system-config-securitylevel: Generates a Set of Rules

This section describes the set of rules generated by system-config-securitylevel (page 768) when you ask it to create a firewall with only ssh running as a trusted service and no other ports specified. The system-config-securitylevel utility writes the rules in the format used by iptables-save (see the preceding section) to the /etc/sysconfig/iptables file, which is read by the iptables init script so that the firewall is implemented each time the system boots. See the tip on page 769 about disabling the firewall using this utility.

In the following listing, *filter indicates that the commands appearing after it work on the Filter table. The first line that begins with a colon specifies that the policy for the INPUT chain in the Filter table is ACCEPT. The FORWARD and OUTPUT chains are specified similarly. Because the counters for all the chains are zero, the counters will be reset to zero each time the system boots and initializes iptables from this file. The system-config-securitylevel utility creates a user-defined chain named RH-Firewall-1-INPUT. No policy is specified because user-defined chains cannot have policies.

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The first two lines that begin with -A add rules to the INPUT and FORWARD chains that cause control to transfer to the RH-Firewall-1-INPUT chain. The subsequent lines append rules to the RH-Firewall-1-INPUT chain. Following is a description of what the rest of the lines do.
This line accepts packets from the local (loopback) interface:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

This line accepts all ICMP packets:

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

These lines accept packets that match protocols 50 and 51, which /etc/protocols lists as IPv6-Crypt and IPv6-Auth, both encryption headers for IPv6:

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

The next line accepts multicast DNS (www.multicastdns.org) packets sent to the multicast address 224.0.0.251:

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

These lines allow IPP (page 504) UDP and TCP packets through:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

This line uses -m to specify the state module and accepts ESTABLISHED and RELATED packets:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This line allows NEW TCP packets through on port 22 (ssh):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This line rejects all packets that have not been accepted by a preceding rule and returns the ICMP error icmp-host-prohibited to the system that sent the packet:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT executes the preceding commands.
With the preceding rules loaded, you can use iptables to list the rules and see the defaults that iptables puts in place:

# iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot       opt source               destination
ACCEPT     all        --  anywhere             anywhere
ACCEPT     icmp       --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt --  anywhere             anywhere
ACCEPT     ipv6-auth  --  anywhere             anywhere
ACCEPT     udp        --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp        --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp        --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all        --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all        --  anywhere             anywhere            reject-with icmp-host-prohibited