[CentOS] [Fwd: Re: iptables]

Fri Apr 23 22:08:45 UTC 2010
Robert Spangler <mlists at zoominternet.net>

On Friday 23 April 2010 15:20, cahit Eyigünlü wrote:

>  how or why I have redesigned it to this and it seems like it worked:

See big problems in your future.

>  :INPUT ACCEPT [0:0]

Anyone with a little bit of security awareness would never set the default 
policy to ACCEPT and the reason is below.  You would think RH would know 

>  -A INPUT -j RH-Firewall-1-INPUT
>  -A FORWARD -j RH-Firewall-1-INPUT
>  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>  -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

With this rule above you just opened up your complete system to whatever it is 
connected to.  That is why it is working.  I am hoping this box doesn't have 
Internet access.

>  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
>  -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
>  "/etc/sysconfig/iptables" 40L, 1617C

Even if you didn't have the line with '-i eth0 -j ACCEPT' your system was still 
open to everyone because at this point, if none of the rules apply, the 
firewall falls back to the policy setting to decide what to do with a packet.  
Since all your policies are set to ACCEPT the packet is accepted and the 
hacker is in.

For this reason one would think RH would do a little more and set the default 
policies to DROP.  It is so easy to miss the reject or drop statements at the 
end and the policy would catch them for you.

I know some will argue that RH did what they needed to do, but they could go 
that extra step, don't you think?



Linux User #296285
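An added example, not from this thread: a small POSIX shell/awk audit that reads an iptables-save style ruleset on stdin and flags the two problems pointed out above (an ACCEPT default policy on INPUT or FORWARD, and an interface-wide ACCEPT on anything but lo). It is run against a constructed copy of the posted ruleset and a corrected one with DROP policies and a terminal REJECT; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset for
# an ACCEPT default policy on INPUT/FORWARD and a blanket "-i <iface> -j ACCEPT".
# audit_rules reads the ruleset on stdin, prints one finding per line and
# returns 1 if anything was found, 0 if the ruleset is clean.
audit_rules() {
    awk '
        BEGIN { bad = 0 }
        # ":CHAIN POLICY [pkts:bytes]" declares the default policy of a built-in chain
        /^:(INPUT|FORWARD) ACCEPT/ {
            print "policy " substr($1, 2) " is ACCEPT: unmatched packets get in"; bad = 1
        }
        # a rule whose only match is a non-loopback interface accepts everything on it
        /^-A / && /-i [^ ]+ -j ACCEPT/ && !/-i lo / && NF == 6 {
            print "blanket ACCEPT on interface " $4 " in chain " $2; bad = 1
        }
        END { exit bad }
    '
}

# Constructed ruleset reproducing the mistakes in the posted one.
weak_rules='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT'

# Corrected form: DROP policies, no interface-wide ACCEPT, explicit final REJECT.
fixed_rules='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

printf '%s\n' "$weak_rules" | audit_rules || echo "weak ruleset: needs fixing"
printf '%s\n' "$fixed_rules" | audit_rules && echo "fixed ruleset: no findings"
```

The audit only reads a saved ruleset (for example the output of iptables-save), so it can be run on a copy of /etc/sysconfig/iptables without touching the live firewall.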