LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-16-2013, 11:30 AM   #1
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Rep: Reputation: 17
apf firewall


I have Virtualmin installed in a dedicated server in other country. Operating system CentOS Linux 5.9 Webmin version 1.620 Virtualmin version 3.99.gpl GPL I installed apf-bfd firewall to automatically and manually add unwanted IPs Behavior is odd. Domains with external nameservers are accessed from everywhere but those having local NS cannot be accessed from several IPs I've tested. From my country I was able to navigate one of almost not accessible domain websites and SOME of its subdomains.

Some settings BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778" BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
Common inbound (ingress) TCP ports

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587,995,10031"
Common outbound (egress) TCP ports

EG_TCP_CPORTS="21,25,80,443,43,587,465,995"
Common outbound (egress) UDP ports

EG_UDP_CPORTS="20,21,53"

I need a clue on what to check/test to get it work. Thank you, M

PS: I did some silly things like to add some ips to allow.hosts like 127.0.0.1 and host and dns IPs. After that some extra domains were accessible
 
Old 04-17-2013, 11:06 PM   #2
Rocketrrt
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Rep: Reputation: Disabled
Maybe

Check and make sure the host you want connect to are listed in the hosts file in /etc/hosts
 
Old 04-19-2013, 05:48 PM   #3
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
Hello Rocketrrt,

my /etc/hosts just contains

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 mydomain.com host localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Thanks

Last edited by marciano; 04-20-2013 at 08:50 AM.
 
Old 04-20-2013, 04:12 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Web-based management panels should be used by people who already have practical admin level knowledge of the OS, it's inner workings and the services it provides. So my first advice, and this understandably is more generic than you would have hoped for, would be to stop relying on User Interfaces and learn to admin a server "the right way". (And yes, that means reading the documentation and using the command line.)


Quote:
Originally Posted by marciano View Post
I need a clue on what to check/test to get it work.
The easiest way to understand and "debug" Netfilter rule sets is to save your firewall rule set ('iptables-save'), review those rules, find the right spot to add rules and add then add the appropriate "-j LOG" logging rules. If unsure log in (over SSH but never as root user) and run
Code:
(sudo) iptables-save > /tmp/iptables.txt
and attach the file as plain text.
 
Old 04-20-2013, 08:49 AM   #5
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
Hello unSpawn, thanks for your advice.

My iptables-save
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*nat
:PREROUTING ACCEPT [708614:41550173]
:POSTROUTING ACCEPT [1591343:81159062]
:OUTPUT ACCEPT [1591343:81159062]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*mangle
:PREROUTING ACCEPT [29693194:4328132232]
:INPUT ACCEPT [29693194:4328132232]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25642587:18856862712]
:POSTROUTING ACCEPT [25642587:18856862712]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*filter
:INPUT ACCEPT [14412:2109643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12628:9019428]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013

Maybe I don't really need to use apf and bfd just to ban ALL those IP disturbing the server like 96.47.225.* and 110.89.58.* and those selected by bdf

What I performed was
iptables -A INPUT -s 96.47.225.0/24 -j DROP
iptables -A OUTPUT -d 96.47.225.0/24 -j DROP
service iptables save

but accesses from that range are still logged

Thank you
 
Old 04-20-2013, 05:03 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Your machine is currently completely unprotected as your active rule set allows all traffic to pass through.
I don't know what you did but this is not even the stock rule set that comes with CentOS.
Please attach your /etc/sysconfig/iptables rule set as plain text file.
 
Old 04-20-2013, 07:20 PM   #7
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
Last major upgrade was in 2010, new server. Centos 5 was intalled by default in my dedicated server. Then I installed webmin-virtualmin. Developers say that "Linux Firewall" is fairly enough.
As you could see my network knowledge is poor. I don't understand Webmin firewall menu-rules, this is not my speciality, I had to enter in dedicated servers by necessity and my budget is very small to hire someone.

I've installed apf-bfd and I see bfd adding unwanted 'visitors' to deny.hosts but disabling debug mode I came into problems I described before.
Thank you
Attached Files
File Type: txt iptables.txt (682 Bytes, 10 views)
File Type: txt iptables-save.txt (1.1 KB, 10 views)

Last edited by marciano; 04-20-2013 at 07:25 PM.
 
Old 04-21-2013, 05:38 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Quote:
Originally Posted by marciano View Post
Last major upgrade was in 2010, new server. Centos 5 was intalled by default in my dedicated server.
0. If with "was installed by default" you mean you have not invested time properly hardening the machine then that should be the first issue to address.
1. For future reference this is how a stock CentOS 5 rule set looks like: http://www.linuxquestions.org/questi...5/#post4869324. Note it does allow inbound SSH (so you can access your machine as unprivileged non-root user) and HTTP requests but you will not want to load without knowing what other services you need to provide. If you attach the output of these commands we should be able to craft you a reasonably simple firewall rule set:
Code:
( /sbin/ip link show|awk '/eth[0-9]/{print $2}'; /sbin/runlevel; /sbin/chkconfig --list; /bin/netstat -antulpe; /bin/ps axf -eo pid,ppid,uid,gid,nice,pri,pcpu,args --sort=pid; /usr/bin/last -wai30 ) > /tmp/output
*Do obfuscate the IP address of your server (replace with say "n.n.n.n") and the machine you're connecting from (replace with say "x.x.x.x") before attaching. Example:
Code:
sed -i "s|1.2.3.4|n.n.n.n|g" /tmp/output

Quote:
Originally Posted by marciano View Post
Developers say that "Linux Firewall" is fairly enough.
That it is.


