Solved

Can you explain this firewall rule?

Posted on 2008-06-18
Last Modified: 2008-06-23
Can someone please explain these firewall rules?

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

Question by:jaisonshereen
 

Expert Comment

by:Blaz
ID: 21819691
INPUT (packets coming locally to this machine) and FORWARD (packets traversing the machine to other machines) chains redirect all rule processing to the same chain - RH-Firewall-1-INPUT. The default policy for all the chains (INPUT, OUTPUT, FORWARD) is ACCEPT, which means that if a packet matches no rules it is accepted. Consequently, because you have no rules that would DROP or REJECT packets, all traffic is ACCEPTed.

In other words - there is no firewalling with these rules.

Do you have some other questions? It is much simpler to answer if you tell why you are asking or what the problem is.
 

Author Comment

by:jaisonshereen
ID: 21820418
I have configured a firewall rule in this .. it just accepts the port numbers 25 and 2813 in the firewall rule.

But after adding the line, I couldn't see any difference in the above output of iptables -L. Can you tell me, is iptables -L the command to check the firewall rules? And why are the rules not reflected in the above tables?
 

Expert Comment

by:Blaz
ID: 21820484
Yes, the two rules are listed in the output - you added them to the INPUT chain. It is the second and the third rule:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

dpt:smtp == destination port 25
dpt:atmtcp == destination port 2812

If you want to see port numbers you should write the command:
iptables -L -n

If you want the rules added to the RH-Firewall chain write:
iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
 

Author Comment

by:jaisonshereen
ID: 21820529
OK .. what is RH-Firewall? Does this mean the simple firewall itself?

I can see the INPUT chain, OUTPUT chain, FORWARD chain and RH-Firewall chain.

What is the difference?
 

Author Comment

by:jaisonshereen
ID: 21820536
And how do I erase those two lines that I have added? I mean I want to undo what I did ..
 

Expert Comment

by:Blaz
ID: 21820790
There are three predefined packet filtering chains available in iptables: INPUT, OUTPUT and FORWARD. Each chain contains rules for what to do with packets and a default policy (what to do with a packet that doesn't match any rule).

INPUT chain - processes all packets that are destined to the machine
OUTPUT chain - processes all packets that are sent from the machine itself
FORWARD chain - processes all packets that traverse the machine and do not end on the machine itself (if the machine is a gateway, firewall, router)

You can define your own chains - this is the case with the RH-Firewall-1-INPUT chain. In your case all packets from the INPUT and FORWARD chains go to the RH-Firewall-1-INPUT chain where they are processed.

See this HOWTO (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html) so that you will better understand how iptables works.
 

Author Comment

by:jaisonshereen
ID: 21820865
Thanks for all the information.

If I want to block only incoming and need to unblock outgoing,

I need to edit INPUT and OUTPUT, right? What command can I use?

 

Author Comment

by:jaisonshereen
ID: 21820869
Thanks for all the information.

If I want to block smtp only for incoming and need to unblock it for outgoing,

I need to edit INPUT and OUTPUT, right? What command can I use?
 

Expert Comment

by:Blaz
ID: 21820908
First of all (as I already said) your firewall configuration is VERY bad. You actually do not have any firewall, because you accept all the packets.

First of all please tell us where this firewall is used - is it only one machine protecting itself or is there an entire network behind the machine? What is the network configuration of the machine - which interface is the internet interface and which is the internal interface?

Could you post the contents of the /etc/sysconfig/iptables file - the rules will be clearer and corrections will be simpler.
 

Author Comment

by:jaisonshereen
ID: 21821189
There is an entire network behind this machine.
eth1 is the ethernet adapter .. however I can see eth0, eth1 and lo

eth0 for private ip
eth1 for public ip
lo for localhost


[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#
 

Expert Comment

by:Blaz
ID: 21821700
Change line:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
To:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

This will ensure that only mail from the internal network will go to the internet.

Mind that as far as I can figure out your configuration the users on your network can't access the web (port 80 and 443)

Whenever changing this file remember to run
/etc/init.d/iptables restart
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

Author Comment

by:jaisonshereen
ID: 21821768
Actually i want to do this :

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
 

Expert Comment

by:Blaz
ID: 21826200
OK. I will guess somewhat. If allowing all outgoing TCP traffic is an option I would change the rule
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
to:
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT

This rule would also cover the smtp traffic from inside so you could remove the rule:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

You should also add a rule for DNS traffic:
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT

PS: If you do not need internet printing and IPSEC packets (VPNs) these rules could be deleted to simplify the firewall.

So the iptables file should look like:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

Author Comment

by:jaisonshereen
ID: 21826233
OK .. that's nice ..

Then what about not exposing 5432 through the firewall?
 
Accepted Solution

by:Blaz (earned 500 total points)
ID: 21828879
Which way do you not want to expose it? From the internet or from the intranet?

If from the internet then please note that (in any good firewall - and this includes the above rules) all ports are blocked unless explicitly opened. I would really encourage you to read the packet filtering HOWTO to further understand how firewall rules work (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html).

Basically you have a "chain" of rules that are processed one by one (order is important) until one rule's conditions match. In your firewall - if all other rules do not match (all the other rules ACCEPT the packet) the last rule is REJECT with no condition. That means if a packet doesn't match any other rule it is rejected.
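To make the first-match walk that Blaz describes (in his chain explanation above and in the accepted solution) concrete, here is an added Python simulator; it is not code from the thread or from iptables. It evaluates sample packets against a constructed copy of the final RH-Firewall-1-INPUT chain posted above; the packet dicts and the subset of rules kept are assumptions for the example.

```python
import shlex
# Constructed copy of the custom chain from the final ruleset posted in this thread
# (the -p 50/51, mDNS and IPP rules are omitted for brevity).
RULES_TEXT = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

CRITERIA = {"-i": "iface", "-p": "proto"}   # options that test a packet field directly

def parse_rule(line):
    """Turn one iptables-save line into {criterion: value, "target": verdict}.
    -A, -m, --icmp-type and --reject-with carry no match criterion and are skipped."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-j":
            rule["target"] = arg
        elif opt == "--state":          # comma-separated set of conntrack states
            rule["state"] = set(arg.split(","))
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt in CRITERIA:
            rule[CRITERIA[opt]] = arg
        i += 2
    return rule

def matches(rule, pkt):
    """Every criterion the rule names must hold; fields it does not name are wildcards."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = pkt.get(key)
        if (have not in want) if key == "state" else (have != want):
            return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """First match wins (order matters); with no match the chain policy applies,
    which is why the trailing unconditional REJECT is what makes this a firewall."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
```

Running the same packets against RULES[:-1] (the chain without its final REJECT) shows the behaviour of the original iptables -L listing, where everything that reached the end of the chain fell through to the INPUT policy ACCEPT.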