iptables - How do you set "default allow"?
 

Hello,

New to the forums, first time poster (go easy on me!)

I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This lead me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:

Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server.

Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.


This will help get us passed our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vedor support with a legacy app). I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) then I can fine tune things to make them more secure.

As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.

I'd appreciate any help, or referals to other articles.

Cheers,

-Evan

I hope this may be help you

Thanks, but can you explain the components of this script to me? I don't see port 1521 listed in there at all. Plus, why do I need all that "other stuff"?

And once I have a script, does it go in /etc/sysconfig/iptables, or does it go in /etc/rc.firewall

Cheers,

-Evan

Yes can add these rules in /etc/sysconfig/iptables, start the service /etc/init.d/iptables start
if you need brief information plz refer the manpage for iptables

Here drop all traffic for INPUT and FORWARD
This allow http traffic in INPUT chain, The system will allow all http traffic, as like this you can allow ports that you need
In my rule i only allow some certain ports that need and well known so this may be more secure way to prevent attacks

What kirukan posted isn't a script, it's an iptables configuration file. It's also completely unrelated to what you're asking about so I'm not exactly sure what the point of posting it was. What you want to achieve can be handled with these commands:This filters inbound packets with destination port 1521/TCP.


This filters outbound packets with destination port 1521/TCP.


You could also filter by source port if you want, for example:This filters outbound packets with source port 1521/TCP.


All of these examples assume the server's network interface is called eth0, of course. Once you know which command(s) you want, just add them to any startup script (such as rc.local, for example) — you can move to a proper iptables configuration later, when you're ready to implement some serious firewall rules.

I believe if i drop all input ports traffic then it will drop 1521 port traffic too, until accept the specific (1521) port on the following ipchain rule
if i am wrong please correct me

The point is that he's asked for a default allow firewall ruleset with a one-port exception, yet you've provided him with a default deny ruleset with multi-port exceptions.

@win32sux

Thanks. Looks much simpler that way. Couple questions though:

1. Does anything special need to be done to allow all other traffic? Or is this the normal default behavior?
2. Should I run those commands from the console, or put them in a script?
3. Where in the script location? My server doesn't have a /etc/sysconfig/iptables (but it does have a /etc/syconfig/iptables-config) so I'm a little confused.
4. How do I clean up / remove all the "bad" scripts that the Guarddog app added? Is there a particular file or directory I should delete/rename?
5. Once this is set will I see the BLOCK / REJECT packets listed in /var/log/messages ?

Cheers,

-Evan

That is the normal default behavior. You mentioned that you were playing with an iptables front-end, though — so perhaps you changed said behavior. In any case, just post the output of this command and we'll be able to tell you whether or not your firewall is disabled:I'd run them manually first, then verify they are working properly, and then add them to a startup script so that they are automatically executed every time the system starts.

Forget those files for now. Those are configuration files and they will be useful to you later when you're doing iptables for real. For now, just stick the commands in rc.local (or equivalent).

I don't use that program, but I'd assume it doesn't do scripts. In other words, I suspect it just populates the iptables configuration file. Post the contents of the /etc/syconfig/iptables-config file along with the output of the command above and we'll be able to determine whether your active configuration is being pulled from there. In that case, resetting it to a clean and pristine state would be a snap, no worries.

No, you didn't list that as a requirement in your original post. In any case, making that happen is just a matter of executing a second identical command, except with the LOG target instead of DROP. You may also want to specify a log prefix to make the log entries easier to spot. For example:BTW, this vulnerability scan will be done completely remotely, right?

Output from the

iptables -nvL

is attached...

iptables-config is attached...

What about the /etc/sysconfig/iptables file? BTW, did you already uninstall Guarddog?

My servers don't have /etc/sysconfig/iptables files.

And no, I haven't uninstalled Guarddog yet.

-Evan

I'd uninstall it before proceeding. My understanding after reading this is that you should indeed have a /etc/sysconfig/iptables file. Perhaps Guarddog changes the RHEL4 default way of doing things?

Basically, the iptables -nvL output you posted earlier confirms you've got tons of firewall rules active.

OK. I just need to figure out how to uninstall it now...