Old 10-12-2005, 11:11 AM   #1
iptables in sysconfig??

Hi there,
my host, which has not been the greatest at helping, has stated I can add info into my /etc/sysconfig/iptables file (which is not there).
I need to block ports 139 and 445 yet not touch anything else which may be blocked.
I tried using a script from yet when I did, it blocked access to my sites via Dreamweaver, and nothing could be uploaded.
This is what I used:
# import this saved configuration into your iptables configuration with the following command:
# iptables-restore < web_server.config
#
# Note: the "*table" and "COMMIT" lines that iptables-restore requires did not survive the
# paste and have been put back; the filter table's OUTPUT/FORWARD policy lines and the
# source address after "-s" in icmp_packets did not survive either and are left as they were.

*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT

*mangle
:OUTPUT ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

*filter
:INPUT DROP [1:242]
:icmp_packets - [0:0]
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2086 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7

-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7

-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
# the address after -s was lost in the post; it must be supplied before this file will load
-A icmp_packets -s -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

How can I go about doing this?
Old 10-12-2005, 08:50 PM   #2
From what I can tell it is not allowing those ports already.
Need more info.

How are you testing to see if the port is open?
Are you using nmap to check for open ports?
Are you using the localhost to test against?

Is this a LAN machine behind a cable/DSL router?
If it is, and if you have another machine on the LAN, install a port-scan tool on it and scan the machine.

If there is no router between the machine and the modem, then use one of the sites out there to port-scan the machine. A good one is

Old 10-12-2005, 09:24 PM   #3
Original Poster
Hi there,

The portion I used did not stay, thus there currently is no iptables file in my sysconfig directory. What I need to do is add it, thus do I just add this portion as a file?
Dreamweaver does not work when I ran the command:

iptables-restore < webserver_config

where webserver_config is the above info I posted.

Thanks for your help.
Old 10-12-2005, 09:56 PM   #4
Red Hat reads from /etc/sysconfig/iptables when you start the iptables service, i.e.:

service iptables start

The file is not there by default since there are no iptables rules created by default.

If you load all of the iptables rules you want (i.e. run them on the command line) and export them with iptables-save, you can direct the output to /etc/sysconfig/iptables, i.e.

iptables-save > /etc/sysconfig/iptables

and when you boot (if iptables starts on boot) or when you start the iptables service, it will read from that file. Alternatively, if you put your file webserver_config in /etc/sysconfig/iptables and start iptables, it will read from the file.

If you just want to block ports 139 and 445, the "webserver_config" you have posted does more than just block those two ports. This line in particular, ":INPUT DROP [1:242]", looks like it will cause problems with connecting to your website (likely over FTP/port 21?).
Old 10-12-2005, 10:04 PM   #5
Original Poster
Yes, that definitely happens; I can no longer FTP. I want to be able to FTP, and also use secure FTP, so I appreciate the help. I took the sample file from or something like that and added 2082, 2086, 2089. So I will remove the one you referenced. Any others are appreciated on what I should remove.
Old 10-13-2005, 04:42 PM   #6
If literally all you want to do is drop incoming ports 139 and 445, you can do something like this:

# the *filter header and the COMMIT line are required by iptables-restore
*filter
:INPUT ACCEPT [3763225:3207648184]
:OUTPUT ACCEPT [3607438:859001518]
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT

This save file is all the commands you would use on the command line, i.e. you can just type "iptables -A INPUT -p tcp -m tcp --dport 139 -j DROP" and it will drop incoming packets on port 139. If you want to drop outgoing packets too, that requires just one more line. So if you want to test everything and make sure it works one line at a time, enter the commands one at a time and then use "iptables-save > /etc/sysconfig/iptables" to save what you actually use.
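An added example, not code from any post in this thread: a small Python evaluator for the iptables-save format that /etc/sysconfig/iptables uses. It parses the "*table", ":CHAIN POLICY [counters]", "-A" and "COMMIT" lines and then walks the INPUT chain for a probe packet the way the kernel does (first terminal target wins, a user-defined chain that runs out of rules returns to its caller, whatever is left hits the chain's default policy), so you can see what a file will do before running iptables-restore on a remote box. The two embedded configs are constructed samples: a cut-down version of the filter table from the first post, and the two-rule file from the reply above. The probe on tcp/50000 stands in for a passive-mode FTP data connection, which lands on an ephemeral server port; that is exactly what a DROP policy on INPUT kills while port 21 stays open. The evaluator only models -p, -s, --dport and --icmp-type, and it knows nothing about connection tracking (-m state), so a stateful ruleset has to be judged separately.

```python
"""Offline evaluator for the iptables-save format (added example; not code from the thread)."""
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
MATCH_KEYS = ("proto", "src", "dport", "icmp_type")  # the only matches modelled here
OPTS = {"-p": ("proto", str), "-s": ("src", str), "--dport": ("dport", int),
        "--icmp-type": ("icmp_type", int), "-j": ("target", str)}
SKIP = {"-m": 1, "--log-prefix": 1, "--log-level": 1, "--tcp-flags": 2}  # option -> values taken

# Constructed sample 1: the first post's filter table, cut down and given *filter / COMMIT framing.
OP_CONFIG = """\
*filter
:INPUT DROP [1:242]
:icmp_packets - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
COMMIT
"""
# Constructed sample 2: the two-rule file from the reply above, with the same framing.
MINIMAL_CONFIG = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of its matches and target."""
    tok = shlex.split(line)  # keeps the quoted --log-prefix value together
    rule, i = {"chain": tok[1], "text": line, "target": None}, 2
    while i < len(tok):
        if tok[i] in OPTS:
            key, conv = OPTS[tok[i]]
            rule[key] = conv(tok[i + 1])
            i += 2
        elif tok[i] in SKIP:
            i += 1 + SKIP[tok[i]]
        else:
            raise ValueError(f"unsupported option {tok[i]!r} in: {line}")
    return rule

def parse_save(text):
    """Return {table: {"policy": {chain: POLICY}, "rules": {chain: [rule, ...]}}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line == "COMMIT":
            cur = None
        elif cur is None:
            raise ValueError(f"line outside a *table ... COMMIT block: {line}")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":INPUT DROP [packets:bytes]"
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            cur["rules"].setdefault(rule["chain"], []).append(rule)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return tables

def matches(rule, pkt):
    """A rule matches when every criterion it specifies equals the packet's field."""
    return all(rule.get(k) is None or rule[k] == pkt.get(k) for k in MATCH_KEYS)

def verdict(table, chain, pkt):
    """First terminal target wins; a user chain that runs out returns None; a built-in chain applies its policy."""
    for rule in table["rules"].get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, "rule: " + rule["text"]
        if tgt == "RETURN":
            break
        if table["policy"].get(tgt) == "-":  # jump into a user-defined chain
            v, why = verdict(table, tgt, pkt)
            if v is not None:
                return v, why
        # LOG, a missing -j, and other non-terminal targets: carry on with the next rule
    policy = table["policy"].get(chain, "ACCEPT" if chain in BUILTIN else "-")
    return (None, "end of user chain " + chain) if policy == "-" else (policy, "default policy of " + chain)

def check(save_text, chain, pkt, table="filter"):
    return verdict(parse_save(save_text)[table], chain, pkt)  # (verdict, reason) for a built-in chain

if __name__ == "__main__":  # quick demo: FTP control vs passive FTP data against both files
    for cfg in (OP_CONFIG, MINIMAL_CONFIG):
        for pkt in ({"proto": "tcp", "dport": 21}, {"proto": "tcp", "dport": 50000}):
            print(pkt, *check(cfg, "INPUT", pkt))
```

Run it with python3. Against the cut-down web_server.config the tcp/21 probe is accepted by an explicit rule while tcp/50000 reaches "default policy of INPUT" and is dropped, which is the Dreamweaver upload failure in one line; against the two-rule file the same probe is accepted and only 139 and 445 are dropped. Feeding the script your real /etc/sysconfig/iptables (read the file in place of the constructed strings) gives the same answer for any port before you commit the file on the box.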
Old 10-16-2005, 10:37 PM   #7
No need for above

Actually, there is no need to make your firewall as insecure as above.

Go to; the dude there has set up a fairly decent firewall which does not include ports 139.

As far as the ftp is concerned, you need to run the command

insmod ip_conntrack_ftp

If you get any errors (i.e. can't find ip_conntrack_ftp), run

locate ip_conntrack_ftp

If it finds the file, that means you have it, but for some reason insmod can't install it. For this you need to go and edit iptables-config

vi /etc/sysconfig/iptables-config (your path may vary upon distro)

You will find a parameter called IPTABLES_MODULES, you need to set this to


Save and exit

(In case you don't know how to use vi that much, the command to save and exit is wq)

You then need to add this rule to your FORWARD chain


Restart iptables; you should now be able to ftp with YOUR previous settings (plus the one I just gave you) without having to risk your machine.


P.S. About vi, I put that up there because a lot of places tell you to "save and exit." For the longest time I would use the "sav" command, which, if I was outside the directory, meant I had to add the path every time. It wasn't until I got it in my head to Google for a quick way to save and exit that I came across the command wq, which Writes the file and Quits... If you knew this, cool... if not, I hope I saved you (and anyone else reading this) a whole bunch of needless typing....

