LinuxQuestions.org

Red Hat forum: iptables in sysconfig?? (http://www.linuxquestions.org/questions/red-hat-31/iptables-in-sysconfig-372274/)

Mibble 10-12-2005 11:11 AM

iptables in sysconfig??
 
Hi there,
my host, who has not been the greatest at helping, has stated I can add info into my /etc/sysconfig/iptables file (which is not there).
I need to block ports 139 and 445 yet not touch anything else which may be blocked.
I tried using a script from iptables.net, yet when I did, it blocked access to my sites via Dreamweaver, and nothing could be uploaded.
This is what I used:
# import this saved configuration into your iptables configuration with the following command:
# iptables-restore < web_server.config

*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2086 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7


-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7


-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

How can I go about doing this?

Brian1 10-12-2005 08:50 PM

From what I can tell it is not allowing those ports already.
Need more info.

How are you testing to see if the port is open?
Are you using nmap to check for open ports?
Are you using the localhost 127.0.0.1 to test against?

Is this a LAN machine behind a cable/DSL router?
If it is, and if you have another machine on the LAN, install a portscan tool on it and scan the machine.

If there is no router between the machine and the modem, then use one of the sites out there to portscan the machine. A good one is http://www.hackerwatch.org/probe/

Brian1

Mibble 10-12-2005 09:24 PM

Hi there,

The portion I used did not stay, thus there currently is no iptables in my sysconfig directory. What I need to do is add it, thus do I just add this portion as a file?
Dreamweaver did not work when I ran the command:

iptables-restore < webserver_config

where webserver_config is the above info I posted.

Thanks for your help.

jillande 10-12-2005 09:56 PM

Red Hat reads from /etc/sysconfig/iptables when you start the iptables service, i.e.:
Code:

service iptables start

The file is not there by default since there are no iptables created by default.

If you load all of the iptables rules you want (i.e. run them on the command line) and export them with iptables-save, you can direct the output to /etc/sysconfig/iptables, i.e.
Code:

iptables-save > /etc/sysconfig/iptables

and when you boot (if iptables starts on boot) or when you start the iptables service, it will read from that file. Alternatively, if you put your file webserver_config in /etc/sysconfig/iptables and start iptables, it will read from the file.


If you just want to block ports 139 and 445, the "webserver_config" you have posted does more than just block those two ports. This line in particular: ":INPUT DROP [1:242]" looks like it will cause problems with connecting to your website (likely over ftp/port 21?).

Mibble 10-12-2005 10:04 PM

Yes, that definitely happens; I can no longer FTP. I want to be able to FTP and also use secure FTP, so I appreciate the help. I took the sample file from iptables.net or something like that and added 2082, 2086, 2089, so I will remove the one you referenced. Any other suggestions on what I should remove are appreciated.

jillande 10-13-2005 04:42 PM

If literally all you want to do is drop incoming ports 139 and 445, you can do something like this:

*filter
:INPUT ACCEPT [3763225:3207648184]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3607438:859001518]
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT


This save file is all the commands you would use on the command line, i.e. you can just type "iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP" and it will drop incoming packets on port 139. If you want to drop outgoing packets too, that requires just one more line. So if you want to test everything and make sure it works one line at a time, enter the commands one at a time and then use "iptables-save > /etc/sysconfig/iptables" to save what you actually use.

ApachePadowan 10-16-2005 10:37 PM

No need for above
 
Actually, there is no need to make your firewall as insecure as above.

Go to iptablesrocks.org; the dude there has set up a fairly decent firewall which does not include port 139.

As far as the ftp is concerned, you need to run the command

insmod ip_conntrack_ftp

If you get any errors (i.e. can't find ip_conntrack_ftp), run

locate ip_conntrack_ftp

If it finds the file, that means you have it, but for some reason insmod can't install it. For this you need to go and edit iptables-config

vi /etc/sysconfig/iptables-config (your path may vary upon distro)

You will find a parameter called IPTABLES_MODULES, you need to set this to

IPTABLES_MODULES="ip_conntrack_ftp"

Save and exit

(In case you don't know how to use vi that much, the command to save and exit is wq)

You then need to add this rule to your FORWARD chain

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Restart iptables; you should now be able to ftp with YOUR previous settings (plus the one I just gave you) without having to risk your machine.

_______________________________________________________

P.S. About vi, I put that up there because a lot of places tell you to "save and exit." For the longest time I would use the "sav" command, which, if I was outside the directory, meant I had to add the path every time. It wasn't until I got it in my head to Google for a quick way to save and exit that I came across the command wq, which Writes the file and Quits... If you knew this, cool... if not, I hope I saved you (and anyone else reading this) a whole bunch of needless typing....
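The two rule sets in this thread treat the same packet differently, and that difference is what broke Dreamweaver's FTP. The evaluator below is an added example, not code from the thread or any of its posters: it parses the iptables-save format jillande describes, walks the INPUT chain with first-match semantics (LOG is non-terminating, a user chain falls through), and shows that under the original file a NEW connection to a high port such as a passive FTP data port reaches the INPUT DROP policy, while the same packet is accepted once the ip_conntrack_ftp helper has marked it RELATED, which is the point of ApachePadowan's reply. STRICT and MINIMAL are constructed excerpts of the two posted files, and only the matches those files use (-p, -s, --dport, --state) are modelled; a real kernel evaluates far more.

```python
import shlex

def parse_filter(dump):
    # Split the *filter table of an iptables-save dump into {chain: policy} and {chain: [rule argv]}.
    policies, chains, active = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *filter
            active = line == "*filter"
        elif not active or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line[0] == ":":                          # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, chains.get(name, [])
        elif line.startswith("-A "):                  # "-A CHAIN <matches> -j TARGET"
            chains.setdefault(line.split()[1], []).append(shlex.split(line)[2:])
    return policies, chains

def walk(policies, chains, chain, proto, dport, state, src):
    # First matching rule wins; LOG does not terminate; a user chain falls through if nothing matches.
    for rule in chains.get(chain, []):
        opts = dict(zip(rule[::2], rule[1::2]))       # every option in these dumps takes one value
        if (opts.get("-p", proto) != proto or opts.get("-s", src) != src
                or int(opts.get("--dport", dport)) != dport
                or state not in opts.get("--state", state).split(",")):
            continue
        if opts["-j"] in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
        if opts["-j"] != "LOG" and (sub := walk(policies, chains, opts["-j"], proto, dport, state, src)):
            return sub
    return None if policies.get(chain) == "-" else policies.get(chain)

def input_verdict(dump, dport, state="NEW"):
    # Verdict for a TCP packet from a remote host reaching the INPUT chain on dport.
    return walk(*parse_filter(dump), "INPUT", "tcp", dport, state, "remote")

# Constructed excerpts: STRICT mirrors the web_server.config at the top of the thread, MINIMAL jillande's reply.
STRICT = """*filter
:INPUT DROP [1:242]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
COMMIT"""
MINIMAL = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT"""
```

Port 139 is dropped under both files, but under STRICT a NEW packet to port 50000 is dropped (the FTP symptom) and only passes as RELATED, whereas MINIMAL accepts it by policy.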

