[TriLUG] Iptables confusion

lfwelty at nc.rr.com lfwelty at nc.rr.com
Fri May 2 14:18:38 EDT 2003


The file /etc/sysconfig/iptables is a static file that is only updated
when you save changes to iptables (service iptables save). To really see
what your firewall rules are you need to ask iptables (iptables -nL).

I suspect your running ruleset may have been slightly different from the
initial /etc/sysconfig/iptables you display below. A few other services
modify iptables' rules (ntp for one; DNS servers also get a hole punched
-- but I don't remember what punches the hole offhand).

To verify your ruleset on reboot, I would reboot and check the iptables
running config after coming back up. Then modify the rules using
iptables, and save the config using 'service iptables save' to preserve
the changes.

- my opinion - trusted devices make me nervous. If you only have one
subnet accessing the fw I would explicitly allow only that subnet, denying
everything else, and remove the trusted eth0 rule:
iptables -I RH-Lokkit-0-50-INPUT 10 -s 10.2.2.0/28 -j ACCEPT

If you know which ports you need open, you can be even more specific than
the rule above and only explicitly allow known ports/services. It's almost
always better to grant access to known allowed services, denying everything
else, than to deny known bad svcs, allowing everything else.

F.

Joseph Tate wrote:
> Jeremy Portzer requested that I post this to the list.  Discuss.
> 
> I've got a server with two ethernet ports.  (Yes, it's a real server.  
> Dual Xeon 2.0Ghz with RAID 5 on PERC 3 SCSI...... ;P ).  I used Lokkit 
> to set up iptables with eth0 trusted.  The /etc/sysconfig/iptables file 
> that was generated is as follows:
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A FORWARD -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 389 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 636 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123   -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
> 
> With this conflagration, NFS mounts from other machines were failing at 
> bootup.
> 
> When I went in and added -s ! 10.2.2.0/28 to the first four REJECT lines 
> like so:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A FORWARD -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 389 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 636 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123   -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -s ! 10.2.2.0/28 -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -s ! 10.2.2.0/28 -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -s ! 10.2.2.0/28 -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -s ! 10.2.2.0/28 -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
> 
> The clients booted just fine.
> 
> I reran lokkit to reset my rules, so my /etc/sysconfig/iptables looks 
> like this:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A FORWARD -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123   -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 389 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 636 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
> 
> Clients boot just fine again.  I'm so confused.
> 
> 

-- 
-----------------------------------------------------------------
  lfwelty at nc.rr.com: Earth is a beta site, I just wish that damn
                     pink elephant would give me my mouse back.
-----------------------------------------------------------------
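Added example, not code from this thread or from Lokkit: a small Python model of how the kernel walks a saved ruleset (first match wins; a user chain that runs off its end returns to INPUT, where the chain policy applies). It parses the /etc/sysconfig/iptables format quoted above, including the old-style `-s ! net` negation, and asks what an NFS client on 10.2.2.0/28 would get. The function names, the client address 10.2.2.5, the abridged ruleset and the name eth1 for the server's second port are all assumptions of the example.

```python
"""Added example: first-match evaluation of an iptables-save style ruleset."""
import ipaddress

VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def parse_ruleset(text):
    """Return (policies, chains) from text in /etc/sysconfig/iptables format."""
    policies, chains = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                    # ":INPUT ACCEPT [0:0]" / ":chain - [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            continue
        toks = line.split()
        if toks[:1] != ["-A"]:                      # skip *filter, COMMIT, blank lines
            continue
        rule = {"iface": None, "src": None, "src_neg": False, "proto": None,
                "dport": None, "syn": False, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-i":
                rule["iface"] = arg
            elif t == "-s":                         # old-style negation: "-s ! 10.2.2.0/28"
                if arg == "!":
                    rule["src_neg"], arg, i = True, toks[i + 2], i + 1
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif t == "-p":
                rule["proto"] = arg
            elif t == "-m":
                pass                                # match extension name; its options follow
            elif t == "--dport":
                lo, _, hi = arg.partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif t == "--syn":
                rule["syn"] = True
                i -= 1                              # flag takes no argument
            elif t == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True if every criterion of the rule matches the packet dict."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] is not None:
        in_net = ipaddress.ip_address(pkt["src"]) in rule["src"]
        if in_net == rule["src_neg"]:               # plain match wants True, negated wants False
            return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    return not rule["syn"] or pkt.get("syn", False)


def verdict(ruleset, pkt, chain="INPUT"):
    """Walk a chain top to bottom; a user chain that reaches its end returns None."""
    policies, chains = ruleset
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["target"] in VERDICTS:
                return rule["target"]
            if rule["target"] in policies:          # jump; keep going if the chain returns
                v = verdict(ruleset, pkt, rule["target"])
                if v:
                    return v
    return policies.get(chain)                      # built-in policy, or None for user chains


# Constructed sample: an abridged copy of the Lokkit ruleset quoted in the post
SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123   -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
COMMIT
"""
# The poster's edit: exempt the 10.2.2.0/28 client subnet from the REJECT rules
EXEMPT = "\n".join(
    l.replace("-INPUT -p", "-INPUT -s ! 10.2.2.0/28 -p") if l.endswith("-j REJECT") else l
    for l in SAVED.splitlines())


def nfs_verdicts(text, iface, src="10.2.2.5"):
    """(udp, tcp-SYN) verdicts for NFS (port 2049) from client src arriving on iface."""
    rs = parse_ruleset(text)
    return (verdict(rs, {"iface": iface, "src": src, "proto": "udp", "dport": 2049}),
            verdict(rs, {"iface": iface, "src": src, "proto": "tcp", "dport": 2049, "syn": True}))


if __name__ == "__main__":
    for name, text in ("saved", SAVED), ("saved+exempt", EXEMPT):
        for iface in "eth0", "eth1":                # eth1 assumed as the server's second port
            print(f"{name:13} {iface}: udp/tcp 2049 -> {nfs_verdicts(text, iface)}")
```

Running it shows why the file on its own does not explain the symptom: with the quoted rules, NFS from a client on eth0 is accepted outright by the `-i eth0` rule, so only traffic arriving on the other port is stopped by the 2049 REJECTs, and the `-s ! 10.2.2.0/28` edit exempts exactly that subnet (a client outside it is still rejected, and the portmapper on udp/111 falls inside the 0:1023 range). Feeding the output of `iptables-save` to parse_ruleset instead of the file is the "ask iptables" check F. recommends; the same packet can then be evaluated against both texts to see whether some service added rules the file does not show. Note also that the `--syn` REJECTs only stop new TCP connections, which is why a non-SYN segment to 2049 falls through to the INPUT policy.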




