iptables save
>
>All of the available options are in man iptables, there are also some
>very helpful pages on the web
>
>Disclaimer, I have not worked with iptables in a long time, feel free to
>correct my syntax
>
>MC
>
>
Here is what Security Level set for me when I permitted incoming http 
and ssh through the GUI applet:

[root at bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:

[root at bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

-------------------------------------------------------------------------------------------------------------------------

Now suppose I independently add a rule like this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT

The rule will be added to the bottom of the RH-Firewall-1-INPUT chain, 
right after that REJECT.  So a datagram for port 3306 will traverse the 
chain, hit the REJECT, and get blown away without ever being inspected 
by the new rule appearing after the REJECT. 

Am I on the right track here?

Thanks

Bob Cochran


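The ordering question Bob raises can be checked without touching a live firewall. The following is an added example, not code from the thread or from Fedora: a small first-match simulator over a constructed, trimmed copy of the RH-Firewall-1-INPUT chain shown above (the IPsec, mDNS and IPP rules are left out to keep it short). The toy parser understands only the options that occur in this ruleset, the packets are constructed summaries, and the position 7 used for the insert is simply where the REJECT sits in this trimmed chain. It shows that the 3306 rule appended after the REJECT never fires, while the same rule inserted in front of the REJECT (what `iptables -I RH-Firewall-1-INPUT 7 ...` does) accepts the connection.

```python
"""First-match walk through the filter chains from the post (added example)."""
import ipaddress

# Constructed, trimmed copy of the /etc/sysconfig/iptables chain shown above,
# with the MySQL rule appended the way 'iptables -A' places it: after the
# catch-all REJECT at the bottom of the user chain.
RULESET_APPENDED = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
"""

# Same chain, but the MySQL rule is inserted at 1-based slot 7, i.e. in front
# of the REJECT, which is what 'iptables -I RH-Firewall-1-INPUT 7 ...' does.
RULESET_INSERTED = RULESET_APPENDED.replace(
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306",
    "-I RH-Firewall-1-INPUT 7 -m state --state NEW -m tcp -p tcp --dport 3306")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_ruleset(text):
    """Build {chain: [rule, ...]} from iptables-save style lines (toy subset)."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0][0] in "#*:" or tok[0] == "COMMIT":
            continue
        rule, chain, pos, i = {}, None, None, 0
        while i < len(tok):
            opt, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
            i += 2
            if opt == "-A":
                chain = arg
            elif opt == "-I":
                chain, pos = arg, 1
                if i < len(tok) and tok[i].isdigit():      # optional 1-based slot
                    pos, i = int(tok[i]), i + 1
            elif opt == "-p":
                rule["proto"] = arg.lower()
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-m", "--icmp-type", "--reject-with"):
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules = chains.setdefault(chain, [])
        rules.insert(len(rules) if pos is None else pos - 1, rule)
    return chains


def matches(rule, pkt):
    """True when every match option present in the rule applies to pkt."""
    return (("iface" not in rule or pkt["iface"] == rule["iface"])
            and ("proto" not in rule or pkt["proto"] == rule["proto"])
            and ("dport" not in rule or pkt["dport"] == rule["dport"])
            and ("-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"])
            and ("-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"])
            and ("state" not in rule or pkt["state"] in rule["state"]))


def verdict(chains, chain, pkt, policy="ACCEPT"):
    """Walk a chain top to bottom; the first matching terminal target wins."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        if target in TERMINAL:
            return target
        if target in chains:                       # jump into a user chain
            result = verdict(chains, target, pkt, policy=None)
            if result is not None:                 # None: user chain fell through
                return result
    return policy                                  # built-in chain's policy


def packet(proto, dport, src, state, iface="eth0", dst="192.168.1.1"):
    """Constructed inbound packet summary: just the fields the rules look at."""
    return dict(proto=proto, dport=dport, src=src, state=state, iface=iface, dst=dst)


def mysql_from_lan(ruleset):
    """Verdict for a new MySQL connection from a constructed LAN host."""
    return verdict(parse_ruleset(ruleset), "INPUT", packet("tcp", 3306, "192.168.1.50", "NEW"))


if __name__ == "__main__":
    print("appended after REJECT: ", mysql_from_lan(RULESET_APPENDED))   # REJECT
    print("inserted before REJECT:", mysql_from_lan(RULESET_INSERTED))   # ACCEPT
```

On the real box the equivalent is to look up the REJECT's slot with `iptables -L RH-Firewall-1-INPUT --line-numbers`, insert the new rule at that slot with `iptables -I RH-Firewall-1-INPUT <slot> ...`, and only then run `service iptables save`. The simulator also shows why a quick test can mislead: a connection that is already ESTABLISHED is accepted by the state rule regardless of where the 3306 rule sits, so the check has to be made with a fresh connection.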



