[CentOS] /etc/sysconfig/iptables on a stock CentOS 5 install
mouss
mouss at netoyen.net
Tue Feb 26 21:36:44 UTC 2008
Tom Laramee wrote:
>
> Greetings:
>
> i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so
> my /etc/sysconfig/iptables file is pretty standard/straightforward.
>
> my question is: how is this config file initially generated? i'd
> like to
> re-create it, and add a couple of rules .... so i don't want to lose
> what's
> in there already.
>
> i see that my /etc/sysconfig/system-config-securitylevel has three
> entries,
> which explains how the port 80 and 22 rules get into the config:
>
> --enabled
> --port=22:tcp
> --port=80:tcp
>
> ... and i see the basic /etc/sysconfig/iptables-config file, but i'm
> unclear
> as to how the rest of the stuff gets in there: e.g.:
>
>
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
> 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
> 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
if you only want to add few simple rules, and if you know about iptables
syntax, you can do something like
# iptables-save > iptables.tmp
edit the resulting files to adjust to your needs, then load it:
# iptables-restore < iptables.tmp
once you're happy, _backup_ /etc/sysconfig/iptables and do
# iptables-save > /etc/sysconfig/iptables
Alternatively, use one of the available scripts or tools to create your
configuration.
In any case, be aware that a misconfiguration could result in blocking
your own access. so better test on a machine not far from you.
More information about the CentOS
mailing list