[CentOS] A little iptables help

Craig White craigwhite at azapple.com
Wed Sep 28 20:33:06 UTC 2005

On Wed, 2005-09-28 at 15:14 -0500, Aleksandar Milivojevic wrote:
> Quoting James Pifer <jep at obrien-pifer.com>:
> > Alright, I figured I would try a simple proof of concept with this.
> > Without setting any policies to drop, meaning all the chains are wide
> > open (all ACCEPT) I wanted to try and do VNC through the port forward.
> >
> > So I started with this:
> > #iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Ran this:
> > iptables -A FORWARD -p tcp --dport 5900 -s -d
> > -j ACCEPT
> Well, James, you are missing quite a lot here.  First of all, default 
> policy is
> set to ACCEPT, so everything goes through as if there were no firewall 
> rules at
> all.  Secondly, the examples people sent you implied you already had 
> some other
> firewall rules needed for them to work (most of them don't work on their own).
> I'll attach sample /etc/sysconfig/iptables file with some comments you can use
> to play with.  It something I just typed for you, so might contain a type or
> two.  It's good starting point for building your own firewall rules.
> The configuration style is total overkill for your simple problem, however if
> your configuration becomes complex with hundreds or thousands of rules, it'll
> pay off to do it this way from the beggining.
> You might want to deinstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this 
> file.  You
> might also want to remove any other GUI tool for managing firewall 
> rules, since
> it will either overwrite this file, or it will use its own scripts to replace
> the rules with whatever that GUI tool thinks configuration should look 
> like. Also, if you use "/etc/init.d/iptables save" (as some folks 
> suggested), it will
> also overwrite this file with whatever are currently loaded rules 
> (you'll loose
> all those nice comments I put in for you, and nice looking ordering of them
> too).  To load the file, you might do "/etc/init.d/iptables start".  Once the
> rules are up and running, and you change something in the file, don't use
> iptables script to reload new version.  Use "iptables-restore
> /etc/sysconfig/iptables".  Or your current sessions might hung ;-)
> OK, there's the file in attachment.
nice job

Aleksandar's custom iptables/firewall rulesets is now open for
business... $ 2.00 US per custom rule set ($3.00 for really complicated
ones). You could make a small fortune.



This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the CentOS mailing list