Hi,
I remember back in the day, there was a neat trick to recover a lost root password, or more exactly, redefine a new password for root.
1. In the bootloader, boot the system with the 'init=/bin/bash' kernel argument.
2. Remount the root partition in read-write mode:
# mount -o remount,rw /
3. Set the password for root:
# passwd
4. Remount the root partition in read-only mode:
# mount -o remount,ro /
5. Switch off the computer.
I tried this out of curiosity on a CentOS 7 sandbox machine, and this doesn't seem to work anymore. I can boot to a 'bash' console and set the password OK. But this password doesn't seem to work on the subsequent normal boot.
Does anybody know why this is so?
Cheers,
Niki
On Wed, May 30, 2018 at 07:54:34AM +0200, Nicolas Kovacs wrote:
I tried this out of curiosity on a CentOS 7 sandbox machine, and this doesn't seem to work anymore. I can boot to a 'bash' console and set the password OK. But this password doesn't seem to work on the subsequent normal boot.
Does anybody know why this is so?
Most likely you didn't relabel the filesystem. Please take a look at https://wiki.centos.org/TipsAndTricks/ResetRootPassword - bottom of the page and the link to access.redhat.com's writeup.
John
On 30/05/2018 at 08:16, John R. Dennison wrote:
Most likely you didn't relabel the filesystem.
Indeed. Adding 'touch /.autorelabel' did the trick.
Cheers,
Niki
Hello, I hope that I can ask some questions on this mailing list about IPTables. I am more familiar with IPTABLES instead of FIREWALLD. I disabled FIREWALLD and installed iptables-services. I have put together a script that I found on the web on how to set up a good set of IPTABLES rules to keep my server as secure as possible.

I have two NICs, ETH0 and ETH1. ETH0 is the internet and ETH1 is my internal network. I want to allow all ports from internal to external. I want to block pretty much all ports from the outside to the inside except from specific IP addresses. I also want to allow UDP ports 10000-20000 from anywhere; all other ports are only allowed from specific IP addresses.

Here is my script; if you don't mind, could you make any corrections on what I should do or not do in my example? Perhaps the order in which I run my script. I have attached the full script with the comments for what I am trying to do. Please look at it and help me if you would, please. I am interested in the order that I have my rules (any suggestions or changes you would make if you were trying to use it) and also the items that I have included. There are a few IP addresses (mine) that I am allowing all open incoming/outgoing. Otherwise only specific ports are allowed for specific IP addresses. TIA.

Steve
#!/bin/bash

##############################################################
# Exterior (Internet) Ethernet 0
##############################################################
EXIF="eth0"

##############################################################
# Interior (My network) Ethernet 1
##############################################################
IXIF="eth1"

##############################################################
# 1. Delete all existing rules
##############################################################
iptables -F

##############################################################
# 2. Set default chain policies
##############################################################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

##############################################################
# 3. Block a specific ip-address
##############################################################
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

##############################################################
# 4. Allow ALL incoming SSH
##############################################################
#iptables -A INPUT -i $EXIF -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 5. Allow incoming SSH only from a specific network
##############################################################
#iptables -A INPUT -i $EXIF -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 6. Allow incoming HTTP
##############################################################
#iptables -A INPUT -i $EXIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#iptables -A INPUT -i $EXIF -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
##############################################################
#iptables -A INPUT -i $EXIF -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 8. Allow outgoing SSH
##############################################################
#iptables -A OUTPUT -o $EXIF -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $EXIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 9. Allow outgoing SSH only to a specific network
##############################################################
#iptables -A OUTPUT -o $EXIF -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $EXIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 10. Allow outgoing HTTPS
##############################################################
#iptables -A OUTPUT -o $EXIF -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $EXIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 11. Load balance incoming HTTPS traffic
##############################################################
#iptables -A PREROUTING -i $EXIF -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -A PREROUTING -i $EXIF -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i $EXIF -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

##############################################################
# 12. Ping from inside to outside
##############################################################
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

##############################################################
# 13. Ping from outside to inside
##############################################################
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

##############################################################
# 14. Allow loopback access
##############################################################
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

##############################################################
# 15. Allow packets from internal network to reach external network.
##############################################################
# if $EXIF is connected to external network (internet)
# if $IXIF is connected to internal network (192.168.20.0/23)
iptables -A FORWARD -i $IXIF -o $EXIF -j ACCEPT

##############################################################
# 15a. Masquerading
##############################################################
iptables -t nat -A POSTROUTING -o $EXIF -j MASQUERADE
iptables -A FORWARD -i $EXIF -o $IXIF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $IXIF -o $EXIF -j ACCEPT

##############################################################
# 16. Allow outbound DNS
##############################################################
#iptables -A OUTPUT -p udp -o $EXIF --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i $EXIF --sport 53 -j ACCEPT

##############################################################
# 17. Allow Voip Connections
##############################################################
# specific provider abc company
# iptables -A INPUT -i $EXIF -s myvoipprovider1 -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $EXIF -s myvoipprovider2 -p udp -m udp --dport 5060 -j ACCEPT

##############################################################
# 17a. Allow Full Access from my outside IPs
##############################################################
# allow connections from my machines full access
#iptables -A INPUT -i $EXIF -s myips -j ACCEPT
iptables -A INPUT -i $EXIF -s myips -j ACCEPT
iptables -A INPUT -i $EXIF -s myips -j ACCEPT

##############################################################
# 17b. Allow Full Access from my inside IPs
##############################################################
iptables -A INPUT -i $IXIF -s 192.168.20.0/23 -j ACCEPT

##############################################################
# 18. Allow rsync from a specific network
##############################################################
#iptables -A INPUT -i $EXIF -p tcp -s specificip --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 19. Allow MySQL connection only from a specific network
##############################################################
#iptables -A INPUT -i $EXIF -p tcp -s specificip --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 20. Allow Sendmail or Postfix
##############################################################
#iptables -A INPUT -i $EXIF -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 21. Allow IMAP and IMAPS
##############################################################
#iptables -A INPUT -i $EXIF -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $EXIF -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 22. Allow POP3 and POP3S
##############################################################
#iptables -A INPUT -i $EXIF -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $EXIF -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 23. Prevent DoS attack
##############################################################
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

##############################################################
# 24. Port forwarding 422 to 22
##############################################################
#iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
#iptables -A INPUT -i $EXIF -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $EXIF -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

##############################################################
# 25. Log dropped packets
##############################################################
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
On 01/06/2018 at 14:01, Steve Frazier wrote:
I hope that I can ask some questions on this mailing list about IPTables.
1. Avoid replying to existing threads only to start a new thread.
2. Try to provide some very basic formatting. Like line breaks.
3. This being said, here's my own article about iptables vs. firewalld:
https://blog.microlinux.fr/iptables/
Cheers,
Niki
Steve Frazier wrote:
Hello, I hope that I can ask some questions on this mailing list about IPTables. I am more familiar with IPTABLES instead of FIREWALLD. I disabled FIREWALLD and installed iptables-services. I have put together a script that I found on the web on how to set up a good set of IPTABLES rules to keep my server as secure as possible.
<snip> That's *extremely* hard to read, esp. given that the numbered commands would fail, as they don't seem to be comments.
Could you run it, and then give us the o/p of iptables-save?
mark
Thank you. I apologize for sending something that could be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules is the most secure it could be. TIA.
Steve
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*mangle
:PREROUTING ACCEPT [12219:2602452]
:INPUT ACCEPT [8766:2101480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
:POSTROUTING ACCEPT [7093:2183351]
COMMIT
# Completed on Fri Jun 1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*nat
:PREROUTING ACCEPT [3836:607509]
:INPUT ACCEPT [130:21132]
:OUTPUT ACCEPT [42:19744]
:POSTROUTING ACCEPT [40:19121]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun 1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*filter
:INPUT DROP [253:85405]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun 1 10:34:39 2018
Steve
On Friday, June 1, 2018, 9:37:57 AM EDT, m.roth@5-cent.us m.roth@5-cent.us wrote:
Steve Frazier wrote:
Hello, I hope that I can ask some questions on this mailing list about IPTables. I am more familiar with IPTABLES instead of FIREWALLD. I disabled FIREWALLD and installed iptables-services. I have put together a script that I found on the web on how to set up a good set of IPTABLES rules to keep my server as secure as possible.
<snip> That's *extremely* hard to read, esp. given that the numbered commands would fail, as they don't seem to be comments.
Could you run it, and then give us the o/p of iptables-save?
mark
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Steve Frazier wrote:
Thank you. I apologize for sending something that could be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules is the most secure it could be. TIA.
Steve,
Do you have any idea of what you're writing? Why are you emailing - this *is* an email list - with run-on lines? I mean, really, can you read what you sent, below?
mark
I assumed this was a Centos 7 mailing list and I was looking for help with IPTABLES. I have used mailing lists before. Copying a file to an email address didn't have that type of output. I apologize. First of all, is this a Centos 7 mailing list that I can ask for help, or have I made a huge mistake? If so, should I just attach the file to the email? I apologize for the output, I had no idea. That's not the way it looked when I sent it. I am sorry. I am just looking for some help with IPTABLES on Centos 7. Please let me know and I won't send any more questions if I am not sending to the right list for help and not the right way.
On Friday, June 1, 2018, 11:16:33 AM EDT, m.roth@5-cent.us m.roth@5-cent.us wrote:
Steve Frazier wrote:
Thank you. I apologize for sending something that could be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules is the most secure it could be. TIA.
Steve,
Do you have any idea of what you're writing? Why are you emailing - this *is* an email list - with run-on lines? I mean, really, can you read what you sent, below?
mark
On 01.06.2018 at 17:24, Steve Frazier wrote:
I assumed this was a Centos 7 mailing list and I was looking for help with IPTABLES. I have used mailing lists before. Copying a file to an email address didn't have that type of output. I apologize. First of all, is this a Centos 7 mailing list that I can ask for help, or have I made a huge mistake? If so, should I just attach the file to the email?
Steve,
you are right on this list with questions concerning CentOS 7. It is just the (repeated) formatting of your postings which makes it hard to reply with helpful on-topic answers. Just see yourself what you have sent so far:
https://lists.centos.org/pipermail/centos/2018-June/169029.html
https://lists.centos.org/pipermail/centos/2018-June/169027.html
https://lists.centos.org/pipermail/centos/2018-June/169029.html
Would you be willing yourself to decrypt such messages just to help someone else?
And please, as this is a mailing list and as you can see from the archive, it is not necessary to quote everything of a previous list post. It is a mailing list and does fine being threaded, providing a history. Quoting everything is just bloating the content. And reverse order of content is contrary to the usual reading top to bottom.
Try to display your iptables rules for best readability on i.e. http://pastebin.centos.org/ with a lifetime setting of at least 1 week to be sure your content can be deciphered.
Regards Alexander
On 01.06.2018 at 18:41, Alexander Dalloz wrote:
[ ... ]
Steve,
you are right on this list with questions concerning CentOS 7. It is just the (repeated) formatting of your postings which makes it hard to reply with helpful on-topic answers. Just see yourself what you have sent so far:
https://lists.centos.org/pipermail/centos/2018-June/169029.html
Sorry, the first link should have been your initial posting
https://lists.centos.org/pipermail/centos/2018-June/169023.html
https://lists.centos.org/pipermail/centos/2018-June/169027.html
https://lists.centos.org/pipermail/centos/2018-June/169029.html
[ ... ]
Regards Alexander
I left out the RTP for VoIP. Here is my updated iptables-save:
*mangle
:PREROUTING ACCEPT [343:37719]
:INPUT ACCEPT [238:19550]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
:POSTROUTING ACCEPT [157:14766]
COMMIT
# Completed on Fri Jun 1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 11:12:17 2018
*nat
:PREROUTING ACCEPT [114:20124]
:INPUT ACCEPT [7:670]
:OUTPUT ACCEPT [13:1422]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun 1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 11:12:17 2018
*filter
:INPUT DROP [2:1285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myvoipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun 1 11:12:17 2018

Thanks again.
On Friday, June 1, 2018, 11:05:10 AM EDT, Steve Frazier sfrazier1111@yahoo.com wrote:
Thank you. I apologize for sending something that could be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules is the most secure it could be. TIA.
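A reviewer's reading of the rulesets posted above (Steve's script and his two iptables-save dumps), as an added example that is not code from the thread, from CentOS or from any list member: a small Python module that parses iptables-save output, flags the points a reviewer would raise against the dump as posted (source NAT applied on the internal interface eth1 instead of the internet-facing eth0, a FORWARD rule that lets unsolicited traffic from eth0 straight into eth1, and the RELATED,ESTABLISHED accept sitting last in INPUT), and traces a packet through a chain with iptables' first-match semantics so the "is my order right" question can be answered by running it. SAMPLE_SAVE is a constructed, condensed version of the posted dump with the placeholder addresses kept; the packet dictionaries, the ipset contents and every function name are assumptions of this example.

```python
# Added example (not from the thread): parse iptables-save output, lint it, and trace packets.
import ipaddress, shlex
from collections import namedtuple

# Constructed sample, condensed from the posted dump (eth0 internet, eth1 internal network).
SAMPLE_SAVE = """\
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""
ONE_ARG = {"-i", "-o", "-s", "-d", "-p", "--dport", "--sport", "--state", "--reject-with",
           "--limit", "--limit-burst", "--log-prefix", "--log-level", "--icmp-type"}
Rule = namedtuple("Rule", "table chain target opts text")  # target is None without -j

def parse_save(text):
    """Return ({(table, chain): policy}, [Rule, ...]) from iptables-save output."""
    policies, rules, table = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tokens, opts, target, i = shlex.split(line), {}, None, 2
            while i < len(tokens):
                tok = tokens[i]
                if tok == "-m":              # match extension name; its own options follow
                    i += 2
                elif tok == "-j":
                    target, i = tokens[i + 1], i + 2
                elif tok == "--match-set":   # set name, then the src/dst flag list
                    opts[tok], i = (tokens[i + 1], tokens[i + 2]), i + 3
                elif tok in ONE_ARG:
                    opts[tok], i = tokens[i + 1], i + 2
                else:                        # anything else (e.g. "!" negation) is not modelled
                    i += 1
            rules.append(Rule(table, tokens[1], target, opts, line))
    return policies, rules

def _addr_in(addr, spec):
    """CIDR containment; symbolic placeholders such as mypublicip1 compare literally."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return addr == spec

def _port_in(spec, port):
    lo, _, hi = spec.partition(":")              # "5060" or "10000:20000"
    return port is not None and int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    o, sets = rule.opts, pkt.get("sets", {})     # pkt keys: in/out/proto/src/dport/state/sets
    checks = {"-i": lambda v: pkt.get("in") == v,
              "-o": lambda v: pkt.get("out") == v,
              "-p": lambda v: pkt.get("proto") == v,
              "-s": lambda v: _addr_in(pkt.get("src"), v),
              "--dport": lambda v: _port_in(v, pkt.get("dport")),
              "--state": lambda v: pkt.get("state") in v.split(","),
              "--match-set": lambda v: pkt.get(v[1]) in sets.get(v[0], set())}
    return all(fn(o[flag]) for flag, fn in checks.items() if flag in o)

def evaluate(policies, rules, table, chain, pkt):
    """First-match walk of one chain: (verdict, text of the deciding rule or None)."""
    for r in rules:
        if r.table == table and r.chain == chain and matches(r, pkt) and r.target not in (None, "LOG"):
            return r.target, r.text              # LOG and match-only rules do not terminate
    return policies.get((table, chain), "ACCEPT"), None

def review(policies, rules, ext_if, int_if):
    """Defender's lint of the ruleset; returns the findings as strings."""
    out = []
    for r in rules:
        o = r.opts
        if r.table == "nat" and r.target == "MASQUERADE" and o.get("-o") == int_if:
            out.append(f"MASQUERADE on internal {int_if}; source NAT belongs on {ext_if}: {r.text}")
        if (r.table == "filter" and r.chain == "FORWARD" and r.target == "ACCEPT" and o.get("-i") == ext_if
                and o.get("-o") == int_if and ("--state" not in o or "NEW" in o["--state"].split(","))):
            out.append(f"FORWARD accepts unsolicited (NEW) traffic {ext_if} -> {int_if}: {r.text}")
    inp = [r for r in rules if (r.table, r.chain) == ("filter", "INPUT")]
    for idx, r in enumerate(inp):
        if idx and r.target == "ACCEPT" and r.opts == {"--state": "RELATED,ESTABLISHED"}:
            out.append(f"RELATED,ESTABLISHED accept is INPUT rule {idx + 1} of {len(inp)}; put it first")
    return out

if __name__ == "__main__":   # prints the findings for the constructed sample
    pol, rules = parse_save(SAMPLE_SAVE)
    print(*review(pol, rules, "eth0", "eth1"), sep="\n")
```

Run it as a script to see the three findings, or feed a real dump to parse_save and call evaluate with a packet such as {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 445, "src": "198.51.100.7", "state": "NEW"} (a constructed, unsolicited connection attempt from the internet to a LAN host): with the rules as posted the FORWARD verdict is ACCEPT from the "-i eth0 -o eth1" rule, while the same packet in the other direction is only accepted once ESTABLISHED, which is the reverse of what the first message asked for. The model covers only the matches the thread uses (interface, protocol, source, destination port, conntrack state, ipset); a rule with a match the parser does not know is treated as broader than it really is, so read any finding against the actual rule text it quotes.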
On Friday, June 01, 2018 1:01 PM +0000 Steve Frazier sfrazier1111@yahoo.com wrote:
I have attached the full script with the comments for what I am trying to do.
I suggest uploading your script to pastebin.com and putting the link in your post to the list. That way long lines in your script will be preserved. Pastebin is good for content where the formatting is important.
On Fri, Jun 01, 2018 at 06:50:28AM -0700, Kenneth Porter wrote:
I suggest uploading your script to pastebin.com and putting the link in your post to the list. That way long lines in your script will be preserved. Pastebin is good for content where the formatting is important.
Perhaps using a pastebin service that is not chock full of unwanted ads would be better. http://pastebin.centos.org as an example will not force ads on users. But yes, if one is unable to wrangle their MUA into not reformatting their text a pastebin service would be an excellent alternative. Good suggestion.
John