RedHat security

Pete Nesbitt pete at linux1.ca
Sat Dec 18 02:18:54 UTC 2004


On December 15, 2004 12:53 pm, O'Neill, Donald (US - Deerfield) wrote:
> Larry,
>
> Why would you use iptables for internal servers? Iptables is a pain to
> learn and maintain. You are going to have to setup specific rules for
> DNS, HTTP, NTP, RHN and so on.. Use tcp_wrappers, the host.allow/deny
> are simpler context to learn.
>
> If you ignore the above advice, the first place to start is netstat -a.
> This will show the active connection state of the server. You'll need to
> look for services that are in the 'WAIT' state. This usually indicates
> that the service is having trouble communicating.
>
> These lines below will dump tcp connections into your /var/log/messages
> file for review..
>
> iptables -I INPUT -p TCP -j LOG
> iptables -I OUTPUT -p TCP -j LOG
>
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Larry D Sorensen
> Sent: Wednesday, December 15, 2004 1:48 PM
> To: redhat-list at redhat.com
> Subject: Re: RedHat security
>
> Is there a good reference somewhere on how to add iptable rules for
> someone who has never done it before?
> (I am talking step-by-step)
>
> Larry
>

Donald,
iptables and tcpwrappers are two different items. Ideally for many services, 
you can stack them filtering thru iptables, then tcpwrappers (and then maybe 
even pam). Not all services are tcpwrappers aware, so it is not as simple as 
just using one or the other.

In a trusted environment there is still good reason to use iptables and 
wrappers, depending on your paranoia level and how much time you have.

iptables is not that hard to learn and once you understand the way it works, 
you can do very creative and useful things. I personally do not like the 
front ends because IMHO it makes it more difficult to learn the underlying 
technology and also not all systems you run into will have (the same) front 
end.

One problem with using the redhat-config-security utility is that it really 
masks the actual iptables rules being created and therefore is not a good 
learning tool but is good for setting up a workstation with little 
granularity.

maybe I'm just a [stubborn] purist :-0

"man iptables" and www.netfilter.org would be good starting places for 
creating your own scripts to use as (or call from) an init script.
-- 
Pete Nesbitt, rhce
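The layering Pete describes (iptables first, then tcp_wrappers for the daemons that understand it), written out as an added example that is not part of the original thread. It assumes a constructed internal server that offers SSH to one admin host and HTTP to the LAN, and is only a client for DNS, NTP and RHN; the addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: an init-style script layering iptables
# and tcp_wrappers for an internal server. All addresses are constructed.
LAN="192.168.1.0/24"    # constructed: internal network
ADMIN="192.168.1.10"    # constructed: admin workstation allowed to ssh in

# Layer 1: netfilter. The rules are printed rather than applied so they can
# be reviewed first; "build_rules | sh" (as root) loads them.
# - The ESTABLISHED,RELATED rule is what makes separate client rules for
#   DNS, NTP and RHN unnecessary: replies to the server's own outbound
#   queries match there, so only the services the box *offers* need rules.
# - The rate-limited LOG sits just before the final DROP, so only rejected
#   traffic is logged; the quoted "-I INPUT -p TCP -j LOG" logs every packet
#   and fills /var/log/messages quickly.
# - Default policies are set last so an admin's existing ssh session
#   survives a reload of the script.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s $LAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
iptables -A INPUT -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Layer 2: tcp_wrappers, which only protects wrapper-aware daemons (sshd and
# anything started from xinetd); apache, for example, ignores these files.
# DIR is /etc on a real host; use a scratch directory to review the output.
write_wrappers() {
    dir="$1"
    printf 'sshd: %s\n' "$ADMIN" > "$dir/hosts.allow"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
}

# Only touch the live system when explicitly asked to, and only as root.
# Note that write_wrappers overwrites both files in the directory given.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    build_rules | sh
    write_wrappers "${2:-/etc}"
fi
```

Run without arguments it changes nothing; `sh script.sh apply` as root loads the rules, and `iptables -L -n -v` afterwards shows the resulting chains so you can compare them with what the script printed.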



