Re: [SLUG] packet filtering using ipchains

From: Travis Walls (twalls@tampabay.rr.com)
Date: Wed Jul 25 2001 - 18:31:15 EDT


Derek,

I am in need of your expertise once again. I was successful in setting up
the iptables rules to load at startup using the built-in RH iptables
scripts. Basically, I deleted the /etc/sysconfig/ipchains config file
and made an iptables config file. Then I removed any link to the ipchains
startup script from the rc* folders. OK, here is the weird thing: I did
what you said about logging the dest ports that I needed to have and
added them to the parsable config file. However, it doesn't like the
syntax and thus opens all my ports. UGH!

Here is what is in /etc/sysconfig/iptables

*filter

# By default, I drop all

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# I allow for local loopback traffic

-A INPUT -j ACCEPT -i lo
-A INPUT -j ACCEPT -i eth0 -m state --state RELATED,ESTABLISHED

# once again allow loopback

-A OUTPUT -j ACCEPT -o lo

# these allow various services that I need; some work, some don't. Note
# that I got these from the log file and tried aliasing with the port names
# listed in /etc/services to make it readable

-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport ftp
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport smtp
-A OUTPUT -j ACCEPT -o eth0 -p udp --dport domain
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport http
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport pop3
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport nntp
-A OUTPUT -j ACCEPT -o eth0 -p udp --dport 4000
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport ircd
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport 8875
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport 9898
-A OUTPUT -j ACCEPT -o eth0 -p udp --dport 27950

-A OUTPUT -j LOG -o eth0

# for some reason it didn't like the string... "OUTPUT DROP: " the error
# said that DROP: was invalid?!?

COMMIT

What am I doing wrong here? Is this just a bug with iptables or just
undocumented syntax?

Thanks again for your time,
Travis

Derek Glidden wrote:

> Travis Walls wrote:
>
>> Derek,
>>
>> Thank you very much for your tips. I now realize how difficult making a
>> secure firewall really is. I stayed up till about 1 am writing ipchains
>> rules. I had about 94 when I was done. Like you said though, it's still not
>> really usable as an internet workstation. So I'm going to try to find out
>> how to make iptables my default filtering software (i.e. remove the
>> ipchains config file and make an iptables config file). I will then try the
>> tedious process of logging blocked services and opening up those that
>> are needed. Time to learn from the iptables man page...
>>
>> Thanks so much for your time,
>
>
> No worries. IPtables *should* be in the 2.4 kernel that RedHat 7.1 uses
> so there shouldn't be any magic in making the system work with iptables
> over ipchains, other than maybe installing the iptables toolchain.
>
> The 'iptables' tool command-line syntax is very similar to 'ipchains',
> but there are a few extra options and some things like the "-l" option
> in ipchains to log anything that a rule does have been replaced with
> extra targets like the "LOG" target, which makes iptables more powerful
> and flexible, but will also make your rulesets larger.
>
> Unfortunately, none of the documentation I've ever found for
> ipchains/iptables is too terribly easy to understand. Probably because
> the packages themselves and concepts behind them are not entirely easy
> to deal with.
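An added static check for the iptables-restore file format, written for this archive page; it is not Travis's file, nor Red Hat's or the iptables project's tooling, and the names (lint_ruleset, safe_log_prefix, BROKEN, FIXED) and the sample rulesets are constructed. It models the two ways the posted file can fail to load: a comment that has been wrapped onto a second line without a leading "#" (as the comment block appears in the mail), and a --log-prefix whose value contains a space, which older iptables-restore versions split on whitespace without honouring quotes, so the second word of the prefix arrives as a stray token, matching the "DROP: was invalid" error quoted in the thread. The defender's point is the fail-open behaviour Travis observed: when iptables-restore rejects the file, nothing is committed and the built-in chains keep their ACCEPT policy, so a "default DROP" ruleset with a syntax error leaves every port open.

```python
"""Lint an iptables-restore file (the /etc/sysconfig/iptables format).

Constructed example for the thread above; not the poster's file and not
iptables' own code. The rule walker does a naive whitespace split, as
quote-unaware restore tools did, so it reports the same stray token.
"""
import re

# Options that take no value; every other option starting with '-' takes one.
NO_VALUE_OPTS = {"--syn", "--log-tcp-sequence", "--log-tcp-options",
                 "--log-ip-options"}

POLICY_RE = re.compile(r":(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]")


def lint_ruleset(text):
    """Return [(line_no, message), ...] for lines iptables-restore would reject.

    Line number 0 is used for whole-file problems such as a missing COMMIT."""
    problems = []
    saw_table = saw_commit = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            saw_table = True
            continue
        if line == "COMMIT":
            saw_commit = True
            continue
        if line.startswith(":"):            # chain policy, e.g. :INPUT DROP [0:0]
            if not POLICY_RE.fullmatch(line):
                problems.append((no, "malformed chain policy line"))
            continue
        if line.startswith("-"):            # a rule
            problems.extend((no, msg) for msg in _check_rule(line))
            continue
        problems.append((no, "not a comment, table, policy, rule or COMMIT "
                             "(a comment wrapped onto a second line?)"))
    if saw_table and not saw_commit:
        problems.append((0, "missing COMMIT"))
    return problems


def _check_rule(line):
    """Walk a rule line the way a quote-unaware iptables-restore would."""
    tokens = line.split()                   # naive split: quotes are ignored
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # negation applies to the next option
            i += 1
            continue
        if not tok.startswith("-"):
            return [f"unexpected token {tok!r} (space inside a quoted value?)"]
        i += 1
        if tok in NO_VALUE_OPTS:
            continue
        if i >= len(tokens) or tokens[i].startswith("-"):
            return [f"option {tok} is missing its value"]
        i += 1
    return []


def safe_log_prefix(rule):
    """Rewrite a quoted --log-prefix so it contains no whitespace.

    "OUTPUT DROP: " becomes "OUTPUT-DROP:", which loads on any restore tool
    and is still easy to grep for in the kernel log."""
    def fix(m):
        return '--log-prefix "%s"' % m.group(1).strip().replace(" ", "-")
    return re.sub(r'--log-prefix\s+"([^"]*)"', fix, rule)


def loads_cleanly(text):
    return not lint_ruleset(text)


# Constructed sample modelled on the thread's ruleset, with both defects.
BROKEN = """*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# these allow various services that I need, note that I got these
from the log file
-A INPUT -j ACCEPT -i lo
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport http
-A OUTPUT -j LOG -o eth0 --log-prefix "OUTPUT DROP: "
COMMIT
"""

# The same ruleset with the comment rejoined and the prefix made space-free.
FIXED = """*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# these allow various services that I need, note that I got these from the log
-A INPUT -j ACCEPT -i lo
-A OUTPUT -j ACCEPT -o eth0 -p tcp --dport http
-A OUTPUT -j LOG -o eth0 --log-prefix "OUTPUT-DROP:"
COMMIT
"""

if __name__ == "__main__":
    for no, msg in lint_ruleset(BROKEN):
        print(f"line {no}: {msg}")
    print("fixed ruleset loads cleanly:", loads_cleanly(FIXED))
```

Run it before handing a ruleset to the init script, or, on a current iptables, let `iptables-restore --test` parse the file without committing it; either way the check belongs in the same place as the file, because the cost of a rejected ruleset is not a missing rule but a host with no filtering at all.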



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:52:11 EDT