[CentOS] A little iptables help

Thu Sep 29 03:31:25 UTC 2005
James Pifer <jep at obrien-pifer.com>

> Well, James, you are missing quite a lot here.  First of all, default
> policy is set to ACCEPT, so everything goes through as if there were no
> firewall rules at all.  Secondly, the examples people sent you implied you
> already had some other firewall rules needed for them to work (most of them
> don't work on their own).
> 
> I'll attach a sample /etc/sysconfig/iptables file with some comments you can
> use to play with.  It's something I just typed for you, so it might contain
> a typo or two.  It's a good starting point for building your own firewall
> rules.
> 
> The configuration style is total overkill for your simple problem; however,
> if your configuration becomes complex with hundreds or thousands of rules,
> it'll pay off to do it this way from the beginning.
> 
> You might want to uninstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this file.
> You might also want to remove any other GUI tool for managing firewall
> rules, since it will either overwrite this file, or it will use its own
> scripts to replace the rules with whatever that GUI tool thinks the
> configuration should look like.  Also, if you use "/etc/init.d/iptables
> save" (as some folks suggested), it will also overwrite this file with
> whatever rules are currently loaded (you'll lose all those nice comments I
> put in for you, and the nice-looking ordering of them too).  To load the
> file, you might do "/etc/init.d/iptables start".  Once the rules are up and
> running, and you change something in the file, don't use the iptables
> script to reload the new version.  Use "iptables-restore
> /etc/sysconfig/iptables".  Or your current sessions might hang ;-)
> 
> OK, the file is in the attachment.
> 

Aleksandar,

Wow, this is excellent. I read through it all and commented out the 8000
stuff for the moment. I totally agree with doing it right from the
start.

That being said, it loaded fine. I can still ssh and hit http. The only
problem is that the VNC forward stuff still doesn't work. Here's what it
looks like applied.

#iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
SSH_INP    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
HTTP_INP   tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http flags:SYN,RST,ACK/SYN state NEW
LOG_INP    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
VNC_FWD    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:5900 flags:SYN,RST,ACK/SYN state NEW
LOG_FWD    all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
LOG_OUT    all  --  anywhere             anywhere

Chain HTTP_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain LOG_FWD (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `FORWARD '
RETURN     all  --  anywhere             anywhere

Chain LOG_INP (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INPUT '
RETURN     all  --  anywhere             anywhere

Chain LOG_OUT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `OUTPUT '
RETURN     all  --  anywhere             anywhere

Chain SSH_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain VNC_FWD (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.192.24       10.10.60.4
RETURN     all  --  anywhere             anywhere

If I do an nmap scan, all it returns is port 22 and port 80. Since it's
port forwarded, should port 5900 show up as well? I'm doing the scan
from 192.168.192.24.

I don't really understand the logging part. Is there a way I can turn on
some logging to see the VNC requests coming in and see what it's doing
with them?

Thanks for everything!
James
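
The logging James asks about, as an added example that is not part of the
original thread or of Aleksandar's attached file. The chain names and the
prefixes 'FORWARD ' and 'INPUT ' come from the iptables -L output posted
above; the interface names, the firewall's own address 192.168.192.1, the
log file path and the sample log lines are assumptions. The iptables
commands at the top must be run as root on the firewall; the rest of the
script only reads log lines and can be run anywhere. Note also that a plain
iptables -L lists only the filter table; the nat table, where a port forward
would be rewritten, is listed with iptables -t nat -L.

```sh
#!/bin/sh
# Added example (not from the original thread): make the VNC forwarding
# visible in the kernel log and read back what each packet hit.
#
# On the firewall, as root, a LOG rule at the top of VNC_FWD records every
# new tcp/5900 connection that reaches the FORWARD chain before VNC_FWD
# decides on it:
#   iptables -I VNC_FWD 1 -j LOG --log-prefix 'VNC_FWD ' --log-level info
# The existing LOG_INP and LOG_FWD chains already log, with prefixes
# 'INPUT ' and 'FORWARD ', anything that fell through to the chain's DROP
# policy. The nat table is not part of a plain "iptables -L"; list it with:
#   iptables -t nat -L PREROUTING -n -v
# The LOG target writes to the kernel log (/var/log/messages or dmesg) as
#   kernel: FORWARD IN=eth0 OUT=eth1 SRC=... DST=... PROTO=TCP ... DPT=5900 ... SYN

# Print "<chain> <SRC> <DST> <DPT>" for each netfilter LOG line on stdin and
# skip everything else. The chain is the log prefix, i.e. the first token
# after "kernel:" (ignoring a bracketed kernel timestamp if one is present).
nf_log_fields() {
    awk '
        {
            chain = ""; src = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "kernel:") {
                    j = i + 1
                    while (j <= NF && ($j ~ /^\[/ || $j ~ /\]$/)) j++
                    chain = $j
                }
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (chain != "" && src != "" && dpt != "") print chain, src, dst, dpt
        }'
}

# Count logged packets with a given chain prefix and destination port.
# Usage: log_hits FORWARD 5900 < /var/log/messages
log_hits() {
    nf_log_fields | awk -v pfx="$1" -v port="$2" \
        '$1 == pfx && $4 == port { n++ } END { print n + 0 }'
}

# Constructed sample lines standing in for /var/log/messages (assumed data).
# Line 1: a VNC SYN logged by LOG_INP, delivered locally to the firewall's
#         own address (OUT= is empty), so it was never forwarded.
# Line 2: a VNC SYN entering VNC_FWD with the destination rewritten to the
#         VNC host, which is what a working forward looks like.
# Line 3: a VNC SYN from another host that fell through VNC_FWD to LOG_FWD
#         and the FORWARD chain's DROP policy.
# Line 4: an unrelated sshd line, which the parser must ignore.
SAMPLE_LOG='Sep 29 03:40:01 fw kernel: INPUT IN=eth0 OUT= SRC=192.168.192.24 DST=192.168.192.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 29 03:40:02 fw kernel: VNC_FWD IN=eth0 OUT=eth1 SRC=192.168.192.24 DST=10.10.60.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 29 03:40:03 fw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.192.25 DST=10.10.60.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 29 03:40:04 fw sshd[1234]: Accepted publickey for james from 192.168.192.24 port 40004 ssh2'

# Per-chain summary of where tcp/5900 packets ended up.
vnc_report() {
    for chain in INPUT VNC_FWD FORWARD; do
        printf '%s tcp/5900: %s\n' "$chain" \
            "$(printf '%s\n' "$SAMPLE_LOG" | log_hits "$chain" 5900)"
    done
}
vnc_report
```

Reading the report: a 5900 packet logged with the 'INPUT ' prefix and the
firewall's own address as DST was handled locally and never reached the
FORWARD chain, while one logged with the 'FORWARD ' prefix did reach
FORWARD but was not accepted by VNC_FWD and is about to be dropped by the
chain's policy. To use it on the real log, replace the SAMPLE_LOG pipeline
with, for example, log_hits FORWARD 5900 < /var/log/messages.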