Why doesn't redhat-config-securitylevel's iptables rules work?
I don't know. I've never used the GUI.
If I turn off EVERYTHING (www, ftp, ssh, etc) and save, and even
manually restart iptables (# /sbin/service iptables restart) other
computers on my network can access www (even on weird, non-standard
ports with http servers on them) ftp, ssh, etc.
What are the contents of /etc/sysconfig/iptables?
So whats the point of even including that tool if it doesn't do
anything? I dont understand how it just flat out doesn't work. I have no
idea how iptables works, and because there's no documentation out there
for beginners who just want a script that's for eth0 with a simple www,
ssh and ftp server(s), Im stuck using rh's tools, which don't do
anything. there's no security here.
For www and ssh, the standard starting config looks like:
# Firewall configuration written by redhat-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
ftp can be a little trickier, due to the control and data split, but
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
should be sufficient if the RELATED filter is working properly. (place this rule above the one for ssh (port 22).
