(Msg. 1) Posted: Thu Dec 11, 2008 11:24 am
Post subject: iptables question
Archived from groups: linux>redhat
I tried to configure IPTABLES myself with near disaster. Here's what I want
to allow:
www(80), SSL/www(443), SSH(22), SMTP and POP mail, and whatever ports I need
for WinSCP.
I found the below as a start:
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
# iptables -A INPUT -j LOG -m limit
# iptables -A INPUT -j REJECT
Does that look like it does most of what I need? The "www,ssh,smtp" in line
3 above confuses me because I am more familiar with ports. What else do I
need to add to achieve my above objectives and secure the server?
Currently, when I do , I get (which is bad):
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
Many thanks!

(Msg. 2) Posted: Thu Dec 11, 2008 11:03 pm
Post subject: Re: iptables question
newnie wrote:
> I tried to configure IPTABLES myself with near disaster. Here's what I want
> to allow:
>
> www(80), SSL/www(443), SSH(22), SMTP and POP mail, and whatever ports I need
> for WinSCP.
>
> I found the below as a start:
> # iptables -F INPUT
> # iptables -A INPUT -i lo -j ACCEPT
> # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
> # iptables -A INPUT -j LOG -m limit
> # iptables -A INPUT -j REJECT
>
> Does that look like it does most of what I need? The "www,ssh,smtp" in line
> 3 above confuse me because I am more familiar with ports. What else do I
> need to add to achieve my above objectives and secure the server?
>
> Currently, when I do , I get (which is bad):
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
>
> Many thanks!
>
>
Newnie,
Why not use system-config-securitylevel?
It will create an example /etc/sysconfig/iptables file for you, after
you do a service iptables save.
Kind regards,
Jan Gerrit Kootstra

(Msg. 3) Posted: Thu Dec 11, 2008 11:03 pm
Post subject: Re: iptables question
"Jan Gerrit Kootstra" <jan.gerrit RemoveThis @kootstra.org.uk> wrote in message
news:e926c$49418e32$d55d2be5$14444@news.chello.nl...
> newnie wrote:
>> I tried to configure IPTABLES myself with near disaster. Here's what I
>> want to allow:
>>
>> www(80), SSL/www(443), SSH(22), SMTP and POP mail, and whatever ports I
>> need for WinSCP.
>>
>> I found the below as a start:
>> # iptables -F INPUT
>> # iptables -A INPUT -i lo -j ACCEPT
>> # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
>> # iptables -A INPUT -j LOG -m limit
>> # iptables -A INPUT -j REJECT
>>
>> Does that look like it does most of what I need? The "www,ssh,smtp" in
>> line 3 above confuse me because I am more familiar with ports. What else
>> do I need to add to achieve my above objectives and secure the server?
>>
>> Currently, when I do , I get (which is bad):
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
>>
>> Many thanks!
> Newnie,
>
>
> Why not use system-config-securitylevel?
> It will create an example /etc/sysconfig/iptables file for you, after you
> do a service iptables save.
>
>
> Kind regards,
>
>
> Jan Gerrit Kootstra
How do I do that?

(Msg. 4) Posted: Thu Dec 11, 2008 11:42 pm
Post subject: Re: iptables question
newnie wrote:
> "Jan Gerrit Kootstra" <jan.gerrit DeleteThis @kootstra.org.uk> wrote in message
> news:e926c$49418e32$d55d2be5$14444@news.chello.nl...
>> newnie wrote:
>>> I tried to configure IPTABLES myself with near disaster. Here's what I
>>> want to allow:
>>>
>>> www(80), SSL/www(443), SSH(22), SMTP and POP mail, and whatever ports I
>>> need for WinSCP.
>>>
>>> I found the below as a start:
>>> # iptables -F INPUT
>>> # iptables -A INPUT -i lo -j ACCEPT
>>> # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
>>> # iptables -A INPUT -j LOG -m limit
>>> # iptables -A INPUT -j REJECT
>>>
>>> Does that look like it does most of what I need? The "www,ssh,smtp" in
>>> line 3 above confuse me because I am more familiar with ports. What else
>>> do I need to add to achieve my above objectives and secure the server?
>>>
>>> Currently, when I do , I get (which is bad):
>>> Chain INPUT (policy ACCEPT)
>>> target prot opt source destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target prot opt source destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>> REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
>>>
>>> Many thanks!
>> Newnie,
>>
>>
>> Why not use system-config-securitylevel?
>> It will create an example /etc/sysconfig/iptables file for you, after you
>> do a service iptables save.
>>
>>
>> Kind regards,
>>
>>
>> Jan Gerrit Kootstra
>
> How do I do that?
>
>
It is a GUI or a TUI; you can start it from a console or a terminal.
In the GUI use the Firewall tab.
In the TUI use Change (I think); I run a localized RHEL 5.2 so I do not
know what the English button is.
Kind regards,
Jan Gerrit Kootstra

(Msg. 5) Posted: Mon Dec 15, 2008 12:03 pm
Post subject: Re: iptables question
I use it through the command line, not a GUI.

(Msg. 6) Posted: Mon Dec 15, 2008 6:36 pm
Post subject: Re: iptables question
newnie wrote:
> I use it through command line, not a gui
>
>
Newnie,
The system-config-securitylevel TUI is what you start when you call
system-config-securitylevel from a command line without X Windows.
system-config-securitylevel will start the GUI if it can find an
X Windows environment.
I just used it to give you an example on a test server.
The resulting /etc/sysconfig/iptables looks like this:
# Generated by iptables-save v1.3.5 on Mon Dec 15 18:30:41 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [421388:161252296]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec 15 18:30:41 2008
Kind regards,
Jan Gerrit Kootstra

(Msg. 7) Posted: Sun Dec 21, 2008 5:20 pm
Post subject: Re: iptables question
Dear newnie,
newnie wrote:
> I tried to configure IPTABLES myself with near disaster. Here's what I
> want to allow:
>
> www(80), SSL/www(443), SSH(22), SMTP and POP mail, and whatever ports I
> need for WinSCP.
>
> I found the below as a start:
> # iptables -F INPUT
> # iptables -A INPUT -i lo -j ACCEPT
> # iptables -A INPUT -m multiport -p tcp --dport www,ssh,smtp -j ACCEPT
> # iptables -A INPUT -j LOG -m limit
> # iptables -A INPUT -j REJECT
>
> Does that look like it does most of what I need? The "www,ssh,smtp" in
> line
> 3 above confuse me because I am more familiar with ports. What else do I
> need to add to achieve my above objectives and secure the server?
>
> Currently, when I do , I get (which is bad):
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-port-unreachable
>
> Many thanks!
I do not see that many problems with your commands,
apart from the question whether it makes sense to log all rubbish
which reaches your machine before rejecting it...
After the commands:
-----------------------------
/sbin/iptables -F INPUT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m multiport -p tcp --dport http,https,pop3,ssh,smtp -j ACCEPT
/sbin/iptables -A INPUT -j LOG -m limit
/sbin/iptables -A INPUT -j REJECT
-------------------------------
/sbin/iptables -L gives:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere multiport dports http,https,pop3,ssh,smtp
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
The port names are translated to port numbers by the file
/etc/services, so "http" and "www" are the same as 80.
My system: Fedora 10
Addendum: I broke my own system with those commands:
you need to add the line:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
if you want to reach servers FROM the host running the iptables, otherwise
replies from those servers will be rejected.
Good luck and kind regards,
H. Janssen
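An added example, not code from any poster in this thread: a small Python model of first-match INPUT chain evaluation, built from the rules posted above, that shows why H. Janssen's ESTABLISHED,RELATED addendum matters (without it, replies to connections the host itself opened fall through to the catch-all REJECT) and how --dport service names are resolved through /etc/services, as the reply explains. The sample packets, the fallback service table and the interface name eth0 are constructed assumptions.

```python
import socket

# Constructed fallback mirroring /etc/services entries; used if the host lacks the file.
FALLBACK_SERVICES = {"www": 80, "http": 80, "https": 443, "pop3": 110,
                     "ssh": 22, "smtp": 25, "telnet": 23}

def service_port(name):
    """Resolve a --dport name to a number the way iptables does via /etc/services."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return FALLBACK_SERVICES[name]

def rule(target, proto=None, dports=None, in_iface=None, states=None):
    """One INPUT rule; a None field matches anything, like an omitted iptables match."""
    return {"target": target, "proto": proto, "in_iface": in_iface,
            "dports": None if dports is None else {service_port(p) for p in dports.split(",")},
            "states": None if states is None else set(states.split(","))}

def matches(r, pkt):
    """Every match the rule specifies must hold for the packet."""
    return ((r["in_iface"] is None or r["in_iface"] == pkt["in_iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dports"] is None or pkt["dport"] in r["dports"])
            and (r["states"] is None or pkt["state"] in r["states"]))

def evaluate(chain, policy, pkt):
    """Walk the chain top to bottom: the first matching terminating rule decides;
    LOG only records the packet and continues. Returns (verdict, logged packets)."""
    logged = []
    for r in chain:
        if not matches(r, pkt):
            continue
        if r["target"] == "LOG":
            logged.append(pkt)
            continue
        return r["target"], logged
    return policy, logged

# The poster's ruleset: loopback, multiport ACCEPT, LOG, catch-all REJECT, no state rule.
ORIGINAL = [rule("ACCEPT", in_iface="lo"), rule("ACCEPT", proto="tcp", dports="www,ssh,smtp"),
            rule("LOG"), rule("REJECT")]
# H. Janssen's version: state rule added, and 443/110 opened as the poster wanted.
FIXED = [ORIGINAL[0], rule("ACCEPT", states="ESTABLISHED,RELATED"),
         rule("ACCEPT", proto="tcp", dports="http,https,pop3,ssh,smtp")] + ORIGINAL[2:]

def verdict(chain, proto, dport, state, in_iface="eth0"):
    """Chain policy is ACCEPT as in the posted listings; the catch-all REJECT makes it moot."""
    pkt = {"proto": proto, "dport": dport, "state": state, "in_iface": in_iface}
    return evaluate(chain, "ACCEPT", pkt)[0]
```

A UDP reply arriving on an ephemeral port in state ESTABLISHED (for example the answer to the host's own DNS query) is logged and rejected by ORIGINAL but accepted by FIXED, which is exactly the breakage the addendum describes.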