Solved

Centos5.3: iptables: help understanding config...

Posted on 2011-03-15
4
487 Views
Last Modified: 2012-05-11
hello experts,

Here is my iptables config script:

------------------
[root@config confserv]# cat /SCRIPTS/myfirewall.sh
#!/bin/bash
#
# iptables configuration script
#
# flush all existing rules
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
/sbin/iptables -A INPUT -s 192.168.0.1 -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s 192.168.0.120 -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s 192.168.0.114 -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?


/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/service iptables save

/sbin/iptables -L -v
--------------------------------

My question is what are chain #6 and 10?:

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:901
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2020
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2021
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4999
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                            what is this?
7    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
8    ACCEPT     all  --  192.168.0.120        0.0.0.0/0
9    ACCEPT     all  --  192.168.0.114        0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903    what is this?
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


thank you experts....

regards,
0
Comment
Question by:epifanio67
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35143389
6: Accept all packets (tcp, udp) from any IP address to any IP address, no protocol or port specified (restricted)
7: Accept  all packets from IP address 192.168.0.1 to any destination IP address.
8: Same as 7 but the source IP address  is different.
9: Same as previous 2 with different source IP address.
10: Accept only TCP packets from any IP to any IP address with one condition that the target (destination) port number in the packets should be 903
0
 

Author Comment

by:epifanio67
ID: 35147064
thank you Farzani,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Regards,
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 250 total points
ID: 35147099
Instead of "/sbin/service iptables status" try running "/sbin/iptables -L -nv". It will give you more details about the rule (out/in interface restriction).

Your script adds rule by rule so in the output you can match a rule exactly to a command you issued in the script.
So for rule #6 you can see that the rule is:
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
This accepts all local loopback traffic which is OK.

And rule #10 is:
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?
I have no idea why you have this enabled, however you should have - it could by for VMWare Client console for example or some other things.
0
 

Author Closing Comment

by:epifanio67
ID: 35147829
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question