Re: Enable Firewall, But Allow Specific Inbound Connections

[Robert L Cochran <cochranb speakeasy net>]

Craig White wrote:

> On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
>
>  
>
> > ---------------------------------------------------------------------------------------------------------------------
> > Here is a list of all the iptables chains:
> >
> > [root bobcp4 ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere            icmp any
> > ACCEPT     ipv6-crypt--  anywhere             anywhere
> > ACCEPT     ipv6-auth--  anywhere             anywhere
> > ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> > ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> > ACCEPT     all  --  anywhere             anywhere            state 
> > RELATED,ESTABLISHED
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW 
> > tcp dpt:http
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW 
> > tcp dpt:https
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW 
> > tcp dpt:ssh
> > REJECT     all  --  anywhere             anywhere            reject-with 
> > icmp-host-prohibited
> >
> > -------------------------------------------------------------------------------------------------------------------------
> >
> > now suppose I independently add a rule like this:
> >
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 
> > -s 192.168.1.0/24 -j ACCEPT
> >
> > the rule will be added to the bottom of the RH-Firewall -1-INPUT chain, 
> > right after that REJECT.  So a datagram for port 3306 will traverse the 
> > chain, hit the REJECT, and get blown away without ever being inspected 
> > by the new rule appearing after the REJECT. 
> >
> > Am I on the right track here?
> >    
> ----
> why don't you try it?
> and then
> service iptables save
> service iptables restart
> iptables -L
> and see what happens then?
>
> Craig
>
>  
I tried this in steps. I added the new rule. At first I didn't do the 
'service iptables save' or 'service iptables restart'. The new rule 
appends to the existing chain and I still could not connect to the 
server (as expected).

Then I did a 'service iptables save' which saved the firewall rules, in 
the order shown by 'iptables -L', to file /etc/sysconfig/iptables. This 
was unacceptable because it the saved rules would later be added to the 
chain in the wrong order.

Then I manually edited /etc/sysconfig/iptables and moved the new ACCEPT 
rule before the final REJECT rule. I did a 'service iptables restart' 
and listed the chain out. That was better -- the rule was in the right 
place. And the connection attempt from a different host succeeded, too.

Thanks, this has got me started in the direction I need.

Bob