Linux - Security (LinuxQuestions.org forum): all security-related questions, tips, system compromises, firewalls, etc.
11-09-2006, 07:01 AM  #1
xpucto  (Member; Registered: Sep 2005; Location: Vienna, Austria; Distribution: Mint 13; Posts: 524)
adapting the configuration written by system-config-securitylevel
Hi!
I use FC on servers. The iptables file was made by system-config-securitylevel. The file has things like
Quote:
    -A RH-Firewall-1-INPUT...
at the beginning of each line.
I would like to write another iptables file in the form of a script file starting with "#!/bin/sh" so that I can write commands like "if" or "for" in it.
I was wondering: is it actually better to make any change through system-config-securitylevel, or should one just write his own iptables without fearing to have a less good iptables than the one made by the system? In other words: can the system make all kinds of configurations (I would like, for example, to have a file from which banned IPs will be read. For this I need a bash script in order to write an "if" or "for" command), or does it make sense not to use the system to write the iptables and to do it manually?
So my question is how I should do it, but does it make sense to do it manually?
thanks.
Last edited by xpucto; 11-09-2006 at 07:02 AM.
11-10-2006, 07:53 AM  #2
macemoneta  (Senior Member; Registered: Jan 2005; Location: Manalapan, NJ; Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android; Posts: 4,593)
The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.
11-10-2006, 09:33 AM  #3
xpucto, Original Poster  (Member; Registered: Sep 2005; Location: Vienna, Austria; Distribution: Mint 13; Posts: 524)
Quote:
    Originally Posted by macemoneta
    The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.
Thanks for your answer!
If I have this configuration (from the system):
Quote:
    Chain INPUT (policy ACCEPT)
    target               prot opt source      destination
    RH-Firewall-1-INPUT  all  --  anywhere    anywhere

    Chain FORWARD (policy ACCEPT)
    target               prot opt source      destination
    RH-Firewall-1-INPUT  all  --  anywhere    anywhere

    Chain OUTPUT (policy ACCEPT)
    target               prot opt source      destination

    Chain RH-Firewall-1-INPUT (2 references)
    target  prot opt source      destination
    ACCEPT  all  --  anywhere    anywhere
    ACCEPT  all  --  anywhere    anywhere    state RELATED,ESTABLISHED
    REJECT  all  --  anywhere    anywhere    reject-with icmp-host-prohibited
I could base my new iptables on this file, only removing the "RH-Firewall-1-" parts and adding what I need to add.
So the base of my new iptables could look like this:
Quote:
    #!/bin/sh
    set -e
    iptables="/sbin/iptables"
    modprobe="/sbin/modprobe"

    echo "Flushing rules..."
    $iptables -F
    echo "Rules flushed."

    echo "Loading kernel modules..."
    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe iptable_filter
    $modprobe ipt_state
    echo "Kernel modules loaded."

    echo "Loading rules..."
    # Default policies, as in the listing above
    $iptables -P INPUT ACCEPT
    $iptables -P FORWARD ACCEPT
    $iptables -P OUTPUT ACCEPT

    # The RH-Firewall-1-INPUT rules, written directly into INPUT.
    # The listing came from "iptables -L" without -v, which hides interface
    # matches; the first "ACCEPT all -- anywhere anywhere" is assumed to be the
    # loopback rule (check with "iptables-save" before relying on this).
    $iptables -A INPUT -i lo -j ACCEPT
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

    # FORWARD also jumped to RH-Firewall-1-INPUT, so it gets the same treatment
    $iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    echo "Rules loaded."
this should give me the same thing as the original system's configuration, am I right?
11-10-2006, 10:12 AM  #4
macemoneta  (Senior Member; Registered: Jan 2005; Location: Manalapan, NJ; Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android; Posts: 4,593)
Yup, that should be a usable base.
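As an added example (not from the thread and not xpucto's or macemoneta's code), here is the kind of hand-written script the first post asks for: the same flush/policy/loopback/state/reject skeleton as the base above, plus a loop that reads banned addresses from a file. The security point is the validation step: every line of that file ends up as an argument to iptables, so the script refuses anything that is not an IPv4 address or address/prefix instead of passing it through. The file path /etc/firewall/banned.txt, the FIREWALL_APPLY switch and all function names are assumptions; the sample entries used when testing it are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: a hand-written firewall script in the
# spirit of the base above, extended to read banned addresses from a file.
# Assumed: the file path below, the FIREWALL_APPLY switch and all function names.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"                   # override (e.g. IPTABLES=echo) for a dry run
BANNED_FILE="${BANNED_FILE:-/etc/firewall/banned.txt}"   # assumed location, one entry per line

# Return 0 if $1 is an IPv4 address or IPv4/prefix (e.g. 198.51.100.7 or 203.0.113.0/24).
# Each accepted value is later placed inside an iptables command, so anything
# that is not an address must be rejected here.
is_ipv4_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then prefix=32; else prefix=${1#*/}; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                  # split on dots; word splitting is intended here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid entries of a banned-IP file, one per line.
# Blank lines and "#" comments are ignored; invalid lines are reported on stderr and skipped.
read_banned() {
    while read -r entry _rest || [ -n "$entry" ]; do
        entry=${entry%%#*}
        [ -n "$entry" ] || continue
        if is_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'warning: skipping invalid entry "%s" in %s\n' "$entry" "$1" >&2
        fi
    done < "$1"
}

# Print the iptables rule arguments generated from a banned-IP file, one rule per line.
ban_rules() {
    read_banned "$1" | while IFS= read -r ip; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
}

# Run every generated rule through $IPTABLES.
apply_bans() {
    ban_rules "$1" | while IFS= read -r rule; do
        $IPTABLES $rule           # word splitting of $rule is intended
    done
}

main() {
    echo "Flushing rules..."
    $IPTABLES -F
    echo "Loading rules..."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Bans come before the RELATED,ESTABLISHED rule so that a host added to the
    # file loses its existing connections too, not only new ones.
    apply_bans "$BANNED_FILE"
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
    echo "Rules loaded."
}

# Only touch the live firewall when explicitly asked (FIREWALL_APPLY=1 ./firewall.sh),
# so the functions can also be sourced or exercised without root.
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    main
fi
```

Running it with IPTABLES=echo FIREWALL_APPLY=1 prints the commands instead of applying them, which is a cheap way to review the generated rules before they reach the live firewall.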