Solved

Centos5.3: iptables: help understanding config...

Posted on 2011-03-15
4
482 Views
Last Modified: 2012-05-11
hello experts,

Here is my iptables config script:

------------------
[root@config confserv]# cat /SCRIPTS/myfirewall.sh
#!/bin/bash
#
# iptables configuration script
#
# flush all existing rules
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
/sbin/iptables -A INPUT -s 192.168.0.1 -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s 192.168.0.120 -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s 192.168.0.114 -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?


/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/service iptables save

/sbin/iptables -L -v
--------------------------------

My question is what are chain #6 and 10?:

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:901
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2020
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2021
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4999
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                            what is this?
7    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
8    ACCEPT     all  --  192.168.0.120        0.0.0.0/0
9    ACCEPT     all  --  192.168.0.114        0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903    what is this?
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


thank you experts....

regards,
0
Comment
Question by:epifanio67
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35143389
6: Accept all packets (tcp, udp) from any IP address to any IP address, no protocol or port specified (restricted)
7: Accept  all packets from IP address 192.168.0.1 to any destination IP address.
8: Same as 7 but the source IP address  is different.
9: Same as previous 2 with different source IP address.
10: Accept only TCP packets from any IP to any IP address with one condition that the target (destination) port number in the packets should be 903
0
 

Author Comment

by:epifanio67
ID: 35147064
thank you Farzani,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Regards,
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 250 total points
ID: 35147099
Instead of "/sbin/service iptables status" try running "/sbin/iptables -L -nv". It will give you more details about the rule (out/in interface restriction).

Your script adds rule by rule so in the output you can match a rule exactly to a command you issued in the script.
So for rule #6 you can see that the rule is:
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
This accepts all local loopback traffic which is OK.

And rule #10 is:
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?
I have no idea why you have this enabled, however you should have - it could by for VMWare Client console for example or some other things.
0
 

Author Closing Comment

by:epifanio67
ID: 35147829
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now