Quote:
Originally Posted by marciano View Post
I've installed apf-bfd and I see bfd adding unwanted 'visitors' to deny.hosts but disabling debug mode I came into problems I described before.
/etc/hosts.{allow,deny} (aka tcp_wrappers, see 'man 5 hosts_access') is an application layer mechanism. Most of the time you'll want to start with network layer mechanisms instead. See Denyhosts vs Fail2ban aka tcp_wrappers vs iptables.


Quote:
Originally Posted by marciano View Post
As you could see my network knowledge is poor. I don't understand Webmin firewall menu-rules, this is not my speciality, I had to enter in dedicated servers by necessity and my budget is very small to hire someone.
While this isn't a Linux Security topic I've entered in that particular discussion often enough, so let me see if I can convince you of the right mindset.
- First of all, with all due respect, it is not a valid excuse. Especially if you're looking to make money off of it. Making money means having customers. For customers to part with their money (apart from offering enticing goods or services) they have be able to depend on and trust your business. As you well know trust is difficult to gain and easy to lose. Flaky services or worse, a compromised server, ain't exactly good for the image of your business.
- Secondly there is the "problem" with GNU/Linux itself as a business offering. The choice for running GNU/Linux should be a based on strenghts: practical knowledge and an understanding of what the platform offers (in terms of performance, protection of assets and how it provides services in a continuous, stable and secure way) and not, like many unfortunately choose, the weakest argument: just because it was the cheapest alternative available. Linux may be free to use but using it is not free of responsibilities.
- This ties in with the third point: you are a netizen. This means you are responsible for keeping your machine(s) and services from (doing) harm. Not only for your own benefit but for the whole community.

I'm hesitant to say "reap what you sow" because that could be explained both in a bad or a good way ;-p It's probably easier to say that you know you have to invest before you can reap any rewards. In short: if you won't buy admin services then you will have to gain the required knowledge yourself. I hope you understand that what I wrote above is not optional. Do know I well realize the implications of what I wrote above and I wish you good luck with it.


*BTW to, among other reasons, address your original question of blocking IP addresses conveniently I just wrote Blocking lists of IP addresses using the iptables recent module or ipset and make fail2ban use it.
HTH

Last edited by unSpawn; 04-21-2013 at 07:36 AM. Reason: //Addendum
 
Old 04-21-2013, 10:33 AM   #9
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
Hello unSpawn,

0) This is what Webmin-Virtualmin primarily does, say the developers.

1) When I create a new user I have the option to disallow ssh access (/bin/false) I always pay attention on it.

I agree with all what you say. I trusted Webmin-Virtualmin since 2005 in the understanding I was able to get some kind of control and protection on issues I am a neophyte.

Here's the file you requested. I changed first part of server and client IPs and usernames. If I have forgotten something sensitive to be hidden please let me know to change the attachment (if I am able to do this)

Thank you very much again for your help and advices.
Attached Files
File Type: txt output1.txt (38.5 KB, 10 views)
 
Old 04-21-2013, 03:56 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Quote:
Originally Posted by marciano View Post
0) This is what Webmin-Virtualmin primarily does, say the developers.
No, that's not what the developers say:
- Webmin is a web-based admin-level tool, a system control panel,
- Usermin provides access to user-level tasks and
- Virtualmin is a web hosting control panel.
Securing, hardening, auditing start right at installing the OS and are continuous processes.


Quote:
Originally Posted by marciano View Post
1) When I create a new user I have the option to disallow ssh access (/bin/false) I always pay attention on it.
OK, yet you yourself apparently have no qualms logging in as root directly:
Code:
 5097     1     0     0   0  24  0.0 /usr/sbin/sshd
17384  5097     0     0   0  24  0.0  \_ sshd: root@pts/0 
17421 17384     0     0   0  21  0.0      \_ -bash
17493 17421     0     0   0  24  0.0          \_ -bash
17499 17493     0     0   0  22  0.0              \_ /bin/ps axf -eo pid,ppid,uid,gid,nice,pri,pcpu,args --sort=pid
That's not a security best practice.


Quote:
Originally Posted by marciano View Post
I trusted Webmin-Virtualmin since 2005 in the understanding I was able to get some kind of control and protection (..)
That's OK if you know (and know how to check) how to things work.


