jaisonshereen
asked on
How to revert this firewall configuration?
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT
I used the above commands to open the ports in my firewall.
Actually, I made a mistake.
How do I revert to the original configuration?
Moreover, I am not sure port 25 was open before.
Please see the iptables list of the firewall from before I executed the commands, and let me know if I need to revert the port 25 command.
[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.XX udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#
Please help, I am a newbie in firewalls.
ASKER
No, I haven't saved or edited the files.
So a simple restart of the firewall reverts all the configuration, right?
And the two lines that I appended will go away, right?
Yes. Or you could use the commands that arnold suggested.
Note that the two rules have NO effect whatsoever in your current configuration.
ASKER
What is this at the top saying: (2 references)?
I do not understand your last post. Are you asking what arnold suggested? Just run the two commands:
iptables -D INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
iptables -D INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT
Notice they are the same commands as you have written EXCEPT that they have the switch -D, which means delete, instead of -A, which means append.
ASKER
OK, I have restarted the service.
Below is the iptables list after that.
Do I need to execute the two commands again?
Can you tell me what change happened right now in the iptables list?
[root@server sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.xx udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@server sysconfig]#
The changes do not seem to be reflected. No reference to port 2812 in the list.
The "2 references" might mean that the first item you were adding already exists; refer to line 22 of your recent post (i.e. a duplicative entry).
It seems that in the output above the two rules were not present at all. But on the other question you have opened they are there:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:atmtcp
Anyhow the two rules you were trying are now gone.
ASKER
Actually, I want to do this:
I shouldn't let 25 and 5432 be exposed through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
What are the commands that I need to add?
It is not clear what you are asking.
Do you need to open access from the outside to a system on the inside for ports 22,80,443?
Unless you enforce outgoing rules, you do not need to do anything.
Your current configuration on the OUTPUT is to accept.
Have a look at the Iptables man pages: http://linux.die.net/man/8/iptables
Besides allowing inbound connection you have to specify where this traffic should go. This is done through the FORWARD mechanism.
http://www.hackorama.com/network/portfwd.shtml
ASKER
What do you mean by "open access from the outside to a system on the inside for ports 22,80,443"?
Can you explain? Is there anything other than accessing the outside?
You mean it is already unblocked as per my OUTPUT configuration?
Then what about blocking 5432 and allowing only port 25 for outgoing?
Your outgoing traffic is not being processed by iptables.
Access from an external source to xxx.xxx.xxx.xxx port 80 needs to be directed to a particular system (or systems); you have to set up the appropriate FORWARD rules to direct the traffic to a particular system.
Please visit the links dealing with port forwarding and the iptables man page if you want to allow external connections.
Are you using this server as a router for your LAN?
You can change the default rule on the OUTPUT from accept to deny/reject. Make sure that before you alter the default rule, you set up the permitted rules,
i.e. allow output port 25, port 80, port 443. In the commands you posted replace INPUT with OUTPUT.
ASKER
Will this do?
I shouldn't let 25 and 5432 be exposed through the firewall.
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j REJECT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 5432 -j REJECT
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 443 -j ACCEPT
25 should be kept open for outgoing traffic only.
[root@machine1 monit-5.0-beta1]# iptables -A OUTPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
Please verify and let me know.
Thanks
Instead of explicitly blocking individual ports, you can change the input policy to reject/deny all except those explicitly specified as allowed, similar to what you have on 80, 443 and 22.
ASKER
Yes, that's fine. Please, please provide me the exact command for that.
You already have blocked all connections but the ones allowed. See the last rule:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
If a packet does not match any of the previous rules then this rule is used.
However, the commands you posted will not work since:
- they operate on the INPUT chain instead of the RH-Firewall-1-INPUT chain (or at least the FORWARD chain)
- the order of the rules is important: the rules for ACCEPTing should come before the rule that REJECTs everything
- do they operate on your internal interface? Is eth1 your private network interface?
So a better option would be:
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 25 -j ACCEPT
Also read some howto or tutorial on iptables to further understand how it works:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
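Blaz's ordering point, as an added example that is not from the thread: a POSIX shell script that reads an `iptables -L RH-Firewall-1-INPUT -n --line-numbers` listing, locates the catch-all REJECT, and prints `-I` commands with an explicit rule number so every new ACCEPT lands above it, skipping ports the chain already accepts. The listing is constructed to mirror the thread's chain, and the script only prints commands; it never calls iptables itself.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Nothing here modifies the
# running firewall: the functions read a listing from stdin and print commands.

# Constructed listing in the shape of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`
# (modelled on the chain shown in the thread, not captured from a real host).
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0  icmptype 255
3    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:25
4    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
6    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Rule number of the first "REJECT all" rule in the listing on stdin (empty if none).
reject_position() {
  awk '$2 == "REJECT" && $3 == "all" { print $1; exit }'
}

# Succeeds if TCP port $1 is already ACCEPTed by some rule in the listing on stdin.
# The trailing "( |$)" stops dpt:22 from matching dpt:2812 or dpt:25.
port_accepted() {
  grep -E '^[0-9]+ +ACCEPT +tcp ' | grep -Eq "dpt:$1( |$)"
}

# Usage: plan_inserts IFACE PORT... < listing
# Prints one `iptables -I RH-Firewall-1-INPUT N ...` line per port that is not
# yet accepted. N starts at the REJECT's number and increases by one per rule,
# so the new rules keep the given order and all sit above the catch-all.
plan_inserts() {
  iface=$1; shift
  listing=$(cat)
  pos=$(printf '%s\n' "$listing" | reject_position)   # empty => insert at top
  for port in "$@"; do
    if printf '%s\n' "$listing" | port_accepted "$port"; then
      continue
    fi
    printf 'iptables -I RH-Firewall-1-INPUT %s -i %s -p tcp --destination-port %s -j ACCEPT\n' \
      "$pos" "$iface" "$port"
    if [ -n "$pos" ]; then pos=$((pos + 1)); fi
  done
}

# Port 22 is already accepted by rule 5, so only 80 and 443 produce commands.
printf '%s\n' "$SAMPLE_LISTING" | plan_inserts eth0 22 80 443
```

On a live host, feed it `iptables -L RH-Firewall-1-INPUT -n --line-numbers` and review the printed commands before running them; the rules still vanish on restart unless saved, as noted later in the thread.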
ASKER
Blaz, will your above command work to keep port 25 for outgoing traffic only?
Yes because the connection must be open from the interface eth0.
ASKER
How do I check that the connection is open from interface eth0?
This condition is a part of the rule (-i eth0).
ASKER
Actually, I am confused. I have three interfaces:
eth0, eth1, local.
eth0 corresponds to the private IP,
eth1 corresponds to the public IP,
local corresponds to localhost.
Which one of these do I have to use?
eth0.
If you are protecting the inner network then the packet establishing the TCP connection comes from the private network and passes to the internet. So it will have:
- eth0 as the input interface (-i)
- eth1 as the output interface (-o)
ASKER
Can you give the exact commands to do this:
I shouldn't let 25 and 5432 be exposed through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
Note that it always works like that, meaning that if you want your rules to stay on the machine you must save them.