Help an IPTABLES neophyte please

Karl Pearson karlp at ourldsfamily.com
Mon May 12 16:33:21 UTC 2008


On Fri, May 9, 2008 5:01 pm, Rick Stevens wrote:
> Paul Campbell wrote:
>> Question for clarification on
>> REDHAT iptables vs iptables
>>
>> It seems that there is something that translates an
>> "abbreviated" iptables command-line and processes it.
>>
>> WHY ? The cmd line differences seem trivial.
>> eg.
>>  > iptables -A INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>
> Ok, you're getting confused.  The first one you have is the actual
> command used to ADD a rule to the iptables ruleset.  It consists of the
> command "iptables" followed by the appropriate parameters:
>
> 	"-A INPUT" means "append to end of the INPUT chain".  Note that
> 	"-I" would try to insert the rule between two existing rules
> 	in the chain.  E.g. "-I INPUT 12" would mean to insert THIS
> 	rule BEFORE rule 12 in the INPUT chain.
>
> 	"-i lo" means "this refers to packets coming IN on the lo
> 	(loopback) interface
>
> 	"-j ACCEPT" means to jump to the ACCEPT result, accepting the
> 	packet
>
> The second line is an example of what's kept in /etc/sysconfig/iptables.
> It consists of the same command parameters, but not the "iptables"
> command itself.  When the system boots, it runs a command:
>
> 	/sbin/iptables-restore </etc/sysconfig/iptables
>
> which reads the contents of /etc/sysconfig/iptables and essentially
> feeds each line, one at a time, to the iptables command.  Conversely,
> you can run
>
> 	/sbin/iptables-save >/path/to/some/file
>
> which would save the EXISTING iptables rules to the file
> "/path/to/some/file" in exactly the same format as found in
> /etc/sysconfig/iptables.
>
> Most people find it easier to edit the /etc/sysconfig/iptables file to
> insert rules between existing rules, then running
>
> 	service iptables restart
>
>   to make them effective instead of running "iptables -L -n
> --line-numbers" to get appropriate rule numbers and then using "iptables
> -I" commands to insert the rules between existing rules.
>
> Also note that the system used to do
>
> 	/sbin/iptables-save >/etc/sysconfig/iptables
>
> when it shut down to save any rules inserted via the "iptables" command
> directly so they'd be reinserted at the next boot.  I'm not sure that
> happens anymore, but it used to.

Check /etc/sysconfig/iptable-config and you'll find a parameter that allows
saving on stop that defaults to no:

IPTABLES_SAVE_ON_STOP="no"

HTH  Karl

>
> Now, as to the "-A RH-Firewall-1-INPUT" versus the "-A INPUT" bit,
> you can create separate rulesets and name them however you want.
>
> system-config-securitylevel (which is run by the system installer)
> creates a separate INPUT ruleset, called "RH-Firewall-1-INPUT" and
> sticks its rules in it.  Any rules set up by system-config-securitylevel
> (at any time, not just at system installation) get stuffed into that
> ruleset.
>
> The first rule that gets inserted into /etc/sysconfig/iptables by the
> system installer is
>
> 	-A INPUT -j RH-Firewall-1-INPUT
>
> which causes the INPUT chain to unconditionally jump to the
> "RH-Firewall-1-INPUT" ruleset.   In my opinion, it's kinda silly.  I
> suppose you could insert rules for the INPUT chain BEFORE the rule above
> that effect what you want to do, and leave the Red Hat ruleset alone.
>
> I generally find Red Hat's rules too simplistic for my uses, so I
> generally chuck their entire ruleset and just use my own in the normal
> "INPUT" chain.  If I find I need to do something extra-special, then I
> may create a separate ruleset, but I virtually NEVER jump to it
> unconditionally...I usually have some criteria in the rule that has to
> be met to jump to my special set.
>
> Hope that explains it.  :-)
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                       rps2 at nerd.com -
> - Hosting Consulting, Inc.                                           -
> -                                                                    -
> -  Memory is the second thing to go, but I can't remember the first! -
> ----------------------------------------------------------------------


-- 
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
 My Thoughts on Terrorism In America right after 9/11/2001:
 http://www.ourldsfamily.com/wtc.shtml
---
 The world is a dangerous place to live... not because of
 the people who are evil, but because of the people who
 don't do anything about it.
 - Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."
---
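The thread explains the file format that `iptables-save` writes and `iptables-restore` reads, the Red Hat `INPUT -> RH-Firewall-1-INPUT` jump, and Rick's suggestion of placing your own rules before that jump rather than hunting for rule numbers with `iptables -L -n --line-numbers`. As an added example (not code from the thread or from Red Hat), the Python below parses a constructed ruleset in that save format, reports the rule numbers exactly as `--line-numbers` would, and inserts a rule ahead of the unconditional jump, which is what `iptables -I INPUT 1 ...` would leave in the saved file. The sample ruleset, the `10.0.0.0/8` anti-spoofing rule and the `eth0` interface name are constructed for the demo; only the subset of the format the thread touches (table markers, chain declarations, `-A` rules, `COMMIT`, comments) is handled, and anything else is rejected rather than silently skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save format, modelled on the Red Hat layout
# discussed in the thread: INPUT jumps unconditionally to RH-Firewall-1-INPUT.
# The header comment and zero counters are made up for the example.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample, not a real saved file)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")   # :NAME POLICY [pkts:bytes]
APPEND_RULE = re.compile(r"^-A\s+(\S+)\s+(.*)$")                 # -A CHAIN rule-args


def parse_ruleset(text: str) -> Dict[str, dict]:
    """Parse iptables-save text into {table: {"policies": {...}, "rules": [(chain, args)]}}.

    Built-in chains carry a policy (ACCEPT/DROP); user chains such as
    RH-Firewall-1-INPUT show "-".  Malformed or unsupported lines raise.
    """
    tables: Dict[str, dict] = {}
    table: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                     # start of a table block
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
            continue
        if table is None:
            raise ValueError(f"line {lineno}: content outside any *table block")
        if line == "COMMIT":                         # end of the table block
            table = None
            continue
        m = CHAIN_DECL.match(line)
        if m:
            tables[table]["policies"][m.group(1)] = m.group(2)
            continue
        m = APPEND_RULE.match(line)
        if m:
            chain, args = m.group(1), m.group(2)
            if chain not in tables[table]["policies"]:
                raise ValueError(f"line {lineno}: rule for undeclared chain {chain}")
            tables[table]["rules"].append((chain, args))
            continue
        raise ValueError(f"line {lineno}: unsupported line {line!r}")
    if table is not None:
        raise ValueError(f"table {table} is missing its COMMIT")
    return tables


def numbered_rules(tables: dict, chain: str, table: str = "filter") -> List[Tuple[int, str]]:
    """Rules of one chain with the 1-based numbers 'iptables -L --line-numbers' prints."""
    rules = [args for c, args in tables[table]["rules"] if c == chain]
    return list(enumerate(rules, 1))


def jump_position(tables: dict, chain: str, target: str, table: str = "filter") -> Optional[int]:
    """Rule number of the unconditional '-j TARGET' in CHAIN (no match criteria), or None."""
    for num, args in numbered_rules(tables, chain, table):
        if args.split() == ["-j", target]:
            return num
    return None


def insert_before_jump(text: str, chain: str, target: str, new_rule_args: str,
                       table: str = "filter") -> str:
    """Return the ruleset with '-A CHAIN NEW_RULE' placed just before the
    unconditional jump to TARGET: the saved-file equivalent of 'iptables -I'."""
    out, in_table, done = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_table = line[1:]
        elif line == "COMMIT":
            in_table = None
        if not done and in_table == table and line.split() == ["-A", chain, "-j", target]:
            out.append(f"-A {chain} {new_rule_args}")
            done = True
        out.append(raw)
    if not done:
        raise ValueError(f"no unconditional jump from {chain} to {target} in table {table}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed rule: drop packets claiming a private source on the outside interface.
    edited = insert_before_jump(SAMPLE_RULESET, "INPUT", "RH-Firewall-1-INPUT",
                                "-i eth0 -s 10.0.0.0/8 -j DROP")
    for num, args in numbered_rules(parse_ruleset(edited), "INPUT"):
        print(f"{num:3d}  {args}")
```

After editing the file this way you would still run `service iptables restart` (or `iptables-restore < file`) for the kernel to see the change, exactly as the thread describes; the parser only reasons about the saved text.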