Re: Enable Firewall, But Allow Specific Inbound Connections


 



micheal wrote:

On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:



Thank you. How do I implement iptables rules without interfering with what the Security Level applet sets?

Bob





Very simply, open up a terminal, su over to root. Add the iptables
rules that you want.


When you are finished, service iptables save will make them permanent

MC





Thank you. I am assuming that the Security Level applet adds its own iptables rules. Is this correct? So it would drop all inbound connections on all ports to start with, and allow in only the connections I permit through the applet.

If I'm right about the above, then I can just do what you say: just add the new iptables rules I'm interested in, enter 'service iptables save', and they become permanent. Am I still right?

Now suppose I screwed up and made a mistake. Can I change the rules I messed up?

Thanks

Bob




Essentially yes, system-config-securitylevel works the same way. For example, if you were to add 445:tcp under Other ports in the applet, it would add this to the chain:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds


The same effect can be achieved by iptables -A INPUT -p TCP --dport 445 -d 192.168.1.1 -j ACCEPT


and then service iptables save

All of the available options are in man iptables, there are also some
very helpful pages on the web

Disclaimer: I have not worked with iptables in a long time, feel free to
correct my syntax

MC




Here is what Security Level set for me when I permitted incoming http and ssh through the GUI applet:

[root@bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:


[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


-------------------------------------------------------------------------------------------------------------------------

Now suppose I independently add a rule like this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT

The rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.

Am I on the right track here?

Thanks

Bob Cochran
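The ordering question Bob raises above, and MC's earlier point that the applet's ACCEPT line is just an ordinary rule in the same chain, can both be checked without touching a live firewall. What follows is an added example, not code from this thread or from system-config-securitylevel: a small Python simulator that parses the subset of the iptables-save format used by the /etc/sysconfig/iptables file quoted above, walks the INPUT chain with first-match semantics, and compares appending the MySQL rule (what iptables -A followed by service iptables save produces) with inserting it above the REJECT. The packet fields, the interface name eth0 and the source address 192.168.1.20 are constructed for the demonstration; options the quoted ruleset does not use are not parsed.

```python
"""Simulate first-match traversal of the ruleset quoted in this thread.
Added example, not part of the original posts: parses the subset of the
iptables-save format that the quoted file uses and evaluates a packet."""
import ipaddress
import shlex

# Constructed copy of the ruleset Bob pasted (system-config-securitylevel output).
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The rule Bob wants to add, as written in his message.
MYSQL_RULE = ("-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp "
              "--dport 3306 -s 192.168.1.0/24 -j ACCEPT")

# Constructed packet: a new MySQL connection from a LAN host arriving on eth0.
MYSQL_PKT = {"proto": "tcp", "iface": "eth0", "src": "192.168.1.20",
             "dst": "192.168.1.1", "dport": 3306, "state": "NEW"}

OPTS = {"-p": "proto", "-i": "iface", "-s": "src", "-d": "dst",
        "--dport": "dport", "--state": "state", "-j": "target"}


def parse_rules(text):
    """Return {chain: [rule dicts, in chain order]} from iptables-save text."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                  # chain declaration line
            chains.setdefault(line[1:].split()[0], [])
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {}
        i = 2
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            i += 2
            if opt in ("-m", "--icmp-type", "--reject-with"):
                continue                          # no bearing on the decision here
            key = OPTS[opt]
            if key in ("src", "dst"):
                val = ipaddress.ip_network(val, strict=False)
            elif key == "state":
                val = set(val.split(","))
            elif key == "dport":
                val = int(val)
            rule[key] = val
        chains.setdefault(toks[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """Every option present in the rule must match the packet."""
    checks = [("proto", lambda r, p: r == p), ("iface", lambda r, p: r == p),
              ("src", lambda r, p: ipaddress.ip_address(p) in r),
              ("dst", lambda r, p: ipaddress.ip_address(p) in r),
              ("dport", lambda r, p: r == p), ("state", lambda r, p: p in r)]
    return all(fn(rule[k], pkt.get(k)) for k, fn in checks if k in rule)


def verdict(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """Walk a chain top to bottom; the first matching terminal target wins."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(chains, pkt, target, policy=None)   # user-defined chain
        if sub is not None:
            return sub                                   # no match there: keep walking
    return policy


def append_rule(text, new_rule):
    """What 'iptables -A ...; service iptables save' yields: rule at chain end."""
    return text.replace("COMMIT", new_rule + "\nCOMMIT")


def insert_before_reject(text, new_rule):
    """Place new_rule directly above the chain's final REJECT instead."""
    chain = shlex.split(new_rule)[1]
    out, done = [], False
    for line in text.splitlines():
        if not done and line.startswith("-A %s " % chain) and " -j REJECT" in line:
            out.append(new_rule)
            done = True
        out.append(line)
    return "\n".join(out) + "\n"


def reject_rule_number(chains, chain):
    """1-based position of the chain's REJECT: the N for 'iptables -I <chain> N ...'."""
    for n, rule in enumerate(chains[chain], start=1):
        if rule["target"] == "REJECT":
            return n
    return None


if __name__ == "__main__":
    for label, text in (("appended after REJECT", append_rule(SAVED_RULES, MYSQL_RULE)),
                        ("inserted before REJECT", insert_before_reject(SAVED_RULES, MYSQL_RULE))):
        print("%-24s -> %s" % (label, verdict(parse_rules(text), MYSQL_PKT)))
    print("insert position:", reject_rule_number(parse_rules(SAVED_RULES), "RH-Firewall-1-INPUT"))
```

Run stand-alone it reports REJECT for the appended rule and ACCEPT for the inserted one, confirming Bob's reading of the chain. reject_rule_number() gives the rule number of the REJECT on the quoted ruleset (11), which is the N to pass to iptables -I RH-Firewall-1-INPUT N ... so that the live rule lands above the REJECT; service iptables save then writes the chain out in that order.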






