RE: iptables and kickstart

I think the easiest way to do this is just to configure
/etc/sysconfig/iptables the way you want, and then just drop it in
during %post:

# Setup iptables
cat <<EOF >/etc/sysconfig/iptables
*filter
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

### blah ###
more rules
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
EOF


I would like to add new default iptables to my kickstart machines that
allow all connections within our subnet and drop everything else.

our subnet is:

Any thoughts on how best to do this? I would like a default drop of
everything from outside the subnet and accept from within.

I am considering installing a shell script in %post like this:

pull down a file called firewall_rules which is:

service iptables stop

iptables -F

iptables -A INPUT -m limit -j LOG
iptables -A OUTPUT -m limit -j LOG

#let loopback work
iptables -A INPUT -i lo -j ACCEPT

#here is where I would like to drop all outside packets
iptables -A INPUT -s 130.237.230.xxx/25 -j ACCEPT  (is this correct for
#and what is the best way to drop everything else?

service iptables save

then have it run in firstboot and delete itself.

cat > /etc/init.d/firstboot <<EOF
#!/bin/sh
chkconfig --add iptables

rm -rf /etc/init.d/firstboot /etc/rc5.d/S999firstboot
EOF
chmod 755 /etc/init.d/firstboot
ln -s /etc/init.d/firstboot /etc/rc5.d/S999firstboot

I need help with the iptables commands themselves in the firewall_rules,
i.e. the proper order they should run, and the actual commands.

I have chosen this way of doing everything in firewall_rules so in the
future if I want to change it I can edit the file and ./firewall_rules

Any ideas, thoughts, help?
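A complete version of the policy the question asks for (accept loopback and the local subnet, drop everything else), written the way the reply suggests: a ready-made /etc/sysconfig/iptables that %post drops in and the iptables init script restores at boot. This is an added example, not code from either poster; the chain name SUBNET-INPUT, the ESTABLISHED,RELATED rule, the log rate limit and the 192.0.2.0/25 sample subnet are my own choices, so substitute the real subnet's network address (the first address of the /25, not a host's).

```sh
#!/bin/sh
# gen_iptables_config SUBNET
# Prints an iptables-restore file suitable for /etc/sysconfig/iptables that
# accepts loopback and anything from SUBNET, keeps replies to this host's own
# outbound connections, and logs (rate-limited) then drops everything else.
# Chain name, log limit and the sample subnet below are assumptions of this
# example, not values from the thread.
gen_iptables_config() {
    subnet="$1"
    case "$subnet" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # require CIDR form, e.g. 192.0.2.0/25
        *) echo "usage: gen_iptables_config A.B.C.D/NN" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SUBNET-INPUT - [0:0]
-A INPUT -j SUBNET-INPUT
-A SUBNET-INPUT -i lo -j ACCEPT
-A SUBNET-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SUBNET-INPUT -s $subnet -j ACCEPT
-A SUBNET-INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A SUBNET-INPUT -j DROP
COMMIT
EOF
}

# In %post:  gen_iptables_config 192.0.2.0/25 > /etc/sysconfig/iptables
#            chkconfig iptables on
# Run directly, it prints the file for the subnet given as $1, or for the
# constructed sample subnet when no argument is given.
gen_iptables_config "${1:-192.0.2.0/25}"
```

Because the iptables service restores this file itself at boot, no self-deleting firstboot script is needed, and the box never comes up with the policy unset.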


