iptables startup

I'm trying to alter the default iptables rules that are loading at startup.

As far as I can tell, the OS is sourcing the file /etc/sysconfig/iptables, which looks like this:

######################## B E G I N   F I L E #################################
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
######################## E N D   F I L E #################################

If I comment out the following lines:

#:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

After a reboot iptables starts up without any rules/chains, just like I had flushed everything, but when I alter /etc/sysconfig/iptables to include my own rules, i.e.

-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
-A INPUT -j REJECT

the OS cannot load (it hangs at "configuring firewall").

What's up with that?
Asked by mstdinc
1 Solution
 
m1tk4 commented:
Try booting in "Interactive" mode (press "I" during startup) and skip starting iptables.

Then try

service iptables start

and see if you get any error messages. Also, one important point is that you always have to allow everything on the local interface:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

is there for a reason. If you don't do that, a lot of services break because they communicate using the TCP stack and 127.0.0.1.
 
Gabriel Orozco (Solution Architect) commented:
Your problem is you never specified the table to use :-)

You can add something like
-----------------------------------------------------------------------------------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
# iptables-restore needs the table block closed, or it reports "COMMIT expected"
COMMIT
-----------------------------------------------------------------------------------------
and it could work.

But I would prefer to delete everything, start with no rules as you posted, and then issue all the commands you need. Once finished, you only need an iptables-save to store your changes to the iptables file (I assume this is a web server machine, not for internet sharing, looking at your rules):

- start with no rules
- apply default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables-save alone only prints to stdout; redirect it into the file the init script loads
iptables-save > /etc/sysconfig/iptables

This would do what you want in a clean way if the previous try does not work =)
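The hang described in the question comes from a rule file that iptables-restore cannot parse: rules with no *filter header and no COMMIT. The following linter is an added example (not code from the thread or from Red Hat's tooling) that checks an iptables-save formatted file for exactly the problems raised in this thread: rules outside a *table block, a missing COMMIT, jumps to chains that were never declared, and a filter table that never accepts loopback traffic. The two sample files are constructed here; BROKEN mirrors the asker's rules and FIXED is one loadable equivalent.

```python
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # common built-in targets

# Constructed sample: the asker's rules, with no table header and no COMMIT.
BROKEN = """\
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
-A INPUT -j REJECT
"""

# Constructed sample: the same intent as a complete file iptables-restore can load.
FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.3.21/32 -d 192.168.3.23/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""

def lint_iptables_save(text):
    """Return a list of human-readable problems; an empty list means clean."""
    problems, table, chains, lo_ok = [], None, set(), False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"): continue   # blanks and comments are fine
        if line.startswith("*"):                        # table header, e.g. *filter
            if table is not None:
                problems.append(f"line {n}: *{table} has no COMMIT")
            table, chains, lo_ok = line[1:], set(), False
        elif table is None:                             # the asker's exact mistake
            problems.append(f"line {n}: '{line}' is outside any *table block")
        elif line.startswith(":"):                      # chain declaration, e.g. :INPUT DROP [0:0]
            chains.add(line.split()[0][1:])
        elif line == "COMMIT":
            if table == "filter" and not lo_ok:         # m1tk4's point about 127.0.0.1
                problems.append(f"line {n}: filter never accepts traffic on lo")
            table = None
        elif line.startswith("-A "):
            tok = line.split()
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            if target and target not in TARGETS | chains:
                problems.append(f"line {n}: jumps to undeclared chain {target}")
            if "-i" in tok and tok[tok.index("-i") + 1] == "lo" and target == "ACCEPT":
                lo_ok = True
    if table is not None:                               # file ended inside a table block
        problems.append(f"EOF: *{table} has no COMMIT")
    return problems
```

Running lint_iptables_save over /etc/sysconfig/iptables before rebooting catches the malformed file at the desk rather than at "configuring firewall".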
 
wnross commented:
If you are only going to use the sysconfig iptables, then use Red Hat's firewall tool
  redhat-config-securitylevel
You can then specify which ports you want open.

If you need something more complex, then use iptables to set up your firewall. I recommend

http://easyfwgen.morizot.net/gen/

to create a base script which you can then use to learn and configure iptables.

Save the generated script as "firewall.sh", then
chmod +x firewall.sh      [make the script runnable]
./firewall.sh             [load the firewall]
service iptables save     [store the current settings for next reboot]

Cheers,
-Bill
 
Gabriel Orozco (Solution Architect) commented:
thanks