That said here's an example rule set according to what nfo you provided. The thread I linked to before should provide a good read containing explanation and resources:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
# Limit NS, MTA and SSH requests:
# -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22,25,53 -m limit --limit 1/s -j ACCEPT
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
# -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443,953,993,995 -m limit --limit 30/m -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s y.134.0.0/16 -j ACCEPT
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
# Limit NS requests:
# -A INPUT -p udp -m state --state NEW -m tcp --dport 53 -m limit --limit 30/s -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 20,21,53 -j ACCEPT
#
# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s y.134.0.0/16 -j ACCEPT
#
# ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
#
# Log and REJECT the rest:
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# 
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
# -A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -m limit --limit 1/s -j ACCEPT
COMMIT
*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.
**Do ensure you can gain access if something goes awry when testing this rule set. Probably easiest way is to save the above rule set as say "/tmp/iptables.txt", set both IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config, ensure the at service is running and then add a one-off before testing things:
Code:
vi /etc/sysconfig/iptables-config
/sbin/service atd start
echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
/sbin/iptables-restore < /tmp/iptables.txt

HTH

Last edited by unSpawn; 04-21-2013 at 03:57 PM.
 
Old 04-22-2013, 02:37 PM   #11
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
Hello unSpawn,

Before changing my iptables I am reading your other post and wiki.centos.com/HowTos/Network/IPTables
I need some extra explanation please. What for is this?
Quote:
# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s y.134.0.0/16 -j ACCEPT
*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.
Would you please explain "you log in"?
I login from ssh, ftp, https (Webmin, Usermin). Other users also log in those services from ranges that could change.
What if I log in from another country (IP)? Would I be able to add the new IP, for example from https to accept that IP for ssh?
Thanks a lot
 
Old 04-22-2013, 05:04 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Quote:
Originally Posted by marciano View Post
I need some extra explanation please. What for is this?
This would be a better example:
Code:
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s y.134.0.0/16 -j ACCEPT
#*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.
It means that these services are only accessible from specific networks (white listing). The reason for that is that some services shouldn't be exposed to the 'net unnecessarily. For example MySQL by default it uses a UNIX socket so it can't be accessed tru the 'net anyway. Webmin and Usermin are admin(-ish) tools no ordinary user should have access to (and if exposed they should use SSL anyway). If you don't want to use white listing just add the ports to the "-m tcp -m multiport --dports" rule and comment out these "-s x.52.0.0/16" and "-s y.134.0.0/16" rules.


Quote:
Originally Posted by marciano View Post
Would you please explain "you log in"?
I login from ssh, ftp, https (Webmin, Usermin).
It's not about the service you use but the network you connect from. Depending on the type of service (xDSL, cable, etc, etc) you may have a static IP address or a dynamic one. In the latter case you'd use a /24 or /16 range. That isn't much protection (you should SSL'ize services as well) but it's better than exposing for example Webmin to world unprotected IMHO.


Quote:
Originally Posted by marciano View Post
Other users also log in those services from ranges that could change.
It's not about other common users but about you in your role as server admin.


Quote:
Originally Posted by marciano View Post
What if I log in from another country (IP)? Would I be able to add the new IP, for example from https to accept that IP for ssh?
It would require service that doesn't use white listing. (For services like SSH you could use what they call port knocking but that's too much for now.)
 
Old 04-22-2013, 06:01 PM   #13
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
unSpawn: I got an error executing
/sbin/iptables-restore < /tmp/iptablesNEW.txt
iptables-restore: line 56 failed
This is the last line "COMMIT"
The attached file is iptablesNEW.txt
I changed IP. x and y are not the same in all lines.
Thank you
Attached Files
File Type: txt output2.txt (3.5 KB, 10 views)
 
Old 04-22-2013, 06:28 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,447
Blog Entries: 54

Rep: Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890Reputation: 2890
Try this:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICT - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 20,21,53 -j ACCEPT
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp --dport 123 -J RESTRICT
#
# Chain holding allowed IP ranges
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/8 -j ACCEPT
-A RESTRICT -s x.y.0.0/8 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.224.0/24 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.10.124 -j ACCEPT
#
# ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
#
# Log and REJECT the rest:
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# 
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
-A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -m limit --limit 1/s -j REJECT
#
COMMIT
 
Old 04-22-2013, 06:47 PM   #15
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
Rep: Reputation: 17
unSpawn, same problem at last line COMMIT (after changing -J to -j at line 19).
Thanks

PS: just to clarify.
I already had IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config
From command line
# /sbin/service atd start
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore < /tmp/iptablesNEW.txt

I edited iptablesNEW.txt in gedit plain text and then uploaded to server (and chmod 600)
Attached Files
File Type: txt iptablesNEW2.txt (1.8 KB, 8 views)

Last edited by marciano; 04-22-2013 at 07:19 PM. Reason: Adding info
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
apf firewall deepmala8 Linux - Security 1 06-22-2011 07:49 AM
regarding apf firewall deepmala8 Linux - Networking 1 06-21-2011 05:58 AM
APF firewall help deepmala8 Linux - Security 3 06-17-2011 05:46 AM
apf firewall liang3391 Linux - Security 3 05-25-2009 10:22 AM
APF firewall binumvk Linux - Security 2 10-14-2004 05:12 AM


All times are GMT -5. The time now is 06:28 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration