Solved

How to revert this firewall configuration?

Posted on 2008-06-18
682 Views
Last Modified: 2010-04-22
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT


I used the above commands to open the ports in my firewall.

Actually, I made a mistake.

How do I revert to the original configuration?

Moreover, I am not sure port 25 was open before.

Please see the iptables list of the firewall from before I executed the commands, and let me know whether I need to revert the port 25 command.

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#


Please help, I am a newbie with firewalls.
0
Question by:jaisonshereen
25 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
iptables -D INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
iptables -D INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT

0
 
LVL 16

Expert Comment

by:Blaz
If you didn't do a save of the iptables rules (iptables-save command) or edit some file (/etc/sysconfig/iptables), you can always revert all rules by restarting the firewall service (/etc/init.d/iptables restart) or the entire server.

Note that it always works like that, meaning that if you want your rules to stay on the machine you must save them.
0
 

Author Comment

by:jaisonshereen
No, I haven't saved or edited the files.

So a simple restart of the firewall reverts all the configuration, right?
And the two lines that I appended will go away, right?
0
 
LVL 16

Expert Comment

by:Blaz
Yes. Or you could use the commands that arnold suggested.

Note that the two rules have NO effect whatsoever in your current configuration.
0
 

Author Comment

by:jaisonshereen
What is this at the top saying "(2 references)"?
0
 
LVL 16

Expert Comment

by:Blaz
I do not understand your last post. Are you asking what arnold suggested? Just run the two commands:
iptables -D INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
iptables -D INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT

Notice they are the same commands as you have written EXCEPT that they have the switch -D, which means delete, instead of -A, which means append.
0
 

Author Comment

by:jaisonshereen
OK, I have restarted the service.

Below is the iptables list after that.

Do I need to execute the two commands again?

Can you tell me what change happened right now in the iptables list?



[root@server sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.xx         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@server sysconfig]#

0
 
LVL 76

Expert Comment

by:arnold
The changes do not seem to be reflected. There is no reference to port 2812 in the list.
The "2 references" might mean that the first item you were adding already exists; refer to line 22 of your recent post (i.e. a duplicate entry).
0
 
LVL 16

Expert Comment

by:Blaz
It seems that in the output above the two rules were not present at all. But on the other question you have opened they are there:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp


Anyhow, the two rules you were trying are now gone.

0
 

Author Comment

by:jaisonshereen
Actually, I want to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.

What are the commands that I need to add?

0
 
LVL 76

Expert Comment

by:arnold
It is not clear what you are asking.
Do you need to open access from the outside to a system on the inside for ports 22,80,443?

Unless you enforce outgoing rules, you do not need to do anything.

Your current configuration on the OUTPUT is to accept.

Have a look at the Iptables man pages: http://linux.die.net/man/8/iptables

Besides allowing inbound connections, you have to specify where this traffic should go. This is done through the FORWARD mechanism.
http://www.hackorama.com/network/portfwd.shtml
0
 

Author Comment

by:jaisonshereen
What do you mean by "open access from the outside to a system on the inside for ports 22, 80, 443"?

Can you explain? Is there anything other than accessing from outside?

You mean it is already unblocked as per my OUTPUT configuration?

Then what about blocking 5432 and allowing only port 25 for outgoing?
0
 
LVL 76

Expert Comment

by:arnold
Your outgoing traffic is not being processed by iptables.

Access from an external source to xxx.xxx.xxx.xxx port 80 needs to be directed to a particular system (or systems); you have to set up the appropriate FORWARD rules to direct the traffic to a particular system.

Please visit the links dealing with port forwarding and the iptables man page if you want to allow external connections.
Are you using this server as a router for your LAN?

You can change the default rule on the OUTPUT chain from accept to deny/reject. Make sure that before you alter the default rule, you set up the permitted rules,
i.e. allow output on port 25, port 80, port 443. In the commands you posted, replace INPUT with OUTPUT.
0
 

Author Comment

by:jaisonshereen
Will this do?

I shouldn't expose 25 and 5432 through the firewall.

[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j REJECT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 5432 -j REJECT

I need to unblock ports 22 for ssh, 80 for http and 443 for https.

[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 443 -j ACCEPT

25 should be kept open for outgoing traffic only.

[root@machine1 monit-5.0-beta1]# iptables -A OUTPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT


Please verify and let me know.

Thanks
0
 
LVL 76

Expert Comment

by:arnold
Instead of explicitly blocking individual ports, you can change the INPUT policy to reject/deny everything except what is explicitly specified as allowed, similar to what you have on 80, 443 and 22.

0
 

Author Comment

by:jaisonshereen
Yes, that's fine. Please provide me the exact command for that.
0
 
LVL 16

Expert Comment

by:Blaz
You already have blocked all connections but the ones allowed. See the last rule:
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

If a packet does not match any of the previous rules then this rule is used.

However, the commands you posted will not work since:
- they operate on the INPUT chain instead of the RH-Firewall-1-INPUT chain (or at least the FORWARD chain)
- the order of the rules is important: the rules that ACCEPT must come before the rule that REJECTs everything
- do they operate on your internal interface? Is eth1 your private network interface?

So a better option would be:
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 25 -j ACCEPT

Also read some howto or tutorial on iptables to further understand how it works:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
0
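The two points made above, that rules appended to INPUT after the jump into RH-Firewall-1-INPUT never get a say, and that an ACCEPT must sit before the chain's final REJECT, are easy to check with a small model of how iptables walks its chains. The following is an added example, not code from this thread or from iptables itself. It models only the rules from the post-restart listing that matter for the packets it tests, assumes the "ACCEPT all" rule at the top of RH-Firewall-1-INPUT is the usual Red Hat loopback rule (-i lo; plain iptables -L hides interfaces, iptables -L -v shows them), and the packets are constructed. It also answers the earlier "(2 references)" question: that number is simply how many rules jump to the chain, here one in INPUT and one in FORWARD.

```python
# Added example: a model of iptables chain traversal for the rule set in this
# thread. Not the thread's own code. Assumptions: the top "ACCEPT all" rule in
# RH-Firewall-1-INPUT is the Red Hat loopback rule (-i lo), only the rules that
# matter for the tested packets are modelled, and all packets are constructed.

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def rule(target, proto="all", dport=None, iface=None, state=None):
    """One rule: match fields plus a target, which is a verdict or a user chain."""
    return {"target": target, "proto": proto, "dport": dport,
            "iface": iface, "state": state}


def baseline():
    """Relevant subset of the rule set listed after 'service iptables restart'."""
    rh = [
        rule("ACCEPT", iface="lo"),                          # assumed loopback rule
        rule("ACCEPT", proto="icmp"),
        rule("ACCEPT", proto="tcp", dport=25),               # tcp dpt:smtp
        rule("ACCEPT", state="RELATED,ESTABLISHED"),
        rule("ACCEPT", proto="tcp", dport=22, state="NEW"),  # state NEW tcp dpt:ssh
        rule("REJECT"),                                      # reject-with icmp-host-prohibited
    ]
    return {
        "INPUT": {"policy": "ACCEPT", "rules": [rule("RH-Firewall-1-INPUT")]},
        "FORWARD": {"policy": "ACCEPT", "rules": [rule("RH-Firewall-1-INPUT")]},
        "OUTPUT": {"policy": "ACCEPT", "rules": []},
        "RH-Firewall-1-INPUT": {"policy": None, "rules": rh},  # user chain: no policy
    }


def matches(r, pkt):
    """Does the packet satisfy every match field the rule specifies?"""
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    if r["state"] and pkt["state"] not in r["state"].split(","):
        return False
    return True


def walk(chains, name, pkt):
    """Verdict for pkt entering chain `name`; None means RETURN from a user chain."""
    chain = chains[name]
    for r in chain["rules"]:
        if not matches(r, pkt):
            continue
        if r["target"] in TERMINAL:
            return r["target"]
        verdict = walk(chains, r["target"], pkt)   # jump into a user chain
        if verdict is not None:
            return verdict                          # the user chain decided
    return chain["policy"]   # built-in chain: its policy; user chain: RETURN


def append(chains, name, r):            # iptables -A
    chains[name]["rules"].append(r)


def insert(chains, name, r):            # iptables -I (default position 1)
    chains[name]["rules"].insert(0, r)


def delete(chains, name, r):            # iptables -D with the rule spec
    chains[name]["rules"].remove(r)     # first exact match, like iptables


def references(chains, name):
    """The '(N references)' shown by iptables -L: rules that jump to the chain."""
    return sum(1 for c in chains.values() for r in c["rules"] if r["target"] == name)


def scenario():
    """Replay the thread's commands against the listed rule set (constructed packets)."""
    new_2812 = {"iface": "eth1", "proto": "tcp", "dport": 2812, "state": "NEW"}
    web_from_lan = {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
    web_from_net = {"iface": "eth1", "proto": "tcp", "dport": 80, "state": "NEW"}
    out, chains = {}, baseline()
    out["references"] = references(chains, "RH-Firewall-1-INPUT")   # INPUT and FORWARD
    out["baseline"] = walk(chains, "INPUT", new_2812)                # REJECT
    r2812 = rule("ACCEPT", "tcp", 2812, "eth1")
    append(chains, "INPUT", r2812)                                   # the original -A INPUT
    out["append_INPUT"] = walk(chains, "INPUT", new_2812)            # REJECT: RH chain decides first
    delete(chains, "INPUT", r2812)                                   # the accepted -D fix
    append(chains, "RH-Firewall-1-INPUT", r2812)                     # -A lands after the REJECT
    out["append_RH"] = walk(chains, "INPUT", new_2812)               # REJECT: order matters
    delete(chains, "RH-Firewall-1-INPUT", r2812)
    insert(chains, "RH-Firewall-1-INPUT", r2812)                     # -I lands before the REJECT
    out["insert_RH"] = walk(chains, "INPUT", new_2812)               # ACCEPT
    insert(chains, "RH-Firewall-1-INPUT", rule("ACCEPT", "tcp", 80, "eth0"))  # the -i eth0 rule
    out["lan_web_forward"] = walk(chains, "FORWARD", web_from_lan)   # ACCEPT: arrived on eth0
    out["net_web_input"] = walk(chains, "INPUT", web_from_net)       # REJECT: arrived on eth1
    pre = baseline()
    pre["RH-Firewall-1-INPUT"]["rules"].pop()                        # pre-restart listing: no REJECT
    out["pre_restart"] = walk(pre, "INPUT", new_2812)                # ACCEPT via the INPUT policy
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18} {verdict}")
```

The pre_restart case shows why the appended INPUT rules were pointless in the first listing as well: with no REJECT at the end of RH-Firewall-1-INPUT, every unmatched packet returns to INPUT and is accepted by its ACCEPT policy anyway. The eth0/eth1 pair shows what the -i match does: a rule written with -i eth0 only sees packets that arrived on the private interface, so the same port stays rejected when the packet comes in on eth1.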
 

Author Comment

by:jaisonshereen
Blaz, will your above commands work to keep port 25 for outgoing traffic only?
0
 
LVL 16

Expert Comment

by:Blaz
Yes because the connection must be open from the interface eth0.
0
 

Author Comment

by:jaisonshereen
How do I check that the connection is open from interface eth0?
0
 
LVL 16

Expert Comment

by:Blaz
This condition is part of the rule (-i eth0).
0
 

Author Comment

by:jaisonshereen
Actually, I am confused. I have three interfaces:

eth0, eth1 and local

eth0 corresponds to the private IP
eth1 corresponds to the public IP
local corresponds to localhost

Which one do I have to use?
0
 
LVL 16

Expert Comment

by:Blaz
eth0.

If you are protecting the inner network, then the packet establishing the TCP connection comes from the private network and passes to the internet. So it will have:
- eth0 as the input interface (-i)
- eth1 as the output interface (-o)
0
 

Author Comment

by:jaisonshereen
Can you give the exact commands to do this:

I shouldn't let to expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 250 total points
I have already given you the commands:
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 25 -j ACCEPT

This opens outgoing connections to ssh (port 22), web (ports 80 and 443) and smtp (port 25).

All the incoming ports are blocked by default but you could write special rules if you like:
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 25 -j DROP
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 5432 -j DROP
0
