jaisonshereen
asked on
How to edit firewall rule for this?
I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
I want to edit iptables accordingly.
Please advise. I am using GNU/Linux
ASKER
Hi,
I am a newbie in Linux. Please explain in detail.
Do you have any outgoing ports blocked?
How to check this?
The question here is
I shouldn't expose 25 and 5432 through the firewall. ---------> means except 25 and 5432 everything I can allow. Please provide the command for this.
I need to unblock ports 22 for ssh, 80 for http and 443 for https. ---> means unblock 22 and 80 433 ..right?
Please provide the command.
25 should be kept open for outgoing traffic only. ---> means we already blocked 25 and we need to allow this for outgoing only, right? Please provide the command.
I don't block any outgoing connections and have never looked up how to do that. Consult the iptables / netfilter man pages and kernel source documentation to find out how to do it and whether it's in effect just now.
To give you more explicit commands I need to know: do you want incoming port 25 (and the others) to the system running iptables? Or do you want it on some other system on a lan that the iptables system routes to?
ASKER
do you want incoming port 25 (and the others) to the system running iptables?
Yes
Or do you want it on some other system on a lan that the iptables system routes to?
No
How to check any outgoing ports are blocked?
I assume you are using eth0 for your connection. "ifconfig" will confirm this. A rule to open port 22:
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
Put this rule first (or early on).
I do not know how 25 outgoing is blocked. Please post all the rules that you have and I'll have a try.
ASKER
This is what iptables list :
Can you tell me what each entry means:
[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#
No. I don't find the output from "iptables -L" particularly helpful actually. What I wanted you to post was your rules files. Please do that.
ASKER
[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#
Thanks for that. I'm not familiar with the Red Hat configuration system - was hoping to see the actual iptables command lines (which is how I configure it). But you might have trouble getting these.
Actually the -A lines look like they are the arguments to iptables. Maybe I can make sense of this after work (have to go now)
ASKER CERTIFIED SOLUTION
For incoming calls, you have to decide which host is to receive the call - i.e. when the external interface is called on port 25 then that is forwarded and Network Address Translated (NAT'd) to a specific interface and host on that interface. If you want it to come in to the box running iptables, change the filter rule. Examples below
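As an added example (not the asker's file or any participant's answer), here is a corrected version of the posted /etc/sysconfig/iptables in the same iptables-restore format: the inbound tcp/25 ACCEPT is removed so SMTP (and 5432, which was never opened) falls through to the final REJECT, 80 and 443 are accepted alongside 22, and OUTPUT gets an explicit ACCEPT for outbound tcp/25. It assumes the chain names and rules the asker posted, with the mDNS address taken from the asker's `iptables -L` output; the script only prints and checks the rule text, it does not apply it.

```shell
#!/bin/sh
# Generate a corrected rule set (iptables-restore format) derived from the
# rules file posted in the thread. Review it, then apply on the server with:
#   build_rules > /tmp/rules && iptables-restore < /tmp/rules
#   iptables -L RH-Firewall-1-INPUT -n --line-numbers   # confirm order
build_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# The posted "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT" line is
# deliberately absent above: with no ACCEPT for 25 or 5432 in the INPUT path,
# both hit the trailing REJECT. The OUTPUT rule is redundant while the OUTPUT
# policy is ACCEPT, but keeps outbound mail working if that policy is tightened.

# Returns 0 when no ACCEPT rule opens the given inbound tcp port, 1 otherwise.
inbound_port_closed() {
    ! build_rules | grep -q -- "RH-Firewall-1-INPUT .*--dport $1 -j ACCEPT"
}

# Returns 0 when an ACCEPT rule for the given inbound tcp port exists.
inbound_port_open() {
    build_rules | grep -q -- "RH-Firewall-1-INPUT .*-p tcp --dport $1 -j ACCEPT"
}
```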