[CentOS] A little iptables help
James Pifer
jep at obrien-pifer.com
Thu Sep 29 03:31:25 UTC 2005
> Well, James, you are missing quite a lot here. First of all, default policy is
> set to ACCEPT, so everything goes through as if there were no firewall rules at
> all. Secondly, the examples people sent you implied you already had some other
> firewall rules needed for them to work (most of them don't work on their own).
>
> I'll attach a sample /etc/sysconfig/iptables file with some comments you can use
> to play with. It's something I just typed for you, so it might contain a typo or
> two. It's a good starting point for building your own firewall rules.
>
> The configuration style is total overkill for your simple problem, however if
> your configuration becomes complex with hundreds or thousands of rules, it'll
> pay off to do it this way from the beginning.
>
> You might want to deinstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this file. You
> might also want to remove any other GUI tool for managing firewall rules, since
> it will either overwrite this file, or it will use its own scripts to replace
> the rules with whatever that GUI tool thinks the configuration should look
> like. Also, if you use "/etc/init.d/iptables save" (as some folks suggested), it
> will also overwrite this file with whatever rules are currently loaded (you'll
> lose all those nice comments I put in for you, and the nice-looking ordering of
> them too). To load the file, you might do "/etc/init.d/iptables start". Once the
> rules are up and running, and you change something in the file, don't use the
> iptables script to reload the new version. Use "iptables-restore
> /etc/sysconfig/iptables". Or your current sessions might hang ;-)
>
> OK, there's the file in the attachment.
>
Aleksandar,
Wow, this is excellent. I read through it all and commented out the 8000
stuff for the moment. I totally agree with doing it right from the
start.
That being said, it loaded fine. I can still ssh and hit http. The only
problem is that the VNC forward stuff still doesn't work. Here's what it
looks like applied.
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
SSH_INP    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
HTTP_INP   tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http flags:SYN,RST,ACK/SYN state NEW
LOG_INP    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
VNC_FWD    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:5900 flags:SYN,RST,ACK/SYN state NEW
LOG_FWD    all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
LOG_OUT    all  --  anywhere             anywhere

Chain HTTP_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain LOG_FWD (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `FORWARD '
RETURN     all  --  anywhere             anywhere

Chain LOG_INP (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INPUT '
RETURN     all  --  anywhere             anywhere

Chain LOG_OUT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `OUTPUT '
RETURN     all  --  anywhere             anywhere

Chain SSH_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain VNC_FWD (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.192.24       10.10.60.4
RETURN     all  --  anywhere             anywhere
If I do an nmap scan all it returns is port 22 and port 80. Since it's
port forwarded, should port 5900 show up as well? I'm doing the scan
from 192.168.192.24.
I don't really understand the logging part. Is there a way I can turn on
some logging to see the VNC requests coming in and see what it's doing
with them?
Thanks for everything!
James
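Added example, not part of the thread: in the ruleset James posted, LOG_INP and LOG_FWD are the last rule before the chain's DROP policy, so every line they write to /var/log/messages (prefix "INPUT " or "FORWARD ") is a packet about to be dropped. The script below parses such lines and, for each port-5900 packet, reports which VNC_FWD criterion from the listing (source 192.168.192.24, destination 10.10.60.4, SYN-only flags, source port 1024:65535) it failed. The sample log lines are constructed, in the LOG target's KEY=value format.

```python
import re

# Constructed sample of what the LOG_INP / LOG_FWD rules write to
# /var/log/messages (prefixes "INPUT " and "FORWARD "); not real log data.
SAMPLE_LOG = """\
Sep 29 03:10:01 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.192.25 DST=10.10.60.4 LEN=60 TTL=63 PROTO=TCP SPT=33000 DPT=5900 SYN URGP=0
Sep 29 03:10:02 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.192.24 DST=10.10.60.4 LEN=52 TTL=63 PROTO=TCP SPT=33001 DPT=5900 ACK URGP=0
Sep 29 03:10:03 gw kernel: INPUT IN=eth0 OUT= SRC=192.168.192.24 DST=192.168.192.1 LEN=60 TTL=64 PROTO=TCP SPT=33002 DPT=5900 SYN URGP=0
Sep 29 03:10:04 gw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.192.24 DST=10.10.60.4 LEN=60 TTL=63 PROTO=TCP SPT=1000 DPT=5900 SYN URGP=0
Sep 29 03:10:05 gw sshd[2201]: Accepted publickey for james from 192.168.192.24
"""

# What the VNC_FWD chain accepts; a forwarded packet missing it reaches LOG_FWD, then DROP.
VNC_FWD = {"SRC": "192.168.192.24", "DST": "10.10.60.4", "PROTO": "TCP", "DPT": "5900"}

LOG_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<chain>INPUT|FORWARD|OUTPUT) (?P<fields>.*)$")

def parse_line(line):
    """Turn one iptables LOG line into a dict of its KEY=value fields; None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"CHAIN": m.group("chain")}
    for token in m.group("fields").split():
        key, sep, val = token.partition("=")
        rec[key] = val if sep else True  # bare flags such as DF, SYN, ACK
    return rec

def why_dropped(rec):
    """Explain which VNC_FWD match criterion a logged packet failed."""
    if rec["CHAIN"] != "FORWARD":
        return "not forwarded: packet hit the %s chain" % rec["CHAIN"]
    for key, want in VNC_FWD.items():
        if rec.get(key) != want:
            return "%s=%s but VNC_FWD wants %s" % (key, rec.get(key), want)
    if not rec.get("SYN") or rec.get("ACK") or rec.get("RST"):
        return "not a SYN-only packet, so flags:SYN,RST,ACK/SYN state NEW fails"
    if not 1024 <= int(rec["SPT"]) <= 65535:
        return "source port %s is outside spts:1024:65535" % rec["SPT"]
    return "matches every VNC_FWD criterion; it should not have been logged"

def dropped_vnc(log_text):
    """Map each logged port-5900 packet (chain, src, dst, spt) to the reason it was dropped."""
    reasons = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("DPT") == "5900":
            reasons[(rec["CHAIN"], rec["SRC"], rec["DST"], rec["SPT"])] = why_dropped(rec)
    return reasons
```

Run it against the real file with `dropped_vnc(open("/var/log/messages").read())`; a packet reported as hitting the INPUT chain was addressed to the gateway itself and never reached the FORWARD rules.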