Hi,
I would like to get some input on how to configure iptables. I have referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables and it has been very helpful. I have configured iptables with the help of this tutorial, but I haven't understood a few things about the default firewall config.
- What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although it is not mentioned in the wiki.
- The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).
Any explanation or resource link on this would be really helpful.
Thanks, CS.
Carlos Santana wrote:
> Hi,
> I would like to get some input on how to configure iptables. I have referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables and it has been very helpful. I have configured iptables with the help of this tutorial, but I haven't understood a few things about the default firewall config.
> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although it is not mentioned in the wiki.
> - The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).
> Any explanation or resource link on this would be really helpful.
Try using webmin; there are RPMs available for it and the interface helps deal with the cryptic items that make up an iptables filter. The reason for the RH-Firewall-1-INPUT chain is that you can use the same rule set for multiple items, i.e. both INPUT and FORWARD.
> Thanks, CS.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Rob Kampen wrote:
> Carlos Santana wrote:
> > - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although it is not mentioned in the wiki.
> > - The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).
> > Any explanation or resource link on this would be really helpful.
> Try using webmin; there are RPMs available for it and the interface helps deal with the cryptic items that make up an iptables filter. The reason for the RH-Firewall-1-INPUT chain is that you can use the same rule set for multiple items, i.e. both INPUT and FORWARD.
I also find it useful to create different chains for different network traffic. For example, I have a chain that allows all web access - ports 80, 443, 8080 etc. I have a different chain for file-share access - e.g. NFS and Samba. This way, I can watch what is happening with those chains specifically, without wading through the significant output of the command "iptables -nvL".
By using different chains, I can issue a command like "watch -d iptables -nvL CentOS-MAIL" to monitor network traffic on related ports. This has helped me many times in the past to see where network traffic is being blocked or given access.
Just my 2c worth :)
Ian
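Putting Rob's point (one shared chain reached from both INPUT and FORWARD) and Ian's (a separate chain per class of traffic so each can be watched on its own) into one script. This is an added example for the thread, not the CentOS default configuration and not a script any of the posters provided. The shared chain keeps the RH-Firewall-1-INPUT name that CentOS creates by default; the CentOS-WEB and CentOS-FILES chain names, the port lists and the IPT variable (which lets the script print its commands instead of running them) are assumptions of mine.

```shell
#!/bin/sh
# firewall.sh: build an iptables rule set out of reusable per-service chains.
# Added illustration for this thread, not the CentOS default configuration.
# Assumed names: RH-Firewall-1-INPUT (the chain CentOS 5 creates by default),
# CentOS-WEB and CentOS-FILES (per-service chains in Ian's naming style), and
# the port lists. Run as root to apply; "IPT=echo ./firewall.sh apply" only
# prints the commands.
set -e

IPT="${IPT:-iptables}"

# Create a chain if needed, then empty it, so the script can be re-run.
# "-N" fails when the chain already exists, so that error is ignored.
fresh_chain() {
    $IPT -N "$1" 2>/dev/null || true
    $IPT -F "$1"
}

# One chain per class of traffic. Each chain only ACCEPTs; anything it does
# not match falls back to the calling chain, which decides what happens.
build_service_chains() {
    fresh_chain CentOS-WEB
    for p in 80 443 8080; do
        $IPT -A CentOS-WEB -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    fresh_chain CentOS-FILES
    $IPT -A CentOS-FILES -p tcp --dport 445 -m state --state NEW -j ACCEPT   # SMB
    $IPT -A CentOS-FILES -p tcp --dport 2049 -m state --state NEW -j ACCEPT  # NFS
}

# The shared chain: the same policy is evaluated for traffic addressed to
# this host (INPUT) and for traffic routed through it (FORWARD).
build_shared_chain() {
    fresh_chain RH-Firewall-1-INPUT
    $IPT -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    $IPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    $IPT -A RH-Firewall-1-INPUT -j CentOS-WEB
    $IPT -A RH-Firewall-1-INPUT -j CentOS-FILES
    # Terminal rule: whatever no service chain accepted is rejected here.
    $IPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Point the builtin chains at the shared one. Only INPUT and FORWARD are
# flushed; the user chains above were rebuilt by fresh_chain.
wire_builtins() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -A INPUT -j RH-Firewall-1-INPUT
    $IPT -A FORWARD -j RH-Firewall-1-INPUT
}

# Service chains first: a "-j CentOS-WEB" jump needs the target to exist.
build_firewall() {
    build_service_chains
    build_shared_chain
    wire_builtins
}

# Only apply when invoked with "apply", so the file can be sourced or run
# under a test harness without touching the live tables.
case "${1-}" in
    apply) build_firewall ;;
esac
```

Because each service chain only ACCEPTs and otherwise returns to RH-Firewall-1-INPUT, the REJECT at the end of the shared chain is the single place where unmatched traffic is refused, and "watch -d iptables -nvL CentOS-WEB" shows the packet and byte counters for just that service. After the script has run, "service iptables save" writes the result to /etc/sysconfig/iptables.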
On Tue, Jan 19, 2010 at 1:01 AM, Ian Blackwell ian@ikel.id.au wrote:
> Rob Kampen wrote:
> > Carlos Santana wrote:
> > > - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although it is not mentioned in the wiki.
> > > - The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).
> > > Any explanation or resource link on this would be really helpful.
> > Try using webmin; there are RPMs available for it and the interface helps deal with the cryptic items that make up an iptables filter. The reason for the RH-Firewall-1-INPUT chain is that you can use the same rule set for multiple items, i.e. both INPUT and FORWARD.
> I also find it useful to create different chains for different network traffic. For example, I have a chain that allows all web access - ports 80, 443, 8080 etc. I have a different chain for file-share access - e.g. NFS and Samba. This way, I can watch what is happening with those chains specifically, without wading through the significant output of the command "iptables -nvL".
> By using different chains, I can issue a command like "watch -d iptables -nvL CentOS-MAIL" to monitor network traffic on related ports. This has helped me many times in the past to see where network traffic is being blocked or given access.
> Just my 2c worth :)
> Ian
Thanks for the help, everyone.
@ Ian: Could you please share an example on how to define chains and reuse them? That would be really helpful.
- CS.
Carlos Santana wrote on Mon, 18 Jan 2010 17:54:51 -0600:
> - The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules?
You can add rules on the fly at runtime and then use "service iptables save" to save them. This will be automatically loaded on a "service iptables start". But it's harder to maintain as a script of your own. I prefer to write a script, run it (which includes flushing etc.) and when it's OK I save that result.
Kai
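An added example of the on-the-fly approach Kai describes (not Kai's script and not part of CentOS's own tooling): one rule is inserted into the running chain without flushing anything, then persisted with "service iptables save". The caveat it adds is where the rule lands. The script assumes a CentOS-style rule set whose user chain ends in a terminal REJECT rule, as the default RH-Firewall-1-INPUT chain does; a rule appended with "-A" goes after that REJECT and never matches, so the script parses "iptables -nL <chain> --line-numbers" to find the REJECT and inserts just above it. The chain name, the IPT variable, the sample listing and the port in the usage line are assumptions of mine.

```shell
#!/bin/sh
# add-rule.sh: add one rule to the running firewall without flushing, then
# save it. Added illustration for this thread, not CentOS's own tooling.
# Assumptions: a CentOS-style rule set whose user chain (RH-Firewall-1-INPUT
# by default) ends in a terminal REJECT rule, the chain name, and the port in
# the usage line. Run as root; "IPT=echo ./add-rule.sh add ..." only prints
# the iptables commands (the listing step then finds no REJECT, so the dry
# run falls back to -A; against live iptables it finds the real position).
set -e

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# Constructed sample of what "iptables -nL RH-Firewall-1-INPUT --line-numbers"
# prints on a default-style CentOS box; not captured from a real host.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0  icmp type 255
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

# Read a numbered listing on stdin; print the rule number of the first
# REJECT target, or nothing if the chain has none. Only numbered rule
# lines count, so the two header lines are skipped.
reject_position() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1; exit }'
}

# Insert a rule (passed as iptables arguments) just above the terminal
# REJECT, where it is reachable. "iptables -A" would place it after the
# REJECT, so it would never match. Without a REJECT, appending is fine.
add_rule() {
    pos=$($IPT -nL "$CHAIN" --line-numbers | reject_position)
    if [ -n "$pos" ]; then
        $IPT -I "$CHAIN" "$pos" "$@"
    else
        $IPT -A "$CHAIN" "$@"
    fi
}

# Write the running rule set to /etc/sysconfig/iptables so that
# "service iptables start" loads it again at boot.
save_rules() {
    service iptables save
}

# Usage: ./add-rule.sh add -p tcp --dport 80 -m state --state NEW -j ACCEPT
#        ./add-rule.sh check   (shows which slot the sample chain would use)
# Nothing happens without a keyword, so the file can be sourced or tested.
case "${1-}" in
    add)   shift; add_rule "$@"; save_rules ;;
    check) printf '%s\n' "$SAMPLE_LISTING" | reject_position ;;
esac
```

After "add", "iptables -nvL RH-Firewall-1-INPUT --line-numbers" should show the new rule one slot above the REJECT; if it shows up below the REJECT the chain layout is not the one assumed here and the rule is dead.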
On Tue, Jan 19, 2010 at 7:31 AM, Kai Schaetzl maillists@conactive.com wrote:
> Carlos Santana wrote on Mon, 18 Jan 2010 17:54:51 -0600:
> > - The wiki page's approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules?
> You can add rules on the fly at runtime and then use "service iptables save" to save them. This will be automatically loaded on a "service iptables start". But it's harder to maintain as a script of your own. I prefer to write a script, run it (which includes flushing etc.) and when it's OK I save that result.
> Kai
Currently my approach is similar to yours, which is shown in the wiki page also.
I didn't get what you mean by - 'But it's harder to maintain as a script of your own.'. You are also using script, right? I use git for maintaining versions (not a public repo).
- CS.
> -- Get your web at Conactive Internet Services: http://www.conactive.com
Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:
> 'But it's harder to maintain as a script of your own.' You are also using a script, right?
The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly, no script) harder to maintain as if you use a script of your own.
Kai
On Tue, Jan 19, 2010 at 1:31 PM, Kai Schaetzl maillists@conactive.com wrote:
> Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:
> > 'But it's harder to maintain as a script of your own.' You are also using a script, right?
> The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly, no script) harder to maintain as if you use a script of your own.
> Kai
Thanks for clarifying... :)
- CS.
On Tue, 2010-01-19 at 14:32 -0600, Carlos Santana wrote:
> On Tue, Jan 19, 2010 at 1:31 PM, Kai Schaetzl maillists@conactive.com wrote:
> > Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:
> > > 'But it's harder to maintain as a script of your own.' You are also using a script, right?
> > The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly, no script) harder to maintain as if you use a script of your own.
> > Kai
> Thanks for clarifying... :)
> CS.
If you're concerned about maintaining a script for your iptables configuration, consider the Shoreline firewall ( www.shorewall.net ) to manage your firewall.
The things I like about Shorewall are that it uses human-readable config files, AND that it generates iptables chains that are much more comprehensible than the other stuff I've seen.
Naturally, this is just my $0.02 (US) worth.