Enable Firewall, But Allow Specific Inbound Connections
Robert L Cochran
cochranb at speakeasy.net
Tue Feb 1 01:52:13 UTC 2005
micheal wrote:
>On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
>
>>>>Thank you. How do I implement iptables rules without interfering with
>>>>what the Security Level applet sets?
>>>>
>>>Very simply, open up a terminal, su over to root. Add the iptables
>>>rules that you want.
>>>
>>>When you are finished, service iptables save will make them permanent
>>>
>>>MC
>>>
>>Thank you. I am assuming that the Security Level applet adds its own
>>iptables rules. Is this correct? So it would drop all inbound
>>connections on all ports to start with, and allow in only the
>>connections I permit through the applet.
>>
>>If I'm right about the above, then I can just do what you say: just add
>>the new iptables rules I'm interested in, enter 'service iptables save',
>>and they become permanent. Am I still right?
>>
>>Now suppose I screwed up and made a mistake. Can I change the rules I
>>messed up?
>>
>>Thanks
>>
>>Bob
>>
>
>Essentially yes, system-config-securitylevel works the same way. For
>example, If you were to add for Other ports: 445:tcp in the applet. It
>would add this to the chain:
>
>ACCEPT tcp -- anywhere anywhere tcp
>dpt:microsoft-ds
>
>
>The same effect can be achieved by
>iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT
>
>and then service iptables save
>
>All of the available options are in man iptables, there are also some
>very helpful pages on the web
>
>Disclaimer, I have not worked with iptables in a long time, feel free to
>correct my syntax
>
>MC
>
Here is what Security Level set for me when I permitted incoming http
and ssh through the GUI applet:
[root@bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:
[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
-------------------------------------------------------------------------------------------------------------------------
Now suppose I independently add a rule like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
The rule will be added to the bottom of the RH-Firewall-1-INPUT chain,
right after that REJECT. So a datagram for port 3306 will traverse the
chain, hit the REJECT, and get blown away without ever being inspected
by the new rule appearing after the REJECT.
Am I on the right track here?
Thanks
Bob Cochran
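Bob's reading of the chain is correct: iptables evaluates a chain top to bottom and stops at the first terminating target, so anything appended (-A) after the final REJECT in RH-Firewall-1-INPUT is dead weight. The same applies to appending to INPUT itself, since INPUT's first rule jumps into RH-Firewall-1-INPUT, which ends in REJECT and never returns. The fix is to insert (-I CHAIN N) at the REJECT's position, which pushes the REJECT down by one. The script below is an added example, not part of the original thread: it reads an iptables-save style ruleset on stdin, finds the position of the first REJECT or DROP in a chain, and prints the iptables -I command that places a new rule directly above it. The embedded ruleset is a constructed copy of the one shown in the thread; the function names reject_position and insert_command are my own. On a live system the same position can be confirmed with `iptables -L RH-Firewall-1-INPUT -n --line-numbers`.

```shell
#!/bin/sh
# Added example (not from the thread): compute where to -I a rule so it
# lands above the terminating REJECT instead of being appended below it.

# Constructed copy of the thread's /etc/sysconfig/iptables, used as offline input.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# reject_position CHAIN
#   Reads a ruleset on stdin and prints the 1-based position (as iptables
#   -I and --line-numbers count it) of the first -j REJECT or -j DROP rule
#   in CHAIN. Prints nothing and returns 1 if the chain has no such rule.
reject_position() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++                                   # count rules in this chain only
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "REJECT" || $(i+1) == "DROP")) {
                    print n; found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }'
}

# insert_command CHAIN RULE...
#   Prints the iptables -I command that places RULE immediately above the
#   chain's terminating rule, so the packet is matched before the REJECT.
insert_command() {
    chain="$1"; shift
    pos=$(reject_position "$chain") || {
        echo "no REJECT/DROP rule found in chain $chain" >&2
        return 1
    }
    echo "iptables -I $chain $pos $*"
}

# Usage on the constructed ruleset. On a real host feed it live data instead:
#   iptables-save | insert_command RH-Firewall-1-INPUT ...
# then run the printed command as root and `service iptables save`.
printf '%s\n' "$RULESET" | insert_command RH-Firewall-1-INPUT \
    -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
```

With the thread's ruleset the REJECT is rule 11 of RH-Firewall-1-INPUT, so the script prints an `iptables -I RH-Firewall-1-INPUT 11 ...` command; after it runs, the new ACCEPT is rule 11 and the REJECT becomes rule 12. Restricting the rule with -s 192.168.1.0/24, as Bob did, keeps the MySQL port reachable only from the local subnet, which is the sensible default for a service that has no business being exposed beyond it.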