Re: [CentOS] iptables default configuration
Carlos Santana wrote on Mon, 18 Jan 2010 17:54:51 -0600:

> - The wiki page approach is to flush existing rules and then add required
>   rules to iptables. Is it possible to add/append required rules without
>   flushing the existing set of rules?

You can add rules on-the-fly at runtime and then use service iptables save to save them. This will be automatically loaded on a service iptables start. But it's harder to maintain as a script of your own. I prefer to write a script, run it (which includes flushing etc.) and when it's ok I save that result.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] iptables default configuration
On Tue, Jan 19, 2010 at 1:01 AM, Ian Blackwell <i...@ikel.id.au> wrote:
> Rob Kampen wrote:
>> Carlos Santana wrote:
>>> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a
>>>   predefined chain, although not mentioned in the wiki.
>>> - The wiki page approach is to flush existing rules and then add required
>>>   rules to iptables. Is it possible to add/append required rules without
>>>   flushing the existing set of rules? Not sure, but I think this is where
>>>   the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined
>>>   rules).
>>>
>>> Any explanation or resource link on this would be really helpful.
>>
>> Try using webmin - there are rpms available for it and the interface helps
>> deal with the cryptic items that make up an iptables filter.
>> The reason for the RH-Firewall-1-INPUT chain is that you can use the same
>> rule set for multiple items - i.e. both input and forward.
>
> I also find it useful to create different chains for different network
> traffic. For example, I have a chain that allows all web access - ports 80,
> 443, 8080 etc. I have a different chain for file-share access - e.g. NFS and
> Samba. This way, I can watch what is happening with those chains
> specifically, without wading through the significant output of the command
> iptables -nvL. By using different chains, I can issue a command like
> watch -d iptables -nvL CentOS-MAIL to monitor network traffic on related
> ports. This has helped me many times in the past to see where network
> traffic is being blocked or given access.
>
> Just my 2c worth :)
>
> Ian

Thanks for the help everyone..

@ Ian: Could you please share an example on how to define chains and reuse them? That would be really helpful.

- CS.
Re: [CentOS] iptables default configuration
On Tue, Jan 19, 2010 at 7:31 AM, Kai Schaetzl <mailli...@conactive.com> wrote:
> Carlos Santana wrote on Mon, 18 Jan 2010 17:54:51 -0600:
>> - The wiki page approach is to flush existing rules and then add required
>>   rules to iptables. Is it possible to add/append required rules without
>>   flushing the existing set of rules?
>
> You can add rules on-the-fly at runtime and then use service iptables save
> to save them. This will be automatically loaded on a service iptables start.
> But it's harder to maintain as a script of your own. I prefer to write a
> script, run it (which includes flushing etc.) and when it's ok I save that
> result.
>
> Kai

Currently my approach is similar to yours, which is shown in the wiki page also. I didn't get what you mean by 'But it's harder to maintain as a script of your own.'. You are also using a script, right? I use git for maintaining versions (not a public repo).

- CS.
Re: [CentOS] iptables default configuration
Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:

> 'But it's harder to maintain as a script of your own.'. You are also using
> a script, right?

The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly, no script) harder to maintain as if you use a script of your own.

Kai
Re: [CentOS] iptables default configuration
On Tue, Jan 19, 2010 at 1:31 PM, Kai Schaetzl <mailli...@conactive.com> wrote:
> Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:
>> 'But it's harder to maintain as a script of your own.'. You are also using
>> a script, right?
>
> The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly,
> no script) harder to maintain as if you use a script of your own.
>
> Kai

Thanks for clarifying... :)

- CS.
Re: [CentOS] iptables default configuration
On Tue, 2010-01-19 at 14:32 -0600, Carlos Santana wrote:
> On Tue, Jan 19, 2010 at 1:31 PM, Kai Schaetzl <mailli...@conactive.com> wrote:
>> Carlos Santana wrote on Tue, 19 Jan 2010 08:51:19 -0600:
>>> 'But it's harder to maintain as a script of your own.'. You are also
>>> using a script, right?
>>
>> The "as" is ambiguous in this case ;-) Read: But it's (adding on the fly,
>> no script) harder to maintain as if you use a script of your own.
>>
>> Kai
>
> Thanks for clarifying... :)
>
> - CS.

If you're concerned about maintaining a script for your iptables configuration, consider the Shoreline firewall ( www.shorewall.net ) to manage your firewall. The things I like about Shorewall are that it uses human-readable config files, AND it generates iptables chains that are much more comprehensible than the other stuff that I've seen.

Naturally, this is just my $0.02 (US) worth.

-- 
Ron Loftin <relof...@twcny.rr.com>

"God, root, what is difference ?" Piter from UserFriendly
[CentOS] iptables default configuration
Hi,

I would like to get some inputs on how to configure iptables. I have referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables and it has been very helpful. I have configured iptables with the help of this tutorial, but I haven't understood a few things about the default firewall config.

- What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although not mentioned in the wiki.
- The wiki page approach is to flush existing rules and then add required rules to iptables. Is it possible to add/append required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).

Any explanation or resource link on this would be really helpful.

Thanks,
CS.
Re: [CentOS] iptables default configuration
Carlos Santana wrote:
> Hi,
>
> I would like to get some inputs on how to configure iptables. I have
> referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables
> and it has been very helpful. I have configured iptables with the help of
> this tutorial, but I haven't understood a few things about the default
> firewall config.
>
> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a
>   predefined chain, although not mentioned in the wiki.
> - The wiki page approach is to flush existing rules and then add required
>   rules to iptables. Is it possible to add/append required rules without
>   flushing the existing set of rules? Not sure, but I think this is where
>   the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined
>   rules).
>
> Any explanation or resource link on this would be really helpful.

Try using webmin - there are rpms available for it and the interface helps deal with the cryptic items that make up an iptables filter.

The reason for the RH-Firewall-1-INPUT chain is that you can use the same rule set for multiple items - i.e. both input and forward.

> Thanks,
> CS.
Re: [CentOS] iptables default configuration
Rob Kampen wrote:
> Carlos Santana wrote:
>> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a
>>   predefined chain, although not mentioned in the wiki.
>> - The wiki page approach is to flush existing rules and then add required
>>   rules to iptables. Is it possible to add/append required rules without
>>   flushing the existing set of rules? Not sure, but I think this is where
>>   the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined
>>   rules).
>>
>> Any explanation or resource link on this would be really helpful.
>
> Try using webmin - there are rpms available for it and the interface helps
> deal with the cryptic items that make up an iptables filter.
> The reason for the RH-Firewall-1-INPUT chain is that you can use the same
> rule set for multiple items - i.e. both input and forward.

I also find it useful to create different chains for different network traffic. For example, I have a chain that allows all web access - ports 80, 443, 8080 etc. I have a different chain for file-share access - e.g. NFS and Samba. This way, I can watch what is happening with those chains specifically, without wading through the significant output of the command iptables -nvL. By using different chains, I can issue a command like watch -d iptables -nvL CentOS-MAIL to monitor network traffic on related ports. This has helped me many times in the past to see where network traffic is being blocked or given access.

Just my 2c worth :)

Ian
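Carlos asked Ian for an example of defining chains and reusing them. The script below is an added example written for this page; it is not code from any of the posters or from the CentOS wiki. It builds the ruleset in iptables-restore format (the format that "service iptables save" writes to /etc/sysconfig/iptables and "service iptables start" loads), jumps to RH-Firewall-1-INPUT from both INPUT and FORWARD as Rob describes, and gives web, mail and file-share traffic their own chains as Ian does, so "watch -d iptables -nvL CentOS-MAIL" shows only that service's counters. It also covers both sides of the flush-or-append question from the original post: iptables-restore replaces the table in one atomic commit, and iptables-restore --noflush appends to what is loaded. The chain names CentOS-WEB and CentOS-FILES, the 192.168.1.0/24 LAN range and the port lists are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the CentOS wiki): one ruleset in
# iptables-restore format that reuses RH-Firewall-1-INPUT from both INPUT and
# FORWARD and splits per-service rules into their own chains. CentOS-WEB,
# CentOS-FILES, 192.168.1.0/24 and the port lists are assumptions.

# Print the whole ruleset. This is the format of /etc/sysconfig/iptables,
# which "service iptables save" writes and "service iptables start" loads.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:CentOS-WEB - [0:0]
:CentOS-MAIL - [0:0]
:CentOS-FILES - [0:0]
# Both built-in chains hand every packet to one user-defined chain, so the
# same rule set covers traffic for this host and traffic routed through it.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Shared housekeeping: loopback, replies to our own connections, ICMP, SSH.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# New connections are dispatched to per-service chains. A packet that
# matches nothing in a user-defined chain falls off its end and returns
# here, where the final REJECT (as in the stock CentOS ruleset) stops it.
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -j CentOS-WEB
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -j CentOS-MAIL
-A RH-Firewall-1-INPUT -m state --state NEW -j CentOS-FILES
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# One rule per port, so "iptables -nvL CentOS-WEB" shows per-port counters.
-A CentOS-WEB -p tcp --dport 80 -j ACCEPT
-A CentOS-WEB -p tcp --dport 443 -j ACCEPT
-A CentOS-WEB -p tcp --dport 8080 -j ACCEPT
-A CentOS-MAIL -p tcp --dport 25 -j ACCEPT
-A CentOS-MAIL -p tcp --dport 587 -j ACCEPT
-A CentOS-MAIL -p tcp --dport 993 -j ACCEPT
# NFS and Samba, restricted to the LAN.
-A CentOS-FILES -s 192.168.1.0/24 -p tcp -m multiport --dports 111,139,445,2049 -j ACCEPT
-A CentOS-FILES -s 192.168.1.0/24 -p udp -m multiport --dports 111,137,138,2049 -j ACCEPT
COMMIT
EOF
}

# Offline analogue of "iptables -nvL CHAIN": how many rules the generated
# ruleset puts in a chain (0 for a chain that has none).
chain_rule_count() {
    build_ruleset | grep -c "^-A $1 " || true
}

# Lint a ruleset read from stdin before loading it: every user-defined chain
# that a rule jumps to must be declared with a ":NAME - [0:0]" line, or
# iptables-restore aborts part-way through the file. Returns 0 when the
# ruleset is consistent, prints the undeclared names and returns 1 otherwise.
check_jump_targets() {
    ruleset=$(cat)
    status=0
    for target in $(printf '%s\n' "$ruleset" | grep -v '^#' |
                    sed -n 's/.* -j \([A-Za-z0-9_-]*\).*/\1/p' | sort -u); do
        case "$target" in
            ACCEPT|DROP|REJECT|RETURN|LOG) continue ;;
        esac
        printf '%s\n' "$ruleset" | grep -q "^:$target " ||
            { echo "undeclared chain: $target"; status=1; }
    done
    return $status
}

# Replace the live filter table in one atomic commit. Unlike a script that
# runs "iptables -F" and then appends rule by rule, there is no moment with
# the table flushed but not yet repopulated. Needs root.
apply_ruleset() {
    build_ruleset | check_jump_targets || return 1
    build_ruleset | iptables-restore
}

# Add a fragment to what is already loaded instead of replacing it: this is
# how to append rules without flushing. The fragment should declare (":NAME"
# lines) only chains it owns and use plain -A lines for existing ones. Needs root.
append_fragment() {
    iptables-restore --noflush < "$1"
}

case "${1:-show}" in
    show)   build_ruleset ;;
    check)  build_ruleset | check_jump_targets && echo "ruleset OK" ;;
    apply)  apply_ruleset ;;
    append) append_fragment "$2" ;;
    *)      echo "usage: $0 [show|check|apply|append FILE]" >&2 ;;
esac
```

Run it with no arguments to print the ruleset, with "check" to lint it, and as root with "apply" to load it; "service iptables save" then persists the result, which is the workflow Kai describes. "append FILE" adds a fragment without flushing. The one rule of user-defined chains worth remembering: a packet that matches nothing in the chain returns to the caller, so the catch-all REJECT belongs at the end of RH-Firewall-1-INPUT, not in the per-service chains, and the per-service chains stay readable because they contain only ACCEPTs.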