adapting the configuration written by system-config-securitylevel

xpucto · 11-09-2006, 07:01 AM

Hi!

I use FC on servers. the iptabels was made by the system-config-securitylevel. The file has things like

Quote:

-A RH-Firewall-1-INPUT...

at the biginning of each line.
I would like to write another iptables-file in form of a script file startinf with "#!/bin/sh" so that I can write command like "if" or "for" in it.
I was wondering: is actually better to make any change through the system-config-securitylevel or should one just write his own iptables without fearing to have a less good iptables than the one made by the system? In other words: can the system make all kind of konfigurations (I would like for example to have a file from which banned IPs will be read. For this I need a bash script in order to write an "if" or "for" command), or does it make sense not to use the system to write the iptables and to do it manually?
So my question is how should I do it, but does it make sense to do it manually?

thanks.

macemoneta · 11-10-2006, 07:53 AM

The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.

xpucto · 11-10-2006, 09:33 AM

Quote:

Originally Posted by macemoneta

The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.

Thanks for your answer!
If I have this configuration (from the system):

Quote:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

I could based my new iptables on this file, only removing the "RH-Firewall-1-" parts and adding what I need to add.
So the base of my new iptables could looke like this:

Quote:

#!/bin/sh
set -e

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"

echo "Flushing rules..."
$iptables -F
echo "Rules flushed."

echo "Loading kernel modules..."
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe iptable_filter
$modprobe ipt_state
echo "Kernel modules loaded."

echo "Loading rules..."

$iptables -P INPUT ACCEPT
$iptables -A INPUT all -- anywhere anywhere

$iptables -A ACCEPT all -- anywhere anywhere
$iptables -A ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
$iptables -A REJECT all -- anywhere anywhere reject-with icmp-host-prohibite

$iptables -P FORWARD ACCEPT
$iptables -A INPUT all -- anywhere anywhere

$iptables -P OUTPUT ACCEPT

this should give me the same thing as the original system's configuration, am I right?

macemoneta · 11-10-2006, 10:12 AM

Yup, that should be a usable base.