jaisonshereen

asked on
How to revert this firewall configuration?

[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT


I used the above commands to open the ports in my firewall.

Actually I made a mistake.

How do I revert to the original configuration?

Moreover, I am not sure port 25 was open before.

Please see the iptables list of the firewall before I executed the command, and let me know whether I need to revert the port 25 command.

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#


Please help, I am a newbie with firewalls.
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.
If you didn't do a save of the iptables (iptables-save command) or edit some file (/etc/sysconfig/iptables), you can always revert all rules by restarting the firewall service (/etc/init.d/iptables restart) or the entire server.

Note that it always works like that, meaning that if you want your rules to stay on the machine you must save them.
jaisonshereen

ASKER

No, I haven't saved or edited the files.

So a simple restart of the firewall reverts all the configuration, right?
And the two lines that I appended will go away, right?
Yes. Or you could use the commands that arnold suggested.

Note that the two rules have NO effect whatsoever in your current configuration.
What is this at the top saying "(2 references)"?
I do not understand your last post. Are you asking what arnold suggested? Just run the two commands:
iptables -D INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
iptables -D INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT

Notice they are the same commands as you have written EXCEPT that they have the switch -D, which means delete, instead of -A, which means append.
OK, I have restarted the service.

Below is the iptables list after that.

Do I need to execute the two commands again?

Can you tell me what change happened in the iptables list?

[root@server sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.xx         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@server sysconfig]#

The changes do not seem to be reflected. No reference to port 2812 in the list.
The "2 references" might mean that the first item you were adding already exists; refer to line 22 of your recent post (i.e. a duplicate entry).
It seems that in the output above the two rules were not present at all. But on the other question you have opened they are there:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

Anyhow the two rules you were trying are now gone.

Actually I want to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.

What are the commands that I need to add?

It is not clear what you are asking.
Do you need to open access from the outside to a system on the inside for ports 22,80,443?

Unless you enforce outgoing rules, you do not need to do anything.

Your current configuration on the OUTPUT is to accept.

Have a look at the Iptables man pages: http://linux.die.net/man/8/iptables

Besides allowing inbound connections you have to specify where this traffic should go. This is done through the FORWARD mechanism.
http://www.hackorama.com/network/portfwd.shtml
What do you mean by open access from the outside to a system on the inside for ports 22,80,443?

Can you explain? Is there anything other than accessing outside?

You mean it is already unblocked as per my OUTPUT configuration?

Then what about blocking 5432 and allowing only port 25 for outgoing?
Your outgoing traffic is not being processed by iptables.

Access from an external source to xxx.xxx.xxx.xxx port 80 needs to be directed to a particular system or systems; you have to set up the appropriate FORWARD rules to direct the traffic to a particular system.

Please visit the links dealing with port forwarding and the iptables man page if you want to allow external connections.
Are you using this server as a router for your LAN?

You can change the default rule on the OUTPUT from accept to deny/reject. Make sure that before you alter the default rule, you set up the permitted rules,
i.e. allow output port 25, port 80, port 443. In the command you posted replace INPUT with OUTPUT.
Will this do?

I shouldn't expose 25 and 5432 through the firewall.

[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 25 -j REJECT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 5432 -j REJECT

I need to unblock ports 22 for ssh, 80 for http and 443 for https.

[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -A INPUT -i eth1 -p tcp --destination-port 443 -j ACCEPT

25 should be kept open for outgoing traffic only.

[root@machine1 monit-5.0-beta1]# iptables -A OUTPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT


Please verify and let me know.

Thanks
Instead of explicitly blocking individual ports, you can change the input policy to reject/deny all except those explicitly specified as allowed, similar to what you have on 80, 443 and 22.

Yes, that's fine. Please provide me the exact command for that.
You already have blocked all connections but the ones allowed. See the last rule:
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

If a packet does not match any of the previous rules then this rule is used.

However the commands you posted will not work since:
- they operate on the INPUT chain instead of the RH-Firewall-1-INPUT chain (or at least the FORWARD chain)
- the order of the rules is important: the ACCEPT rules must come before the rule that REJECTs everything
- do they operate on your internal interface? Is eth1 your private network interface?

So a better option would be:
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 443 -j ACCEPT
[root@machine1 monit-5.0-beta1]# iptables -I RH-Firewall-1-INPUT -i eth0 -p tcp --destination-port 25 -j ACCEPT

Also read some howto or tutorial on iptables to further understand how it works:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
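As an added example (not code from the thread or from any poster), the following Python model applies the thread's own `-A`, `-D` and `-I` commands to a chain and walks a packet through it, showing why a rule appended to INPUT after the jump to RH-Firewall-1-INPUT (which ends in REJECT) never matches, and why `-D` removes exactly the rule `-A` added while `-I` puts a rule ahead of the REJECT. It models only the options used in this thread (-A/-I/-D, -i, -p, --dport/--destination-port, -j) plus a jump to a user chain; the chain contents are constructed, not read from a live system.

```python
import shlex

def parse(cmd):
    """One 'iptables ...' command line -> (action, chain, rule dict)."""
    argv = shlex.split(cmd)[1:]
    action, chain, rule = None, None, {}
    for opt, val in zip(argv[::2], argv[1::2]):
        if opt in ("-A", "-I", "-D"):
            action, chain = opt, val
        elif opt in ("-i", "-p", "-j"):
            rule[opt] = val
        elif opt in ("--dport", "--destination-port"):
            rule["dport"] = int(val)
    return action, chain, rule

def apply(chains, cmd):
    """-A appends at the end, -I inserts at the top, -D deletes the same rule."""
    action, chain, rule = parse(cmd)
    rules = chains.setdefault(chain, [])
    if action == "-A":
        rules.append(rule)
    elif action == "-I":
        rules.insert(0, rule)
    else:
        rules.remove(rule)  # ValueError if absent, like iptables' "Bad rule" error

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First matching rule wins; a user chain that falls through returns None."""
    for rule in chains.get(chain, []):
        if all(rule.get(k, pkt[k]) == pkt[k] for k in ("-i", "-p", "dport")):
            if rule["-j"] not in chains:
                return rule["-j"]
            sub = verdict(chains, rule["-j"], pkt, policy=None)  # jump to user chain
            if sub is not None:
                return sub
    return policy

def demo():
    # Constructed base: INPUT jumps to RH-Firewall-1-INPUT, which ends in the catch-all REJECT
    chains = {}
    for c in ("iptables -A INPUT -j RH-Firewall-1-INPUT",
              "iptables -A RH-Firewall-1-INPUT -j REJECT"):
        apply(chains, c)
    pkt = {"-i": "eth1", "-p": "tcp", "dport": 2812}
    apply(chains, "iptables -A INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT")
    dead = verdict(chains, "INPUT", pkt)  # REJECT: the appended rule sits after the jump
    apply(chains, "iptables -D INPUT -i eth1 -p tcp --destination-port 2812 -j ACCEPT")
    apply(chains, "iptables -I RH-Firewall-1-INPUT -i eth1 -p tcp --dport 2812 -j ACCEPT")
    live = verdict(chains, "INPUT", pkt)  # ACCEPT: inserted ahead of the REJECT
    return dead, live
```

Note that `iptables -L` without `-v` hides the interface match, so the listings pasted in this thread cannot show whether a rule carries `-i eth1`; `iptables -S` or `iptables -L -v -n` prints it.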
Blaz, will your above command work to keep port 25 for outgoing traffic only?
Yes, because the connection must be opened from the interface eth0.
How do I check that the connection is open from interface eth0?
This condition is a part of the rule (-i eth0).
Actually I am confused. I have three interfaces.

They are eth0, eth1 and local.

eth0 corresponds to private ip
eth1 corresponds to public ip
local corresponds to localhost

Which of these do I have to use?
eth0.

If you are protecting the inner network then the packet establishing the TCP connection comes from the private network and passes to the internet. So it will have:
- eth0 as the input interface (-i)
- eth1 as the output interface (-o)
Can you give the exact command to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
SOLUTION

This solution is only available to members.