Re: Enable Firewall, But Allow Specific Inbound Connections

[Robert L Cochran <cochranb speakeasy net>]

micheal wrote:

> On Mon, 2005-01-31 at 19:56 -0500, Robert L Cochran wrote:
>
>  
>
> > > > Thank you. How do I implement iptables rules without interfering with 
> > > > what the Security Level applet sets?
> > > >
> > > > Bob
> > > >
> > > >   
> > > >
> > > >        
> > > Very simply, open up a terminal, su over to root.  Add the iptables
> > > rules tgat you want.  
> > >
> > > When you are finshed, service iptables save will make them permanent
> > >
> > > MC
> > >
> > >
> > >
> > >      
> > Thank you. I am assuming that the Security Level applet adds its own 
> > iptables rules. Is this correct? So it would drop all inbound 
> > connections on all ports to start with, and allow in only the  the 
> > connections I permit through the applet.
> >
> > If I'm right about the above, then I can just do what you say: just add 
> > the new iptables rules I'm interested in, enter 'service iptables save', 
> > and they become permanent. Am I still right?
> >
> > Now suppose I screwed up and made a mistake. Can I change the rules I 
> > messed up?
> >
> > Thanks
> >
> > Bob
> >
> >    
>
> Essentially yes, system-config-secutitylevel works the same way. For
> example, If you were to add for Other ports: 445:tcp in the applet. It
> would add this to the chain:
>
> ACCEPT     tcp  --  anywhere             anywhere            tcp
> dpt:microsoft-ds
>
>
> The same effect can be achieved by 
> iptables -A INPUT -p TCP -dport 445 -d 192.168.1.1 -j ACCEPT
>
> and then service iptables save
>
> All of the available options are in man iptables, there are also some
> very helpful pages on the web
>
> Disclamer, I have not worked with iptables in a long time, feel free to
> correct my syntax
>
> MC
>
>
>  
Here is what Security Level set for me when I permitted incoming http 
and ssh through the GUI applet:

[root bobcp4 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j 
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j 
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j 
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:

[root bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state 
RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW 
tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with 
icmp-host-prohibited

-------------------------------------------------------------------------------------------------------------------------

now suppose I independently add a rule like this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 
-s 192.168.1.0/24 -j ACCEPT

the rule will be added to the bottom of the RH-Firewall -1-INPUT chain, 
right after that REJECT.  So a datagram for port 3306 will traverse the 
chain, hit the REJECT, and get blown away without ever being inspected 
by the new rule appearing after the REJECT. 

Am I on the right track here?

Thanks

Bob Cochran


>