Greetings:
i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so my /etc/sysconfig/iptables file is pretty standard/straightforward.
my question is: how is this config file initially generated? i'd like to re-create it, and add a couple of rules .... so i don't want to lose what's in there already.
i see that my /etc/sysconfig/system-config-securitylevel has three entries, which explains how the port 80 and 22 rules get into the config:
--enabled --port=22:tcp --port=80:tcp
... and i see the basic /etc/sysconfig/iptables-config file, but i'm unclear as to how the rest of the stuff gets in there: e.g.:
# Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 - j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 - j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
Tom Laramee wrote:
Greetings:
i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so my /etc/sysconfig/iptables file is pretty standard/straightforward.
my question is: how is this config file initially generated? i'd like to re-create it, and add a couple of rules .... so i don't want to lose what's in there already.
i see that my /etc/sysconfig/system-config-securitylevel has three entries, which explains how the port 80 and 22 rules get into the config:
--enabled --port=22:tcp --port=80:tcp... and i see the basic /etc/sysconfig/iptables-config file, but i'm unclear as to how the rest of the stuff gets in there: e.g.:
# Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
if you only want to add few simple rules, and if you know about iptables syntax, you can do something like # iptables-save > iptables.tmp edit the resulting files to adjust to your needs, then load it: # iptables-restore < iptables.tmp once you're happy, _backup_ /etc/sysconfig/iptables and do # iptables-save > /etc/sysconfig/iptables
Alternatively, use one of the available scripts or tools to create your configuration.
In any case, be aware that a misconfiguration could result in blocking your own access. so better test on a machine not far from you.
-
mouss -
Tom Laramee