Can you explain this firewall rule?

Posted on 2008-06-18
Last Modified: 2008-06-23
Can someone please explain these firewall rules?

[root@server monit-5.0-beta1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.XX         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
[root@server monit-5.0-beta1]#

Question by:jaisonshereen
15 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 21819691
INPUT (packets coming locally to this machine) and FORWARD (packets traversing the machine to other machines) chains redirect all rule processing to the same chain - RH-Firewall-1-INPUT. The default policy for all the chains (INPUT, OUTPUT, FORWARD) is ACCEPT, which means that if a packet matches no rules it is accepted. Consequently, because you have no rules that would DROP or REJECT packets, all traffic is ACCEPTed.

In other words - there is no firewalling with these rules.

Do you have some other questions? It is much simpler to answer if you tell why you are asking or what the problem is.
 

Author Comment

by:jaisonshereen
ID: 21820418
I have configured a firewall rule in this; it just accepts port numbers 25 and 2813 in the firewall rule.

But after adding the line, I couldn't see any difference in the above output of iptables -L. Can you tell me whether iptables -L is the command to check the firewall rules, and why the rules are not reflected in the above tables?
 
LVL 16

Expert Comment

by:Blaz
ID: 21820484
Yes, the two rules are listed in the output - you added them to the INPUT chain. They are the second and the third rule:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:atmtcp

dpt:smtp == destination port 25
dpt:atmtcp == destination port 2812

If you want to see port numbers you should write the command:
iptables -L -n

If you want the rules added to the RH-Firewall chain write:
iptables -A RH-Firewall-1-INPUT -i eth1 -p tcp --destination-port 25 -j ACCEPT

Author Comment

by:jaisonshereen
ID: 21820529
OK, what is RH-Firewall? Does this mean the simple firewall itself?

I can see the input chain, output chain, forward chain and RH firewall chain.

What is the difference?
 

Author Comment

by:jaisonshereen
ID: 21820536
And how do I erase those two lines that I added? I mean, I want to undo what I did.
 
LVL 16

Expert Comment

by:Blaz
ID: 21820790
There are three predefined packet filtering chains available in IPtables: INPUT, OUTPUT and FORWARD. Each chain contains rules for what to do with packets and a default policy (what to do with a packet that doesn't match any rule).

INPUT chain - processes all packets that are destined to the machine
OUTPUT chain - processes all packets that are sent from the machine itself
FORWARD chain - processes all packets that traverse the machine and do not end on the machine itself (if the machine is a gateway, firewall, router)

You can define your own chains - this is the case with the RH-Firewall-1-INPUT chain. In your case all packets from the INPUT and FORWARD chains go to the RH-Firewall-1-INPUT chain, where they are processed.

See this HOWTO (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html) so that you will better understand how IPtables works.
 

Author Comment

by:jaisonshereen
ID: 21820865
Thanks for all the information.

If I want to block only incoming and need to unblock outgoing,

I need to edit INPUT and OUTPUT, right? What command can I use?
 

Author Comment

by:jaisonshereen
ID: 21820869
Thanks for all the information.

If I want to block smtp only for incoming and need to unblock it for outgoing,

I need to edit INPUT and OUTPUT, right? What command can I use?
 
LVL 16

Expert Comment

by:Blaz
ID: 21820908
First of all (as I already said), your firewall configuration is VERY bad. You actually do not have any firewall, because you accept all the packets.

First of all, please tell us where this firewall is used - is it only one machine protecting itself or is there an entire network behind the machine? What is the network configuration of the machine - which interface is the internet interface and which is the internal interface?

Could you post the contents of the /etc/sysconfig/iptables file - the rules will be clearer and corrections will be simpler.
 

Author Comment

by:jaisonshereen
ID: 21821189
There is an entire network behind this machine.
eth1 is the ethernet adapter; however, I can see eth0, eth1 and lo.

eth0 for private IP
eth1 for public IP
lo for localhost


[root@server sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@server sysconfig]#


 
LVL 16

Expert Comment

by:Blaz
ID: 21821700
Change line:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
To:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

This will ensure that only mail from the internal network will go to the internet.

Mind that, as far as I can figure out your configuration, the users on your network can't access the web (ports 80 and 443).

Whenever changing this file, remember to run
/etc/init.d/iptables restart
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

Author Comment

by:jaisonshereen
ID: 21821768
Actually I want to do this:

I shouldn't expose 25 and 5432 through the firewall.
I need to unblock ports 22 for ssh, 80 for http and 443 for https.
25 should be kept open for outgoing traffic only.
 
LVL 16

Expert Comment

by:Blaz
ID: 21826200
OK. I will guess somewhat. If allowing all outgoing TCP traffic is an option, I would change the rule
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
to:
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT

This rule would also cover the smtp traffic from inside, so you could remove the rule:
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

You should also add a rule for DNS traffic:
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT

PS: If you do not need internet printing and IPSEC packets (VPNs), these rules could be deleted to simplify the firewall.

So the iptables file should look like:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp --dport 5353 -d 224.xx.0.xx -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

Author Comment

by:jaisonshereen
ID: 21826233
OK, that's nice.

Then what about not exposing 5432 through the firewall?
 
LVL 16

Accepted Solution

by:Blaz (earned 2000 total points)
ID: 21828879
Which way do you not want to expose it? From the internet or from the intranet?

If from the internet, then please note that (in any good firewall - and this includes the above rules) all ports are blocked unless explicitly opened. I would really encourage you to read the packet filtering HOWTO to further understand how firewall rules work (http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html).

Basically you have a "chain" of rules that are processed one by one (order is important) until one rule's conditions match. In your firewall - if none of the other rules match (all the other rules ACCEPT the packet) - the last rule is REJECT with no condition. That means if a packet doesn't match any other rule it is rejected.
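To make the rule walk Blaz describes concrete (jump from INPUT/FORWARD into RH-Firewall-1-INPUT, first match wins, the unconditional REJECT at the end), here is an added Python evaluator that is not part of the thread: it parses the iptables-save syntax quoted above and returns the verdict for constructed packets. It understands only the options used in that file and embeds a trimmed copy of the final rule set; note that with that set a NEW SSH connection arriving on eth1 falls through to the closing REJECT, since the dport 22 rule was replaced.

```python
import shlex

# Constructed sample: the final rule set Blaz posted, minus the IPP, IPsec and mDNS lines.
RULES_TEXT = """
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p tcp -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Options understood, mapped to the rule field they set; -m <module> and --reject-with are skipped.
FIELD = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state", "-j": "target"}

def parse(text):
    # iptables-save syntax: ':CHAIN POLICY' declares a chain, '-A CHAIN ... -j TARGET' appends a rule.
    policies, chains = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):
            policies[tok[0][1:]], chains[tok[0][1:]] = tok[1], []   # '-' marks a user chain
        elif tok and tok[0] == "-A":
            rule = {}
            for flag, val in zip(tok[2::2], tok[3::2]):  # every option in this file takes one value
                if flag in FIELD:
                    rule[FIELD[flag]] = set(val.split(",")) if flag == "--state" else val
            chains[tok[1]].append(rule)
    return policies, chains

def matches(rule, pkt):
    # Every criterion the rule names must agree with the packet; a rule with none matches everything.
    return all(pkt[k] in v if k == "state" else pkt[k] == v
               for k, v in rule.items() if k != "target")
def verdict(chain, pkt, policies, chains):
    # First matching rule wins; a user chain that matches nothing returns to the chain that jumped.
    for rule in chains[chain]:
        if matches(rule, pkt):
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["target"]
            sub = verdict(rule["target"], pkt, policies, chains)
            if sub:
                return sub
    return None if policies[chain] == "-" else policies[chain]  # built-in chain's default policy
def check(iface, proto, dport, state, chain="INPUT"):
    pkt = {"iface": iface, "proto": proto, "dport": str(dport), "state": state}
    return verdict(chain, pkt, *parse(RULES_TEXT))
```

check("eth1", "tcp", 25, "NEW") gives REJECT while check("eth0", "tcp", 25, "NEW") gives ACCEPT, which is the "outgoing only" behaviour the asker wanted for SMTP.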
