Can you explain this firewall rule?

Can someone please explain these firewall rules?

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

Asked by jaisonshereen

1 Solution
 
Blaz commented:
INPUT (packets coming locally to this machine) and FORWARD (packets traversing the machine to other machines) chains redirect all rule processing to the same chain - RH-Firewall-1-INPUT. The default policy for all the chains (INPUT, OUTPUT, FORWARD) is ACCEPT, which means that if a packet matches no rules it is accepted. Consequently, because you have no rules that would DROP or REJECT packets, all traffic is ACCEPTed.

In other words - there is no firewalling with these rules.

Do you have some other questions? It is much simpler to answer if you tell why you are asking or what the problem is.
 
jaisonshereen (Author) commented:
I have configured a firewall rule in this .. it just accepts port numbers 25 and 2813 in the firewall rule.

But after adding the line, I couldn't see any difference in the above output of iptables -L. Can you tell me whether iptables -L is the command to check the firewall rules? And why are the rules not reflected in the above tables?
 
Blaz commented:
Yes, the two rules are listed in the output - you added them to the INPUT chain. It is the second and the third rule:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

dpt:smtp == destination port 25
dpt:atmtcp == destination port 2812

If you want to see port numbers you should write the command:
iptables -L -n

If you want the rules added to the RH-Firewall chain write:
iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
 
jaisonshereen (Author) commented:
ok .. what is RH-Firewall ..? does this mean the simple firewall itself?

I can see input chain, output chain, forward chain, rh firewall chain

what is the difference?
 
jaisonshereen (Author) commented:
And how do I erase those two lines that I have added? I mean I want to undo what I did ..
 
Blaz commented:
There are three predefined packet filtering chains available in IPtables: INPUT, OUTPUT and FORWARD. Each chain contains rules for what to do with packets and a default policy (what to do with a packet that doesn't match any rule).

INPUT chain - processes all packets that are destined to the machine
OUTPUT chain - processes all packets that are sent from the machine itself
FORWARD chain - processes all packets that traverse the machine and do not end on the machine itself (if the machine is a gateway, firewall, router)

You can define your own chains - this is the case with the RH-Firewall-1-INPUT chain. In your case all packets from the INPUT and FORWARD chains go to the RH-Firewall-1-INPUT chain where they are processed.

See this HOWTO (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html) so that you will better understand how IPtables works.
 
jaisonshereen (Author) commented:
Thanks for all the information.

if I want to block only incoming and need to unblock outgoing,,,

I need to edit INPUT and OUTPUT, right..? what command can I use..?
 
jaisonshereen (Author) commented:
Thanks for all the information.

if I want to block smtp only for incoming and need to unblock outgoing,,,

I need to edit INPUT and OUTPUT, right..? what command can I use..?
 
Blaz commented:
First of all (as I already said) your firewall configuration is VERY bad. You actually do not have any firewall, because you accept all the packets.

First of all please tell us where this firewall is used - is it only one machine protecting itself or is there an entire network behind the machine? What is the network configuration of the machine - which interface is the internet interface and which is the internal interface?

Could you post the contents of the /etc/sysconfig/iptables file - the rules will be clearer and corrections will be simpler.
 
jaisonshereen (Author) commented:
There is an entire network behind this machine,,,
eth1 is the ethernet adapter.. however I can see eth0, eth1 and lo

eth0 for private IP
eth1 for public IP
lo for localhost


[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#

 
Blaz commented:
Change line:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
To:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

This will ensure that only mail from the internal network will go to the internet.

Mind that, as far as I can figure out your configuration, the users on your network can't access the web (ports 80 and 443).

Whenever changing this file remember to run
/etc/init.d/iptables restart

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 
jaisonshereen (Author) commented:
Actually I want to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
 
Blaz commented:
OK. I will guess somewhat. If allowing all outgoing TCP traffic is an option I would change rule
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
to:
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT

This rule would also cover the smtp traffic from inside, so you could remove the rule:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

You should also add a rule for DNS traffic:
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT

PS: If you do not need internet printing and IPSEC packets (VPNs) these rules could be deleted to simplify the firewall.

So iptables file should look like:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 
jaisonshereen (Author) commented:
ok .. that's nice ..

then what about not exposing 5432 through the firewall?
 
Blaz commented:
Which way do you not want to expose it? From the internet or from the intranet?

If from the internet, then please note that (in any good firewall - and this includes the above rules) all ports are blocked unless explicitly opened. I would really encourage you to read the packet filtering HOWTO to further understand how firewall rules work (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html).

Basically you have a "chain" of rules that are processed one by one (order is important) until one rule's conditions match. In your firewall - if all other rules do not match (all the rules ACCEPT the packet) the last rule is REJECT with no condition. That means if a packet doesn't match any other rule it is rejected.
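The rule walk Blaz describes, as an added example that is not part of the thread: a small POSIX shell audit that reads a file in the /etc/sysconfig/iptables layout posted above, reports each built-in chain's default policy and what happens to a packet that matches no rule (following the unconditional jump into RH-Firewall-1-INPUT), and lists the ports ACCEPTed without an `-i` interface restriction, which is the point of the `-i eth0` change suggested earlier. The sample rules are a constructed, shortened copy of the posted file, and the function names are this example's own.

```shell
# Added example (not from the thread): audit a file in the iptables-save layout of
# /etc/sysconfig/iptables. The sample is a constructed, shortened copy of the posted rules.
RULES_FILE="${TMPDIR:-/tmp}/iptables-audit-sample.$$"
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# chain_policy FILE CHAIN -> default policy ("-" for user-defined chains)
chain_policy() { awk -v c=":$2" '$1 == c { print $2 }' "$1"; }

# chain_verdict FILE CHAIN -> "closed" when a packet matching no rule is rejected
# or dropped, "open" when it falls through to an ACCEPT policy. A final
# unconditional jump to a user chain (INPUT and FORWARD here) is followed,
# carrying the original chain's policy with it.
chain_verdict() {
    policy=${3:-$(chain_policy "$1" "$2")}
    # target of the chain's last rule, but only if that rule has no match ($3 is -j)
    last=$(awk -v c="$2" '$1 == "-A" && $2 == c { t = ($3 == "-j") ? $4 : "" } END { print t }' "$1")
    case "$last" in
        DROP|REJECT) echo closed ;;
        ACCEPT)      echo open ;;
        RETURN|"")   case "$policy" in DROP|REJECT) echo closed ;; *) echo open ;; esac ;;
        *)           chain_verdict "$1" "$last" "$policy" ;;
    esac
}

# open_dports FILE CHAIN -> --dport values ACCEPTed with no -i restriction, i.e. on every interface
open_dports() {
    awk -v c="$2" '$1 == "-A" && $2 == c && / -j ACCEPT/ && !/ -i / {
        for (i = 3; i <= NF; i++) if ($i == "--dport") s = s (s ? " " : "") $(i + 1) }
        END { print s }' "$1"
}

for c in INPUT FORWARD OUTPUT; do
    echo "$c: policy $(chain_policy "$RULES_FILE" "$c"), unmatched traffic $(chain_verdict "$RULES_FILE" "$c")"
done
echo "ports accepted on all interfaces: $(open_dports "$RULES_FILE" RH-Firewall-1-INPUT)"
```

Running it against a real `iptables-save` dump instead of the sample shows the same two things the thread turns on: whether a chain really ends in a terminal REJECT or silently falls back to an ACCEPT policy, and which ports are reachable from the public interface because their rule lacks `-i`.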