Solved

Centos5.3: iptables: help understanding config...

Posted on 2011-03-15
4
488 Views
Last Modified: 2012-05-11
hello experts,

Here is my iptables config script:

------------------
[root@config confserv]# cat /SCRIPTS/myfirewall.sh
#!/bin/bash
#
# iptables configuration script
#
# flush all existing rules
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
/sbin/iptables -A INPUT -s 192.168.0.1 -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s 192.168.0.120 -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s 192.168.0.114 -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?


/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/service iptables save

/sbin/iptables -L -v
--------------------------------

My question is what are chain #6 and 10?:

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:901
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2020
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2021
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4999
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                            what is this?
7    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
8    ACCEPT     all  --  192.168.0.120        0.0.0.0/0
9    ACCEPT     all  --  192.168.0.114        0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903    what is this?
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


thank you experts....

regards,
0
Comment
Question by:epifanio67
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35143389
6: Accept all packets (tcp, udp) from any IP address to any IP address, no protocol or port specified (restricted)
7: Accept  all packets from IP address 192.168.0.1 to any destination IP address.
8: Same as 7 but the source IP address  is different.
9: Same as previous 2 with different source IP address.
10: Accept only TCP packets from any IP to any IP address with one condition that the target (destination) port number in the packets should be 903
0
 

Author Comment

by:epifanio67
ID: 35147064
thank you Farzani,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Regards,
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 250 total points
ID: 35147099
Instead of "/sbin/service iptables status" try running "/sbin/iptables -L -nv". It will give you more details about the rule (out/in interface restriction).

Your script adds rule by rule so in the output you can match a rule exactly to a command you issued in the script.
So for rule #6 you can see that the rule is:
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
This accepts all local loopback traffic which is OK.

And rule #10 is:
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?
I have no idea why you have this enabled, however you should have - it could by for VMWare Client console for example or some other things.
0
 

Author Closing Comment

by:epifanio67
ID: 35147829
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question