custom firewall configuration

A.Fadyushin at it-centre.ru A.Fadyushin at it-centre.ru
Fri Dec 30 14:16:12 UTC 2005


Usually it is better to edit the /etc/sysconfig/iptables manually rather
than add rules one by one via the iptables command. For example, it is much
easier to reorder rules by editing the file. Of course, you should
restart the iptables service after each edit. When you are satisfied
with the results, issue the command 'service iptables save' - the file
/etc/sysconfig/iptables will be rewritten with the addition of
statistics information used by 'service iptables restore'.
I do not recommend using the cron job which flushes iptables
periodically, especially when you are editing the rules one by one with
the 'iptables' command. Because such a process can be long enough, the
cron job may flush the rules before you enter all changes of the rules
and save them. I think that the better way is to edit the file
/etc/sysconfig/iptables directly and, simultaneously with reloading of the
rules, queue an 'at' job for the time of now + 1-2 minutes. For example:

service iptables restart ; echo "iptables -F; iptables -X" | at now+5 minutes

If you are satisfied with the results of the new rules, you should remove the at
job with the 'atrm' command.

Alexey Fadyushin
Brainbench MVP for Linux.
http://www.brainbench.com
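A worked version of the restart-with-timed-rollback idea above, added here as an example and not taken from the thread or from Red Hat's iptables init scripts: it saves the running rules with iptables-save, loads the candidate file with iptables-restore, queues an at job that restores the saved rules (rather than flushing everything, so a mistake falls back to the previous policy instead of to no policy), and provides a confirm step that cancels the job with atrm. The paths (RULES_FILE, BACKUP_FILE, JOB_ID_FILE), the 5-minute default and the apply/confirm subcommand names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): apply a candidate iptables-save format
# ruleset with a timed rollback via at(1), then cancel the rollback once the
# new rules are confirmed to work. All paths below are assumed defaults.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
BACKUP_FILE="${BACKUP_FILE:-/root/iptables.rollback}"
JOB_ID_FILE="${JOB_ID_FILE:-/root/iptables.rollback.job}"
ROLLBACK_MINUTES="${ROLLBACK_MINUTES:-5}"

# Minimal sanity check on an iptables-save formatted file: every table block
# (*filter, *nat, ...) must be closed by a COMMIT line, otherwise
# iptables-restore rejects the file. Returns 0 if the file looks loadable.
check_rules_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# The command the at job will run: restore the saved rules rather than flush
# them, so a failed edit returns the host to its previous known-good policy.
rollback_command() {
    echo "iptables-restore < $1"
}

# at(1) reports the queued job as "job N at <date>" (on stderr, next to its
# /bin/sh warning); keep only N so the job can be removed later with atrm.
parse_at_job_id() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

schedule_rollback() {
    rollback_command "$BACKUP_FILE" | at now + "$ROLLBACK_MINUTES" minutes 2>&1 \
        | parse_at_job_id > "$JOB_ID_FILE"
    [ -s "$JOB_ID_FILE" ] || { echo "failed to queue rollback job" >&2; return 1; }
    echo "rollback job $(cat "$JOB_ID_FILE") queued, fires in $ROLLBACK_MINUTES minutes"
}

# Order matters: back up, queue the rollback, and only then load the new rules,
# so a lockout caused by the new rules is always undone by the queued job.
apply_rules() {
    check_rules_file "$RULES_FILE" || return 1
    iptables-save > "$BACKUP_FILE" || return 1
    schedule_rollback || return 1
    iptables-restore < "$RULES_FILE" || {
        echo "iptables-restore failed; previous rules are still loaded" >&2
        return 1
    }
    echo "new rules loaded; run '$0 confirm' once you have verified remote access"
}

confirm_rules() {
    [ -s "$JOB_ID_FILE" ] || { echo "no pending rollback job" >&2; return 1; }
    atrm "$(cat "$JOB_ID_FILE")" && rm -f "$JOB_ID_FILE"
    echo "rollback cancelled; run 'service iptables save' to persist the rules"
}

case "${1:-}" in
    apply)   apply_rules ;;
    confirm) confirm_rules ;;
    *)       ;;   # no subcommand: define the functions only
esac
```

Usage: `sh safe-iptables.sh apply` from a session you can afford to lose, then `sh safe-iptables.sh confirm` from a fresh login once the new rules have been verified; if the confirm never happens, the at job restores the saved rules.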

> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Greg Golin
> Sent: Thursday, December 29, 2005 10:36 PM
> To: General Red Hat Linux discussion list
> Subject: Re: custom firewall configuration
> 
> Romeo,
> 
> service iptables save
> 
> This shall save the custom rules you apply to /etc/sysconfig/iptables
> so that when iptables starts, it reads the new rules you have applied.
> I suggest adding a cron job that flushes the rules every five minutes
> for the duration of configuration just to make sure you're not locked
> out.
> 
> You can also look here for help:
> http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
> 
> Regards,
> G
> 
> On 12/29/05, Romeo Theriault <romeotheriault at gmail.com> wrote:
> > The built-in RedHat firewall has been working well but it isn't
> > meeting our needs anymore. I would like to customize it to make it a
> > little more secure. What is the appropriate way to do this? Do I just
> > turn it off and create my own init.d scripts? The /etc/sysconfig/
> > iptables file has a line about not recommending editing it? So what
> > is the recommended way of further editing the firewall?
> >
> > Thank you,
> >
> > Romeo Theriault
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >