[CentOS] A little iptables help
Craig White
craigwhite at azapple.com
Wed Sep 28 20:33:06 UTC 2005
On Wed, 2005-09-28 at 15:14 -0500, Aleksandar Milivojevic wrote:
> Quoting James Pifer <jep at obrien-pifer.com>:
>
> > Alright, I figured I would try a simple proof of concept with this.
> > Without setting any policies to drop, meaning all the chains are wide
> > open (all ACCEPT) I wanted to try and do VNC through the port forward.
> >
> > So I started with this:
> > #iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Ran this:
> > iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4
> > -j ACCEPT
>
> Well, James, you are missing quite a lot here. First of all, the default
> policy is set to ACCEPT, so everything goes through as if there were no
> firewall rules at all. Secondly, the examples people sent you implied you
> already had some other firewall rules needed for them to work (most of them
> don't work on their own).
>
> I'll attach a sample /etc/sysconfig/iptables file with some comments you can
> use to play with. It's something I just typed for you, so it might contain a
> typo or two. It's a good starting point for building your own firewall rules.
>
> The configuration style is total overkill for your simple problem; however, if
> your configuration becomes complex with hundreds or thousands of rules, it'll
> pay off to do it this way from the beginning.
>
> You might want to deinstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this file. You
> might also want to remove any other GUI tool for managing firewall rules, since
> it will either overwrite this file, or it will use its own scripts to replace
> the rules with whatever that GUI tool thinks the configuration should look
> like. Also, if you use "/etc/init.d/iptables save" (as some folks suggested),
> it will also overwrite this file with whatever rules are currently loaded
> (you'll lose all those nice comments I put in for you, and the nice-looking
> ordering of them too). To load the file, you might do "/etc/init.d/iptables start".
> Once the rules are up and running, and you change something in the file, don't
> use the iptables script to reload the new version. Use
> "iptables-restore /etc/sysconfig/iptables". Or your current sessions might hang ;-)
>
> OK, there's the file in attachment.
----
nice job
Aleksandar's custom iptables/firewall rulesets are now open for
business... $2.00 US per custom rule set ($3.00 for really complicated
ones). You could make a small fortune.
;-)
Craig
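As an added example, not part of the thread or Aleksandar's attachment: a small shell helper that flags the wide-open chains in a listing like the one James posted, and emits a minimal default-DROP ruleset in the /etc/sysconfig/iptables (iptables-restore) format for his VNC case. The client and server addresses and port 5900 come from James's rule; the ESTABLISHED,RELATED state-match lines and the loopback rule are my assumptions about what a workable minimum needs.

```shell
#!/bin/sh
# Constructed sample of `iptables -L` output, mirroring the listing quoted in the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Print the built-in chains whose policy is ACCEPT. While a chain's policy is
# ACCEPT, adding a lone "-j ACCEPT" rule to it changes nothing: everything was
# already allowed, which is the point Aleksandar makes.
open_chains() {
    printf '%s\n' "$1" | awk '/^Chain .*\(policy ACCEPT\)/ { print $2 }'
}

# Emit an iptables-restore style ruleset (the /etc/sysconfig/iptables format):
# filter table, DROP by default on INPUT and FORWARD, return traffic allowed,
# and one explicit FORWARD rule for VNC from $1 (client) to $2 (server) on $3.
# The state-match and loopback lines are assumed extras, not from the thread.
vnc_ruleset() {
    client=$1; server=$2; port=${3:-5900}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep replies of already-accepted connections flowing (assumed, not in the thread).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# With FORWARD defaulting to DROP, this ACCEPT is now the only way VNC gets through.
-A FORWARD -p tcp -s $client -d $server --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Demonstration: which chains in the sample are wide open, then the generated file.
# Load such a file with "iptables-restore < /etc/sysconfig/iptables", not the init script.
echo "Chains with policy ACCEPT: $(open_chains "$SAMPLE_LISTING" | tr '\n' ' ')"
vnc_ruleset 192.168.192.24 10.10.60.4 5900
```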