[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: iptables and kickstart
I think the easiest way to do this is just to configure
/etc/sysconfig/iptables the way you want, and then just drop it in
during %post:

# Setup iptables
cat <<EOF >/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

### blah ###
# more rules here (a bare line such as "more rules" makes iptables-restore fail)
#############
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
EOF

-Mark

-----Original Message-----
From: kickstart-list-admin redhat com
[mailto:kickstart-list-admin redhat com] On Behalf Of Scott Melnyk
Sent: Thursday, March 13, 2003 7:10 AM
To: kickstart-list redhat com
Subject: iptables and kickstart

Hello,
I would like to add new default iptables to my kickstart machines that
allow all connections within our subnet and drop everything else. 

our subnet is:
130.237.230.xxx/255.255.255.128

Any thoughts on how best to do this? I would like a default drop of
everything from outside the subnet and accept from within.

I am considering installing a shell script in %post like this:

pull down a file called firewall_rules which is:

#!/bin/bash
# Stop the service (this flushes the running rules), then flush again to be sure
service iptables stop

iptables -F

# Rate-limited logging of everything that passes through INPUT and OUTPUT
iptables -A INPUT -m limit -j LOG
iptables -A OUTPUT -m limit -j LOG

#let loopback work (match the loopback interface; "-s 127.000.000.000 accept"
#was missing the -j and would not parse)
iptables -A INPUT -i lo -j ACCEPT

#here is where I would like to drop all outside packets
#(is /25 correct for 255.255.255.128?)
iptables -A INPUT -s 130.237.230.xxx/25 -j ACCEPT
#and what is the best way to drop everything else?

# Write the running rules to /etc/sysconfig/iptables so they load on boot
service iptables save

then have it run in firstboot and delete itself.

cat > /etc/init.d/firstboot <<EOF
#!/bin/sh
# one-shot: load the rules, enable the iptables service, then remove this script
/root/firewall_rules
chkconfig --add iptables

rm -rf /etc/init.d/firstboot /etc/rc5.d/S999firstboot
EOF
chmod 755 /etc/init.d/firstboot
ln -s /etc/init.d/firstboot /etc/rc5.d/S999firstboot


I need help with the iptables commands themselves in the firewall_rules,
i.e. the proper order they should run in, and the actual commands.

I have chosen this way of doing everything in firewall_rules so in the
future if I want to change it I can edit the file and ./firewall_rules

Any ideas, thoughts, help?

Thanks,
Scott



_______________________________________________
Kickstart-list mailing list
Kickstart-list redhat com
https://listman.redhat.com/mailman/listinfo/kickstart-list
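Pulling the two messages together, here is an added example that is not code from either poster: a POSIX shell snippet for the kickstart %post section that derives the prefix length from a dotted netmask (Scott's /25 question), then writes /etc/sysconfig/iptables in the iptables-save format Mark drops in, with a default DROP policy on INPUT so that nothing outside the subnet needs an explicit drop rule. It goes one step beyond what Scott asked for by accepting ESTABLISHED,RELATED traffic first, otherwise replies to the host's own outbound connections (DNS, yum, ssh out) from beyond the subnet are dropped too. The network 130.237.230.0 (standing in for 130.237.230.xxx), the output path and the function names are assumptions; the state match needs the connection-tracking module, which the iptables init script loads.

```shell
#!/bin/sh
# Added example for the kickstart-list thread; not from the original posts.
# Generates an iptables-save style rules file from a network + netmask.

# Convert a dotted-quad netmask to a CIDR prefix length,
# e.g. 255.255.255.128 -> 25. Returns 1 for a malformed or
# non-contiguous mask (such as 255.255.0.255).
mask2prefix() {
    mask=$1
    bits=0
    seen_partial=0
    oldifs=$IFS
    IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;;
            0)   n=0 ;;
            *)   return 1 ;;   # not a valid mask octet
        esac
        # after the first non-255 octet, every remaining octet must be 0
        if [ "$seen_partial" -eq 1 ] && [ "$octet" != 0 ]; then
            return 1
        fi
        [ "$octet" = 255 ] || seen_partial=1
        bits=$((bits + n))
    done
    echo "$bits"
}

# Emit the rule set in the format /etc/sysconfig/iptables uses
# (what "service iptables start" feeds to iptables-restore).
# $1 = network address, $2 = dotted netmask.
gen_rules() {
    net=$1
    prefix=$(mask2prefix "$2") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${net}/${prefix} -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# For %post: write the file; the iptables init script loads it at boot.
# $3 (optional) overrides the output path, e.g. for a dry run.
install_rules() {
    net=$1
    mask=$2
    out=${3:-/etc/sysconfig/iptables}
    gen_rules "$net" "$mask" > "$out" || return 1
    chmod 600 "$out"
    # Parse-only check of the file (needs root); the running tables are untouched.
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$out"
    fi
    command -v chkconfig >/dev/null 2>&1 && chkconfig iptables on
    return 0
}

# Usage from %post (the network is a placeholder for 130.237.230.xxx):
#   install_rules 130.237.230.0 255.255.255.128
# Preview the generated file without touching the system:
gen_rules 130.237.230.0 255.255.255.128
```

Everything that is not loopback, not a reply to the host's own traffic and not from 130.237.230.0/25 falls through to the INPUT policy and is dropped; the rate-limited LOG rule sits last so only the packets about to be dropped are logged. The `service iptables save` step in Scott's script becomes unnecessary, because the file on disk is the source of truth rather than the running tables.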