Solved

Can you explain this firewall rule?

Posted on 2008-06-18
Last Modified: 2008-06-23
Can someone please explain these firewall rules?

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

Question by:jaisonshereen
15 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 21819691
INPUT (packets coming locally to this machine) and FORWARD (packets traversing the machine to other machines) chains redirect all rule processing to the same chain - RH-Firewall-1-INPUT. The default policy for all the chains (INPUT, OUTPUT, FORWARD) is ACCEPT, which means that if a packet matches no rules it is accepted. Consequently, because you have no rules that would DROP or REJECT packets, all traffic is ACCEPTed.

In other words - there is no firewalling with these rules.

Do you have some other questions? It is much simpler to answer if you tell why you are asking or what the problem is.
 

Author Comment

by:jaisonshereen
ID: 21820418
I have configured a firewall rule in this. It just accepts port numbers 25 and 2813 in the firewall rule.

But after adding the line, I couldn't see any difference in the above output of iptables -L. Can you tell me whether iptables -L is the command to check the firewall rules? And why are the rules not reflected in the above tables?
 
LVL 16

Expert Comment

by:Blaz
ID: 21820484
Yes, the two rules are listed in the output - you added them to the INPUT chain. They are the second and the third rule:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

dpt:smtp == destination port 25
dpt:atmtcp == destination port 2812

If you want to see port numbers you should write the command:
iptables -L -n

If you want the rules added to the RH-Firewall chain write:
iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT
 

Author Comment

by:jaisonshereen
ID: 21820529
OK.. what is RH-Firewall? Does this mean the simple firewall itself?

I can see the input chain, output chain, forward chain and RH firewall chain.

What is the difference?
 

Author Comment

by:jaisonshereen
ID: 21820536
And how do I erase those two lines that I have added? I mean I want to undo what I did..
 
LVL 16

Expert Comment

by:Blaz
ID: 21820790
There are three predefined packet filtering chains available in IPtables: INPUT, OUTPUT and FORWARD. Each chain contains rules for what to do with packets and a default policy (what to do with a packet that doesn't match any rule).

INPUT chain - processes all packets that are destined to the machine
OUTPUT chain - processes all packets that are sent from the machine itself
FORWARD chain - processes all packets that traverse the machine and do not end on the machine itself (if the machine is a gateway, firewall, router)

You can define your own chains - this is the case with RH-Firewall-1-INPUT chain. In your case all packets from INPUT and FORWARD chains go to RH-Firewall-1-INPUT chain where they are processed.

See this HOWTO (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html) so that you will better understand how IPtables works.
 

Author Comment

by:jaisonshereen
ID: 21820865
Thanks for all the information.

If I want to block only for incoming and need to unblock for outgoing...

I need to edit INPUT and OUTPUT, right? What command can I use?
 

Author Comment

by:jaisonshereen
ID: 21820869
Thanks for all the information.

If I want to block smtp only for incoming and need to unblock for outgoing...

I need to edit INPUT and OUTPUT, right? What command can I use?
 
LVL 16

Expert Comment

by:Blaz
ID: 21820908
First of all (as I already said) your firewall configuration is VERY bad. You actually do not have any firewall, because you accept all the packets.

Second, please tell us where this firewall is used - is it only a single machine protecting itself, or is there an entire network behind the machine? What is the network configuration of the machine - which interface is the internet interface and which is the internal interface?

Could you post the contents of the /etc/sysconfig/iptables file? The rules will be clearer and corrections will be simpler.
 

Author Comment

by:jaisonshereen
ID: 21821189
There is an entire network behind this machine.
eth1 is the ethernet adapter; however I can see eth0, eth1 and lo

eth0 for private IP
eth1 for public IP
lo for localhost


[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#
 
LVL 16

Expert Comment

by:Blaz
ID: 21821700
Change line:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
To:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

This will ensure that only mail from the internal network will go to the internet.

Mind that, as far as I can figure out your configuration, the users on your network can't access the web (ports 80 and 443).

Whenever changing this file, remember to run
/etc/init.d/iptables restart

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 

Author Comment

by:jaisonshereen
ID: 21821768
Actually I want to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
 
LVL 16

Expert Comment

by:Blaz
ID: 21826200
OK. I will guess somewhat. If allowing all outgoing TCP traffic is an option, I would change the rule
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
to:
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT

This rule would also cover the smtp traffic from inside, so you could remove the rule:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

You should also add a rule for DNS traffic:
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT

PS: If you do not need internet printing and IPSEC packets (VPNs), these rules could be deleted to simplify the firewall.

So iptables file should look like:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 

Author Comment

by:jaisonshereen
ID: 21826233
OK.. that's nice..

Then what about not exposing 5432 through the firewall?
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 21828879
Which way do you not want to expose it? From the internet or from the intranet?

If from internet then please note that (in any good firewall - and this includes the above rules) all ports are blocked unless explicitly opened. I would really encourage you to read the packet filtering HOWTO to further understand how firewall rules work (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html).

Basically you have a "chain" of rules that are processed one by one (order is important) until one rule's conditions match. In your firewall, if all the other rules do not match (all the other rules ACCEPT the packet), the last rule is REJECT with no condition. That means if a packet doesn't match any other rule it is rejected.
