mstdinc
asked on
iptables startup
I'm trying to alter the default iptables rules that are loading at startup.
as far as I can tell the OS is sourcing the file /etc/sysconfig/iptables which looks like this:
######################## B E G I N F I L E ##########################
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
######################## E N D F I L E ##########################
If I comment out the following lines:
#:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
after a reboot iptables starts up without any rules/chains, just like I flushed everything, but when I alter /etc/sysconfig/iptables to include my own rules, i.e.
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
-A INPUT -j REJECT
the OS cannot load (it hangs at "configuring firewall")
what's up with that?
ASKER CERTIFIED SOLUTION
If you are only going to use the sysconfig iptables, then use redhat's firewall tool
redhat-config-securitylevel
You can then specify which ports you want open.
If you need something more complex, then use iptables to set up your firewall. I recommend
http://easyfwgen.morizot.net/gen/
to create a base script which you can then use to learn and configure iptables.
Save the generated script as "firewall.sh", then
chmod +x firewall.sh [make the script runnable]
./firewall.sh [load the firewall]
service iptables save [store the current settings for next reboot]
Cheers,
-Bill
thanks
Then try
service iptables start
and see if you get any error messages. Also, one important point is that you have to always allow everything on a local interface:
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
is there for a reason. If you don't do that a lot of services break because they communicate using the TCP stack and 127.0.0.1.
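The question shows two versions of /etc/sysconfig/iptables: the generated file (table header, chain declarations, COMMIT) and the three bare rules that replaced it, and the last answer adds that the loopback ACCEPT rule must stay. The checker below is an added example, not code from this thread, from Red Hat or from the iptables project: it reads text in iptables-save format and reports what iptables-restore would choke on (rules outside a `*table` block, appends to a chain that was never declared with a `:NAME` line, jumps to an unknown target, a missing COMMIT), and warns when a filter table rejects or drops traffic without an `-i lo -j ACCEPT` rule. The three sample files are constructed from the rules quoted in the question; whether the missing structure is what hung this particular boot is not something the thread confirms, the check simply shows what the working file has that the bare rules lack.

```python
"""Structural checker for iptables-save format (what /etc/sysconfig/iptables
holds and iptables-restore loads at boot). Added example; not code from the
thread, Red Hat or the iptables project. It only inspects text and loads
nothing into the kernel, so it runs anywhere."""
from __future__ import annotations

# Chains the kernel creates itself; appending to them needs no ":NAME" line.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
}
# Targets accepted without a user-defined chain (deliberately short list).
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                 "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}


def _value_after(tokens: list[str], flag: str) -> str | None:
    """Return the token following `flag`, or None if absent or last."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def check_rules_file(text: str) -> list[str]:
    """Return problems found in `text`; an empty list means the shape is fine."""
    problems: list[str] = []
    table: str | None = None   # table being filled, None between tables
    chains: set[str] = set()
    lo_accept = False          # saw "-i lo ... -j ACCEPT" in the filter table
    restrictive = False        # filter table drops/rejects unconditionally somewhere

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()

        if line.startswith("*"):                      # "*filter": open a table
            if table is not None:
                problems.append(f"line {lineno}: table '*{table}' not closed with COMMIT")
            table = line[1:]
            chains = set(BUILTIN_CHAINS.get(table, set()))
            lo_accept = restrictive = False
            continue

        if line == "COMMIT":                          # close the table
            if table is None:
                problems.append(f"line {lineno}: COMMIT with no open table")
            elif table == "filter" and restrictive and not lo_accept:
                problems.append("warning: filter table rejects/drops but has no "
                                "'-i lo -j ACCEPT' rule; services using 127.0.0.1 will break")
            table = None
            continue

        if table is None:
            problems.append(f"line {lineno}: rule outside any table (no '*filter' header before it)")
            continue

        if tokens[0].startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            chains.add(tokens[0][1:])
            if table == "filter" and len(tokens) > 1 and tokens[1] in ("DROP", "REJECT"):
                restrictive = True
            continue

        if tokens[0] not in ("-A", "-I") or len(tokens) < 2:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
            continue

        chain = tokens[1]
        if chain not in chains:
            problems.append(f"line {lineno}: chain '{chain}' used before ':{chain} - [0:0]' declared it")
        target = _value_after(tokens, "-j")
        if target is not None and target not in KNOWN_TARGETS and target not in chains:
            problems.append(f"line {lineno}: jump target '{target}' is neither known nor a declared chain")
        if table == "filter" and target in ("REJECT", "DROP") and tokens.index("-j") == 2:
            restrictive = True   # "-A CHAIN -j REJECT": no match options, everything reaching it dies
        if table == "filter" and target == "ACCEPT" and _value_after(tokens, "-i") == "lo":
            lo_accept = True

    if table is not None:
        problems.append(f"file ends inside table '*{table}' without COMMIT")
    return problems


# Constructed sample 1: the generated file from the question, shortened.
WORKING_FILE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample 2: the three rules exactly as posted, with nothing around them.
BARE_RULES = """\
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
-A INPUT -j REJECT
"""
# Constructed sample 3: the same rules inside a complete table, plus the
# loopback rule from the last answer and the ESTABLISHED,RELATED rule.
WRAPPED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""

if __name__ == "__main__":
    for name, sample in (("working", WORKING_FILE), ("bare", BARE_RULES), ("wrapped", WRAPPED_RULES)):
        print(name, check_rules_file(sample) or "OK")
```

Running it prints `OK` for the generated file and for the wrapped rules, and three "rule outside any table" lines for the bare rules. The loopback warning is a heuristic: it only fires when the filter table has a chain policy of DROP/REJECT or an unconditional `-A CHAIN -j REJECT`/`DROP` rule, since an all-ACCEPT table does not need the lo rule to keep local services working.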