[CentOS] Inquiry:iptables ?

Negative negativebinomial at gmail.com
Mon Nov 2 16:58:37 UTC 2009


On Mon, Nov 2, 2009 at 10:57 AM, ken <gebser at mousecar.com> wrote:

> On 11/02/2009 09:36 AM Rob Kampen wrote:
> > ken wrote:
> >> On 10/31/2009 04:10 AM Tony Molloy wrote:
> >>
> >>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> >>>
> >>>> Dear All
> >>>> To open a port , I know that I need to go to "System ->
> >>>> Administration ->
> >>>> Security Level and Firewall" -> Other ports and then I can open
> >>>> port-5901
> >>>> as tcp protocol . Can you please do me favor and let me know how it
> >>>> can be
> >>>> done from the command line (if my CentOS is text-mode installed) ?
> >>>> (perhaps
> >>>> via iptables?)
> >>>> Let me thank you in advance
> >>>>
> >>> Edit /etc/sysconfig/iptables
> >>>
> >>> Restart iptables with service iptables restart
> >>>
> >>> Tony
> >>>
> >>
> >> My /etc/sysconfig/iptables states at the top that editing of it is not
> >> recommended.  Yeah, I don't always follow such recommendations myself,
> >> but is there perhaps another way more in keeping with the sense of the
> >> application?
> >>
> > Yeah, editing directly can be risky, nothing worse than making a change
> > only to find that access to your server just disappeared and you need to
> > get in front of it to reset via the console....
> > I use webmin for most of my edits, only make it accessible from the LAN
> > and not the WAN. You can always tunnel the :10000 port via ssh and
> > access securely from a remote location.
> > The webmin console is left open while I test, thus I have not yet
> > tripped up on this though I can imagine it is not fool proof.
> > HTH
> > Rob
>
> Rob,
>
> Sounds like you've thought through the process and have a well-planned
> strategy for failure-prevention.  Cool.
>
> I checked my port 10000 (ssh -p 10000 ...) and found it not available
> ("Connection refused").  So in what sense, or how, can I always tunnel it?
>
> tnx.
>

 You can use iptables to insert and delete rules in the running instance,
and after testing you can save the new set up.

The syntax is:

iptables -I  $TABLE_NAME $POS -s $SRC_IPS -m state --state NEW -p tcp
--dport 5901 -j ACCEPT

The default TABLE_NAME is "RH-Firewall-1-INPUT" for CentOS

You can figure out the POS you want by running

iptables -L
which dumps the rules on the screen

The SRC_IPS are the machine(s) you want to grant access to.

If you mess up, you can just restart iptables and you'll be back to where
you were. These changes are not permanent. If you're working remotely, you
can set up a cron job to restart iptables at some sensible interval so you
won't be locked out until you have physical access to the machine.

Once you're satisfied the new rules are working right, you can use the
iptables script in /etc/init.d to save the new config.  And don't forget to
get rid of the cron job above.

Take a look at iptables-restore and iptables-save, too.

Barry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.centos.org/pipermail/centos/attachments/20091102/c84392b3/attachment.html 


More information about the CentOS mailing list