LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-08-2015, 07:30 AM   #1
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Don't want to rely on RH-Firewall-1-INPUT in IPTables, how do I Modify?


I've noticed that a lot of folks here don't want to rely on the IPTable Rules for RH-Firewall-1-INPUT. On a fresh RHEL Server that I've deployed, I've selected a number of rules during the install phase and noticed that they all ended up under

Code:
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1158
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1521
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
(END)
I've also noticed that there is a rule under the Chain INPUT along with Chain FORWARD

Code:
Chain INPUT (policy ACCEPT)

5    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Code:
Chain FORWARD (policy ACCEPT)

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
My thinking is this: I don't want to rely on the RH-Firewall-1-INPUT rule either, so in order to fix this, I would have to do the following:

-Add all of the rules that were under RH-Firewall-1-INPUT into the Chain INPUT

Code:
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1158
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1521
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

-Remove the following Chain FORWARD

Code:
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Is this thinking correct?
 
Old 07-08-2015, 09:32 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
I believe you'd need the forward to go to your new INPUT now.

Why not just edit your iptables file to replace all RH-Firewall-1-INPUT references with just INPUT?

The iptables file is in /etc/sysconfig.

Make sure you run "service iptables restart" to make the new rules apply.

By the way RHEL6 uses INPUT rather than RH-Firewall-1-INPUT. Are you doing a fresh install on a RHEL5 or earlier? You really should NOT be using RHEL5 as it will be going end of support within a year or so. RHEL7 has been out for more than a year and RHEL8 is probably coming in the not too distant future. Ideally you'd move to RHEL7 if possible but at least to RHEL6. (RHEL6 is still based on 2.6.x kernel, RHEL7 is using 3.x kernel).
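One way to do the chain rewrite discussed in the first two posts (taking the rules out of RH-Firewall-1-INPUT and putting them straight into the built-in chains of /etc/sysconfig/iptables), as an added example that is not code from this thread: the fold_rh_chain function and the sample rules file are constructed here. It reads the file in iptables-save format and handles the two things a plain global replace gets wrong, the leftover chain declaration and the jump lines, and by default keeps FORWARD covered, which is the point the second reply raises.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite a RHEL5-style
# /etc/sysconfig/iptables so the rules that sat in RH-Firewall-1-INPUT are
# appended directly to the built-in chains. A bare
# "sed s/RH-Firewall-1-INPUT/INPUT/" leaves a second ":INPUT" declaration
# and the self-jump "-A INPUT -j INPUT", which iptables-restore rejects.

# fold_rh_chain [DUP_FORWARD]   reads iptables-save text on stdin
#   DUP_FORWARD=1 (default) also copies every rule into FORWARD, which is
#   what the old "-A FORWARD -j RH-Firewall-1-INPUT" jump achieved.
#   DUP_FORWARD=0 drops the FORWARD jump as the poster planned; FORWARD is
#   then left with nothing but its ACCEPT policy.
fold_rh_chain() {
    awk -v dup="${1:-1}" '
        # drop the user-defined chain declaration and both jumps into it
        /^:RH-Firewall-1-INPUT / { next }
        /^-A (INPUT|FORWARD) -j RH-Firewall-1-INPUT$/ { next }
        # re-home each rule; order is kept because the file lists the
        # RH-Firewall-1-INPUT rules after the jump lines
        /^-A RH-Firewall-1-INPUT / {
            rest = substr($0, length("-A RH-Firewall-1-INPUT ") + 1)
            print "-A INPUT " rest
            if (dup == 1) print "-A FORWARD " rest
            next
        }
        { print }   # *filter, policy lines and COMMIT pass through
    '
}

# Constructed sample in the shape system-config-securitylevel writes it.
SAMPLE=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# On a real box, redirect this to a new file and diff it before installing.
printf '%s\n' "$SAMPLE" | fold_rh_chain
```

Save the live ruleset with iptables-save before running service iptables restart: a restore that fails on restart leaves the freshly flushed chains sitting on their ACCEPT policy.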
 
Old 07-08-2015, 10:52 AM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Quote:
Originally Posted by MensaWater
Why not just edit your iptables file to replace all RH-Firewall-1-INPUT references with just INPUT?
Right that is my goal here, I want to eliminate the RH-Firewall-1-INPUT and just use INPUT. I'm not sure how.


Quote:
Originally Posted by MensaWater
By the way RHEL6 uses INPUT rather than RH-Firewall-1-INPUT.
I was aware of this by the various posting on this forum.

Quote:
Originally Posted by MensaWater
Are you doing a fresh install on a RHEL5 or earlier? You really should NOT be using RHEL5 as it will be going end of support within a year or so. RHEL7 has been out for more than a year and RHEL8 is probably coming in the not too distant future. Ideally you'd move to RHEL7 if possible but at least to RHEL6. (RHEL6 is still based on 2.6.x kernel, RHEL7 is using 3.x kernel).
I understand this, however my boss wants to stick with the solid and tested OS and wants to hold on till the bitter end. Kind of like Windows XP Users...
Tags
iptables, rh-firewall-1-input