system-config-securitylevel: Generates a Set of Rules


This section describes the set of rules generated by system-config-securitylevel (page 768) when you ask it to create a firewall with only ssh running as a trusted service and no other ports specified. The system-config-securitylevel utility writes the rules in the format used by iptables-save (see the preceding section) to the /etc/sysconfig/iptables file. The iptables init script reads this file (by way of iptables-restore) so that the firewall is implemented each time the system boots. See the tip on page 769 about disabling the firewall using this utility.

In the following listing, *filter indicates that the commands appearing after it, up to COMMIT, work on the Filter table. Each line that begins with a colon declares a chain. The first of these specifies that the policy for the INPUT chain in the Filter table is ACCEPT; the FORWARD and OUTPUT chains are specified similarly. The bracketed numbers are the chain's packet and byte counters. Because the counters for all the chains are zero in this file, the counters start at zero each time the system boots and initializes iptables from this file.

Note that with the INPUT policy set to ACCEPT, the firewall depends entirely on the final REJECT rule in the user-defined chain shown below: if that chain is flushed, or the jump to it removed, every packet is accepted.

The system-config-securitylevel utility creates a user-defined chain named RH-Firewall-1-INPUT. No policy is specified (the policy field holds a hyphen) because user-defined chains cannot have policies.

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

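The following shell script is an added example and is not the book's code or the output of system-config-securitylevel itself. It emits a file in the same layout the section describes (the *filter header, the four chain declarations, the jump into a user-defined chain, the ESTABLISHED,RELATED rule, one NEW rule per requested service and a final REJECT) for a list of trusted services given as port/proto arguments. Only the chain name RH-Firewall-1-INPUT is taken from the listing above; the function name, argument format and validation are this script's own choices, and unlike the utility's output it opens nothing that was not asked for.

```shell
#!/bin/sh
# Added example (not from the book): generate an iptables-restore file in the
# layout this section describes, for the trusted services given as port/proto
# arguments, e.g.  gen_rules 22/tcp 53/udp.  With no arguments it produces the
# "ssh only" case. RH-Firewall-1-INPUT is the chain name the book shows; the
# rest of this script is its own assumption.

gen_rules() {
    if [ $# -eq 0 ]; then set -- 22/tcp; fi

    # Validate every argument before printing anything, so a bad argument
    # cannot leave a half-written rules file behind.
    for svc in "$@"; do
        port=${svc%/*}; proto=${svc#*/}
        case "$port" in
            ''|*[!0-9]*) printf 'gen_rules: bad port in %s\n' "$svc" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            printf 'gen_rules: port out of range in %s\n' "$svc" >&2; return 1
        fi
        case "$proto" in
            tcp|udp) ;;
            *) printf 'gen_rules: want port/tcp or port/udp, got %s\n' "$svc" >&2; return 1 ;;
        esac
    done

    printf '%s\n' '# Firewall configuration written by gen_rules (example script)'
    printf '%s\n' '*filter'
    # Built-in chains: policy, then [packets:bytes] counters
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # User-defined chain: it cannot carry a policy, so that field is '-'
    printf '%s\n' ':RH-Firewall-1-INPUT - [0:0]'
    printf '%s\n' '-A INPUT -j RH-Firewall-1-INPUT'
    printf '%s\n' '-A FORWARD -j RH-Firewall-1-INPUT'
    printf '%s\n' '-A RH-Firewall-1-INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened; placed before the NEW rules so
    # most traffic is accepted after a single match
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in "$@"; do
        port=${svc%/*}; proto=${svc#*/}
        printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    done
    # Everything else is refused with an ICMP error, as in the book's listing
    printf '%s\n' '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Usage: review the output, then load it with  iptables-restore < file
gen_rules 22/tcp
```

Compare the output for 22/tcp with the listing above: the IPP, mDNS and IPsec rules are absent, because the request was for ssh only. The script validates all arguments before it prints the first line, so redirecting its output to /etc/sysconfig/iptables cannot leave a truncated file if one argument is malformed.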

The first two lines that begin with -A add rules to the INPUT and FORWARD chains that cause control to transfer to the RH-Firewall-1-INPUT chain. The subsequent lines append rules to the RH-Firewall-1-INPUT chain; they are tested in order, and the first matching rule with a terminating target decides the packet's fate. Following is a description of what the rest of the lines do.

This line accepts packets arriving on the loopback interface (lo), so local processes can talk to each other regardless of the rules that follow:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT


This line accepts all ICMP packets regardless of type (--icmp-type any). Some ICMP is needed for the host to work properly, for example the destination-unreachable messages used by path MTU discovery, but the rule also answers echo requests (ping) from any host:

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT


These lines accept packets that match IP protocols 50 and 51. The /etc/protocols file on this system lists them as IPv6-Crypt and IPv6-Auth, but they are the IPsec headers ESP (Encapsulating Security Payload, protocol 50) and AH (Authentication Header, protocol 51), which are used with IPv4 as well as IPv6. ESP provides encryption; AH provides only integrity and authentication. Newer /etc/protocols files name them esp and ah:

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT


The next line accepts multicast DNS (www.multicastdns.org) packets: UDP to port 5353 addressed to the mDNS multicast group 224.0.0.251. The -d match restricts the destination, not the sender, so any host on the local network can reach the mDNS responder:

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT


These lines allow IPP (page 504) UDP and TCP packets on port 631 (CUPS printing) through from any source. Note that the utility adds these rules, the mDNS rule, and the ESP/AH rules on its own; only ssh was requested as a trusted service. If the system is not a print server, these two rules open a service that was never asked for:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT


This line uses -m to load the state (connection-tracking) module and accepts ESTABLISHED and RELATED packets, that is, replies to connections this host already has open and related traffic such as FTP data connections:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


This line accepts packets that open a new TCP connection (state NEW) to port 22 (ssh). Together with the preceding rule it is what makes ssh reachable; every other new connection falls through to the REJECT rule:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


This line rejects all packets that the preceding rules have not accepted and returns the ICMP error icmp-host-prohibited to the system that sent the packet:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


COMMIT executes the preceding commands. With the preceding rules loaded, you can use iptables -L to list the rules in each chain and see the policies of the built-in chains (add -n to display addresses and ports numerically instead of resolving them to names such as anywhere and ssh, and -v to show the packet and byte counters):

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

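Reading the rules one by one, as this section does, is the manual form of two checks that are worth automating on any saved rules file: which ACCEPT rules can be matched by a packet from any source, and whether any rule sits behind an unconditional REJECT, DROP or ACCEPT and can therefore never match. The script below is an added example and not code from the book; the sample rules it carries are a copy of the /etc/sysconfig/iptables listing in this section, embedded so the script runs offline, and the function names and output format are its own. It reads iptables-save format on standard input, so it can be pointed at a real file with  exposed_accepts < /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the book): two audit checks over an iptables-save
# format file. SAMPLE_RULES is a copy of the listing in this section,
# embedded here so the checks can run without a firewall present.

SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Print one line per ACCEPT rule that a packet from any source host can match:
# no -s (source address) and no -i (input interface) restriction. Rules whose
# state match lacks NEW (ESTABLISHED,RELATED only) admit replies, not new
# connections, and are skipped. Output columns: chain protocol dport destination
exposed_accepts() {
    awk '
        /^-A / {
            target = ""; src_limited = 0; reply_only = 0
            proto = "all"; port = "-"; dst = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-s" || $i == "-i") src_limited = 1
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "--state" && $(i + 1) !~ /NEW/) reply_only = 1
            }
            if (target == "ACCEPT" && !src_limited && !reply_only)
                printf "%s %s %s %s\n", $2, proto, port, dst
        }'
}

# Print every rule that can never match because an earlier rule in the same
# chain is an unconditional ACCEPT, DROP or REJECT (nothing but -j after the
# chain name). A jump to a user-defined chain is not terminating: control
# returns if that chain does not decide the packet.
unreachable_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in dead) { print "unreachable: " $0; next }
            if ($3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/) dead[chain] = 1
        }'
}

echo "== ACCEPT rules reachable from any source =="
printf '%s\n' "$SAMPLE_RULES" | exposed_accepts
echo "== rules shadowed by an earlier unconditional rule =="
printf '%s\n' "$SAMPLE_RULES" | unreachable_rules
```

Run against the sample, the first check lists seven rules: ICMP, protocols 50 and 51, mDNS, IPP over UDP and TCP, and ssh, which is exactly the set the walkthrough above identifies as open to every host; the loopback rule is excluded by its -i match. The second check prints nothing for the sample because the REJECT is the last rule in its chain; append any rule to RH-Firewall-1-INPUT after it and the check reports it as unreachable.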




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383