[CentOS] /etc/sysconfig/iptables on a stock CentOS 5 install

mouss mouss at netoyen.net
Tue Feb 26 21:36:44 UTC 2008 

Tom Laramee wrote:
>
> Greetings:
>
> i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so
> my /etc/sysconfig/iptables file is pretty standard/straightforward.
>
> my question is:  how is this config file initially generated?  i'd 
> like to
> re-create it, and add a couple of rules .... so i don't want to lose 
> what's
> in there already.
>
> i see that my /etc/sysconfig/system-config-securitylevel has three 
> entries,
> which explains how the port 80 and 22 rules get into the config:
>
>     --enabled
>     --port=22:tcp
>     --port=80:tcp
>
> ... and i see the basic /etc/sysconfig/iptables-config file, but i'm 
> unclear
> as to how the rest of the stuff gets in there: e.g.:
>
>
>     # Firewall configuration written by system-config-securitylevel
>     # Manual customization of this file is not recommended.
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [0:0]
>     :RH-Firewall-1-INPUT - [0:0]
>     -A INPUT -j RH-Firewall-1-INPUT
>     -A FORWARD -j RH-Firewall-1-INPUT
>     -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>     -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>     -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
> 22 -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
> 80 -j ACCEPT
>     -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>     COMMIT

if you only want to add few simple rules, and if you know about iptables 
syntax, you can do something like
# iptables-save > iptables.tmp
edit the resulting files to adjust to your needs, then load it:
# iptables-restore < iptables.tmp
once you're happy, _backup_ /etc/sysconfig/iptables and do
# iptables-save > /etc/sysconfig/iptables


Alternatively, use one of the available scripts or tools to create your 
configuration.


In any case, be aware that a misconfiguration could result in blocking 
your own access. so better test on a machine not far from you.

More information about the CentOS mailing list