Scientific Linux Forum.org

> Iptables Syntax
thekat
 Posted: Jun 30 2011, 07:39 PM
I am finally getting back to my spacewalk server and have run into an issue with iptables..

Per the Spacewalk Oracle installation, this is the code you use for iptables..

CODE

Configuring the firewall

Spacewalk needs different inbound ports to be connectible. Assuming you have a default RHEL/CentOS set up, proceed as follows:

For RHEL6/Scientific6

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart


When I apply this code.. I get the following error:
CODE

iptables: No chain/target/match by that name.
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

and I get locked out of the box...

I can disable the firewall via the console and get back in, but in the case of SpaceWalk, Oracle has "way too many" vulnerabilities per our scanning SW, so I need to use a host-based FW..

Here is the default iptables config for SL 6
CODE

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thx for any assistance..
tk
thekat
 Posted: Jun 30 2011, 08:49 PM
Ok.. I got it..

CODE

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I manually put in the rules above port 22

tk
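The fix thekat landed on (put the ACCEPT rules above the catch-all REJECT in /etc/sysconfig/iptables, not after it) can be scripted rather than done by hand. The following is an added example, not code from this thread or from Spacewalk: it rewrites a ruleset file in that format and checks that a port's ACCEPT is actually reachable. The function names and the constructed ruleset used in the usage line are assumptions of mine.

```bash
#!/bin/bash
# Added example: open TCP ports in an /etc/sysconfig/iptables-style ruleset by
# inserting the ACCEPT rules *above* the catch-all "-A INPUT -j REJECT".
# Rules appended after that line are never reached, which is why a plain
# "-A INPUT ... -j ACCEPT" leaves the ports closed. Writes the new ruleset
# to stdout; the input file is untouched so it can be diffed before a restart.
#
# Usage: open_ports_in_ruleset /etc/sysconfig/iptables 443 80 > /tmp/new.rules
open_ports_in_ruleset() {
    local file=$1; shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " ") }
        # Remember ports that already have an ACCEPT above the catch-all,
        # so re-running the script does not duplicate rules (e.g. port 22).
        /^-A INPUT .*-j ACCEPT/ && !done {
            for (i = 1; i <= n; i++)
                if ($0 ~ ("--dport " p[i] " ")) seen[p[i]] = 1
        }
        # First catch-all REJECT in INPUT: emit the new rules just before it.
        /^-A INPUT -j REJECT/ && !done {
            for (i = 1; i <= n; i++)
                if (!seen[p[i]])
                    printf "-A INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n", p[i]
            done = 1
        }
        { print }
        # No catch-all REJECT found: nothing was inserted, report it (exit 2).
        END { if (!done) exit 2 }
    ' "$file"
}

# Check whether an ACCEPT for a TCP port sits above the INPUT catch-all
# REJECT, i.e. whether it can ever match. Returns 0 if reachable, 1 if the
# port is missing or shadowed by the REJECT (the situation in the first post).
port_is_reachable() {
    local file=$1 port=$2
    awk -v port="$port" '
        /^-A INPUT -j REJECT/ { rejected = 1 }
        /^-A INPUT / && $0 ~ ("--dport " port " -j ACCEPT") && !rejected { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$file"
}
```

Review the generated file, copy it over /etc/sysconfig/iptables and run `service iptables restart`; port_is_reachable on the live file is a quick check that SSH (22) is still above the REJECT before you restart.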
helikaon
 Posted: Jul 1 2011, 08:19 AM
Exactly :-)

anyway, if you need to do any more serious work with iptables, best is to make a runnable shell script.

this is e.g. on my laptop:
CODE


#!/bin/bash

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset


at the beginning all iptables rules get erased, then default policies are set, then rules are set.
If i need to add anything, i add it to this script and run it.
Then, if i'm happy with what i have i just 'service iptables save', if i'm not happy, 'service iptables restore' to get back original setting (or correct script and run it again).

cheers,


thekat
 Posted: Jul 1 2011, 12:45 PM
QUOTE (helikaon @ Jul 1 2011, 08:19 AM)
Exactly :-)

anyway, if you need to do any more serious work with iptables, best is to make a runnable shell script.

this is e.g. on my laptop:
CODE


#!/bin/bash

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset


at the beginning all iptables rules get erased, then default policies are set, then rules are set.
If i need to add anything, i add it to this script and run it.
Then, if i'm happy with what i have i just 'service iptables save', if i'm not happy, 'service iptables restore' to get back original setting (or correct script and run it again).

cheers,


Thx for the pointer.. the restore part will help..
Oracle has a LOT of vulnerabilities so I have to use a firewall to "protect" it..

helikaon
 Posted: Jul 1 2011, 01:05 PM
QUOTE (thekat @ Jul 1 2011, 12:45 PM)
Oracle has a LOT of vulnerabilities ....

Indeed
I'd add, it likes to 'wolf down' resources too

cheers,


satnn
 Posted: Nov 18 2011, 08:55 PM
Thank you for the great suggestion. It's worth browsing around.


QUOTE (helikaon @ Jul 1 2011, 03:19 AM)
Exactly :-)

anyway, if you need to do any more serious work with iptables, best is to make a runnable shell script.

this is e.g. on my laptop:
CODE


#!/bin/bash

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset


at the beginning all iptables rules get erased, then default policies are set, then rules are set.
If i need to add anything, i add it to this script and run it.
Then, if i'm happy with what i have i just 'service iptables save', if i'm not happy, 'service iptables restore' to get back original setting (or correct script and run it again).

cheers,
