LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-19-2010, 02:01 PM   #16
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster

Ugh. I figured out how to uninstall the app with an rpm -e <rpm name> command. I then deleted the /etc/rc.firewall config file that it created. Now the iptables service won't start (even after a reboot). service iptables start doesn't do anything, and a service iptables status just reads: Firewall is stopped.

Is there a log file I can look at to see what might be broken?

-Evan
 
Old 03-19-2010, 02:05 PM   #17
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Is it not running as a service? I think if you stop the guarddog service it will flush all the firewall rules which are imposed by guarddog.
 
Old 03-19-2010, 02:06 PM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by negativeground
Ugh. I figured out how to uninstall the app with an rpm -e <rpm name> command. I then deleted the /etc/rc.firewall config file that it created. Now the iptables service won't start (even after a reboot). service iptables start doesn't do anything, and a service iptables status just reads: Firewall is stopped.

Is there a log file I can look at to see what might be broken?

-Evan
What does iptables -nvL show now?

It doesn't sound like anything is broken, it sounds like it was properly set back into default.

Last edited by win32sux; 03-19-2010 at 02:13 PM.
 
Old 03-19-2010, 02:25 PM   #19
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I'm on my way out, so I won't get your reply until later today. But I wanted to leave this script here with you. Basically, execute it and it'll populate your /etc/sysconfig/iptables file for you. You should then be able to reboot and see that the port 1521/TCP rule is loaded, with logging enabled. You can then proceed to confirm it works by doing a port scan.
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Reset every built-in chain policy to ACCEPT in all four tables
# (filter, nat, mangle, raw), so nothing stays blocked by a policy
# the removed firewall tool may have left behind.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

# Flush all rules (-F) in each table (no -t means the filter table)
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

# Delete all user-defined chains (-X) in each table
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# Log, then drop, incoming TCP connections to port 1521 on eth0.
# The LOG rule has to come first, because DROP ends rule traversal.
$IPT -A INPUT -p TCP -i eth0 --dport 1521 -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -p TCP -i eth0 --dport 1521 -j DROP

# Zero the packet and byte counters (-Z) so the saved file starts clean
$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

# Save the live ruleset in the format the iptables init script loads
# at boot. ${IPT}-save expands to /sbin/iptables-save.
${IPT}-save > /etc/sysconfig/iptables
With this method, you don't need to add any commands to your startup scripts.
 
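As an added example (not win32sux's script and not part of this thread), here is the same reset-then-deny ruleset written so that the ports to deny live in one list and the saved file is checked afterwards. It assumes the same paths as the post above (/sbin/iptables, /sbin/iptables-save, /etc/sysconfig/iptables, eth0); the DENY_PORTS, DRY_RUN and IFACE variables, the --apply switch and the function names are this example's own. Run it without arguments and it only prints the commands it would issue; run it as root with --apply to execute them and write the file. It also covers two questions that come up further down the thread: adding another deny port is one more word in DENY_PORTS, and reset_tables shows what is cleared in each of the nat, mangle and raw tables.

```shell
#!/bin/sh
# Added example (not the script from the thread): reset all tables,
# LOG+DROP a list of TCP ports, save the ruleset and verify the file.
# DENY_PORTS, DRY_RUN, IFACE, run, reset_tables, add_deny_rules and
# check_saved_rules are names chosen for this example.

IPT="${IPT:-/sbin/iptables}"
IPT_SAVE="${IPT_SAVE:-/sbin/iptables-save}"
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
IFACE="${IFACE:-eth0}"
DENY_PORTS="${DENY_PORTS:-1521}"   # space separated, e.g. "1521 3306"
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands

# run CMD...: execute the command, or just print it when DRY_RUN is 1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# reset_tables: ACCEPT policies, then flush rules (-F), delete user
# chains (-X) and zero counters (-Z) in filter, nat, mangle and raw,
# so nothing from a previously installed firewall tool survives.
reset_tables() {
    for chain in INPUT FORWARD OUTPUT; do run "$IPT" -P "$chain" ACCEPT; done
    for chain in PREROUTING POSTROUTING OUTPUT; do run "$IPT" -t nat -P "$chain" ACCEPT; done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do run "$IPT" -t mangle -P "$chain" ACCEPT; done
    for chain in PREROUTING OUTPUT; do run "$IPT" -t raw -P "$chain" ACCEPT; done
    for t in filter nat mangle raw; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
        run "$IPT" -t "$t" -Z
    done
}

# add_deny_rules PORTS: a LOG rule followed by a DROP rule per port, so
# every dropped connection attempt is visible in the kernel log.
add_deny_rules() {
    for port in $1; do
        run "$IPT" -A INPUT -p tcp -i "$IFACE" --dport "$port" -j LOG --log-prefix "INPUT DROP: "
        run "$IPT" -A INPUT -p tcp -i "$IFACE" --dport "$port" -j DROP
    done
}

# check_saved_rules FILE PORTS: FILE is in iptables-save format (what the
# init script loads at boot). Prints the ports that lack either rule and
# returns 1 if any is missing, 0 when everything is there.
check_saved_rules() {
    file="$1"; ports="$2"; rc=0
    for port in $ports; do
        if ! grep -q -- "--dport $port -j LOG" "$file" \
           || ! grep -q -- "--dport $port -j DROP" "$file"; then
            echo "missing rule(s) for port $port in $file"
            rc=1
        fi
    done
    return $rc
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    reset_tables
    add_deny_rules "$DENY_PORTS"
    "$IPT_SAVE" > "$RULES_FILE"
    check_saved_rules "$RULES_FILE" "$DENY_PORTS"
fi
```

The check at the end is the piece the original script lacks: after `service iptables restart` you can rerun `check_saved_rules /etc/sysconfig/iptables "1521"` (or compare against `iptables-save` output) to confirm that the rules the init script will load are the ones you intended, before relying on a port scan.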
Old 03-19-2010, 02:53 PM   #20
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster
Chain INPUT (policy ACCEPT 2336 packets, 2050K bytes)
pkts bytes target port opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target port opt in out source destination

Chain OUTPUT (policy ACCEPT 2526 packets, 2536K bytes)
pkts bytes target port opt in out source destination

----
Looks like this is a normal "clean" config, correct?

Thanks so much for the script!! And thanks for adding the logging setting too! I'll run that today. What is the process for adding new "deny" ports? Just go into /etc/sysconfig/iptables and add a new line, using the same syntax as the ones you listed?

Cheers,

-Evan
 
Old 03-19-2010, 03:03 PM   #21
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster
Script ran fine. I can see the settings in /etc/sysconfig/iptables. But when I do a service iptables start I get:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat mangle raw [FAILED]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

Any ideas? Or is this OK?

-Evan
 
Old 03-19-2010, 03:41 PM   #22
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster
Is this what is going on with the script? http://bugs.centos.org/view.php?id=1676
 
Old 03-19-2010, 07:27 PM   #23
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Yeah, that looks like the bug that's biting you. In fact, Red Hat themselves have a bug number assigned to this issue. The patch seems simple enough if you wanna go for it. Needless to say, backup the file before you edit it!

As for adding ports, I'd suggest editing the script and then re-executing it. This way your /etc/sysconfig/iptables file gets populated by the iptables-save binary itself, reducing the risk of human error.

Last edited by win32sux; 03-19-2010 at 07:28 PM.
 
Old 03-22-2010, 03:17 PM   #24
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster
Hey, thanks again. I'm trying to install that patch, but it doesn't include instructions for how to install the ".diff" attachment that they let you download. I tried just running it straight from a command line (like a .sh file) but it didn't work. Probably something easy I'm missing? This is the content of the file:

--- iptables.init 2004-09-17 11:41:31.000000000 +0100
+++ iptables.init.raw 2008-06-02 12:06:58.000000000 +0100
@@ -120,6 +120,11 @@
for i in $tables; do
echo -n "$i "
case "$i" in
+ raw)
+ $IPTABLES -t raw -P PREROUTING $policy \
+ && $IPTABLES -t raw -P OUTPUT $policy \
+ || let ret+=1
+ ;;
filter)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
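Review bot: as pasted here, the whole hunk (context lines included) appears to have lost its leading indentation, so running `patch` on a copy of this post is likely to end in a rejected hunk, because `echo -n "$i "` and `case "$i" in` will no longer match the init script byte for byte; apply the downloaded .diff attachment itself rather than this text. The change is otherwise sound: the raw table has only the PREROUTING and OUTPUT built-in chains, so the two `-P` calls in the new `raw)` case cover it, and the `|| let ret+=1` error handling mirrors the `filter)` case that follows. Since the `---`/`+++` header names the file `iptables.init` rather than the installed script, give `patch` the target explicitly and dry-run it first, after the backup win32sux recommends: `cp /etc/init.d/iptables /etc/init.d/iptables.orig`, then `patch --dry-run /etc/init.d/iptables < <downloaded .diff>`, and repeat without `--dry-run` once no hunk fails.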
Cheers,

-Evan
 
Old 03-22-2010, 03:24 PM   #25
negativeground
LQ Newbie
 
Registered: Mar 2010
Location: Portland, OR
Posts: 13

Original Poster
Also, you've already helped a lot, and I don't want to bug you, but...

Why do I need the "nat", "mangle", and "raw" entries in there anyways? What purpose do they serve?
 
Old 03-22-2010, 04:13 PM   #26
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

A diff is intended to be applied using the patch command. In this case, however, the diff is so small that you could easily do it by hand (it's still a good idea for you to learn to use the patch command later on, though). Basically, the lines beginning with a plus sign mean that the line is to be added. The lines without a plus (or minus) sign are there to provide context, so you can know what the chunk you need to edit looks like. In this case, you're basically inserting this:
Code:
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
...right before the "filter)" line.

Those tables are included in the script I posted in order to make sure absolutely everything is clean and pristine, which is something I consider to be a good habit.

Last edited by win32sux; 03-22-2010 at 04:23 PM.
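The hand edit described above, as an added example that is not from the thread or from the CentOS/Red Hat bug: a small shell script that makes a backup, inserts the five lines of the diff immediately before the first "filter)" line of an init script, copies that line's indentation, and refuses to insert a second time. The function names and the .orig backup suffix are this example's own choices; the inserted lines are the ones from the diff quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): apply the "insert raw) before
# filter)" edit with awk, with a backup and an already-applied check.
# raw_case_lines, has_raw_case and insert_raw_case are this example's names.

# The five lines added by the diff, without indentation; the indentation
# of the filter) line is prepended when they are inserted.
raw_case_lines() {
    cat <<'EOF'
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
EOF
}

# has_raw_case FILE: succeeds if the script already has a raw) case
has_raw_case() {
    grep -q '^[[:space:]]*raw)' "$1"
}

# insert_raw_case FILE: copy FILE to FILE.orig, then write FILE again with
# the raw) case inserted before the first filter) line. Returns 1 and
# leaves FILE untouched if the case is already there or no filter) exists.
insert_raw_case() {
    file="$1"
    if has_raw_case "$file"; then
        echo "$file: raw) case already present, nothing to do" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*filter)' "$file"; then
        echo "$file: no filter) line found, not touching it" >&2
        return 1
    fi
    cp -p "$file" "$file.orig"
    raw_case_lines > "$file.rawcase"
    awk -v ins="$file.rawcase" '
        !done && $0 ~ /^[ \t]*filter\)/ {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            while ((getline line < ins) > 0) print indent line
            close(ins)
            done = 1
        }
        { print }
    ' "$file.orig" > "$file"
    rm -f "$file.rawcase"
}
```

Usage on a CentOS box would be `insert_raw_case /etc/init.d/iptables` followed by `sh -n /etc/init.d/iptables` to confirm the script still parses, with `/etc/init.d/iptables.orig` kept for rollback. The same result is what `patch` produces from the original attachment; the awk version just makes the manual edit repeatable and safe to rerun.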
 
  


All times are GMT -5.