Solved

Centos5.3: iptables: help understanding config...

Posted on 2011-03-15
4
485 Views
Last Modified: 2012-05-11
hello experts,

Here is my iptables config script:

------------------
[root@config confserv]# cat /SCRIPTS/myfirewall.sh
#!/bin/bash
#
# iptables configuration script
#
# flush all existing rules
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
/sbin/iptables -A INPUT -s 192.168.0.1 -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s 192.168.0.120 -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s 192.168.0.114 -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?


/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/service iptables save

/sbin/iptables -L -v
--------------------------------

My question is what are chain #6 and 10?:

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:901
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2020
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2021
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4999
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                            what is this?
7    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
8    ACCEPT     all  --  192.168.0.120        0.0.0.0/0
9    ACCEPT     all  --  192.168.0.114        0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903    what is this?
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


thank you experts....

regards,
0
Comment
Question by:epifanio67
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35143389
6: Accept all packets (tcp, udp) from any IP address to any IP address, no protocol or port specified (restricted)
7: Accept  all packets from IP address 192.168.0.1 to any destination IP address.
8: Same as 7 but the source IP address  is different.
9: Same as previous 2 with different source IP address.
10: Accept only TCP packets from any IP to any IP address with one condition that the target (destination) port number in the packets should be 903
0
 

Author Comment

by:epifanio67
ID: 35147064
thank you Farzani,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Regards,
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 250 total points
ID: 35147099
Instead of "/sbin/service iptables status" try running "/sbin/iptables -L -nv". It will give you more details about the rule (out/in interface restriction).

Your script adds rule by rule so in the output you can match a rule exactly to a command you issued in the script.
So for rule #6 you can see that the rule is:
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
This accepts all local loopback traffic which is OK.

And rule #10 is:
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?
I have no idea why you have this enabled, however you should have - it could by for VMWare Client console for example or some other things.
0
 

Author Closing Comment

by:epifanio67
ID: 35147829
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now