adapting the configuration written by system-config-securitylevel
Hi!
I use FC on servers. The iptables was made by system-config-securitylevel. The file has things like
Quote:
-A RH-Firewall-1-INPUT...
at the beginning of each line.
I would like to write another iptables file in the form of a script file starting with "#!/bin/sh" so that I can write commands like "if" or "for" in it.
I was wondering: is it actually better to make any change through system-config-securitylevel, or should one just write his own iptables without fearing to have a less good iptables than the one made by the system? In other words: can the system make all kinds of configurations (I would like, for example, to have a file from which banned IPs will be read. For this I need a bash script in order to write an "if" or "for" command), or does it make sense not to use the system to write the iptables and to do it manually?
So my question is how I should do it, but does it make sense to do it manually?
The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.
Thanks for your answer!
If I have this configuration (from the system):
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I could base my new iptables on this file, only removing the "RH-Firewall-1-" parts and adding what I need to add.
So the base of my new iptables could look like this:
#!/bin/sh
iptables=/sbin/iptables
# default policies; the real filtering happens in the rules below
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -F INPUT
$iptables -F FORWARD
# the "ACCEPT all -- anywhere anywhere" line with no state column is the loopback rule
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD jumped to the same RH chain, so it gets the same state accept and final reject
$iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
this should give me the same thing as the original system's configuration, am I right?
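Putting the two requests in this thread together (the first post asks for a "#!/bin/sh" script with a "for"/"if" that reads banned IPs from a file; the post above wants a hand-written equivalent of the RH-Firewall-1-INPUT rules), here is an added example. It is not code from the thread and not what system-config-securitylevel writes. The ban-file path /etc/firewall/banned.txt, the BANNED chain name, the open ssh port and the sample ban entries are assumptions for the example; the script only prints the iptables commands unless IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example for this thread: a hand-written firewall script that rebuilds the
# RH-Firewall-1-INPUT behaviour and adds a DROP list read from a file.
# IPTABLES defaults to a dry run that only prints the commands; set
# IPTABLES=/sbin/iptables (as root) to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}
BANFILE=${BANFILE:-/etc/firewall/banned.txt}   # assumed location of the ban list

# Emit the usable entries of a ban file: one IPv4 address or a.b.c.d/nn per line,
# first field only, '#' comments and blank lines ignored. Anything else is
# reported on stderr and skipped so that a typo never reaches iptables.
valid_ban_entries() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }' |
    while read -r entry; do
        if printf '%s\n' "$entry" |
           grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf '%s\n' "$entry"
        else
            printf 'skipping malformed ban entry: %s\n' "$entry" >&2
        fi
    done
}

# Rebuild INPUT from scratch: loopback, then the ban list, then the usual
# RELATED,ESTABLISHED accept, the services you open, and the same final reject
# that system-config-securitylevel uses. The BANNED chain is checked before the
# state rule so an already-open connection from a banned host is cut as well.
apply_firewall() {
    banfile=$1
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -N BANNED 2>/dev/null || $IPTABLES -F BANNED
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -j BANNED
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT   # ssh (assumed); add other services here
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # the "for"/"if" part the original poster asked about: one DROP per ban entry
    valid_ban_entries "$banfile" | while read -r ip; do
        $IPTABLES -A BANNED -s "$ip" -j DROP
    done
}

# Constructed sample ban list so the script can demonstrate itself in dry-run mode.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# banned hosts (constructed sample data, RFC 5737 documentation ranges)
192.0.2.10
198.51.100.0/24   port scanner        # trailing comments are fine
not-an-address
EOF
apply_firewall "$SAMPLE"
rm -f "$SAMPLE"
```

Run as-is it prints the rule set it would install, with one "skipping malformed ban entry" line on stderr for the bad sample entry; `IPTABLES=/sbin/iptables BANFILE=/path/to/list sh firewall.sh` as root applies it. Keeping the ban list in its own chain means it can be refreshed later by flushing and refilling BANNED without touching the rest of INPUT.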