LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-09-2006, 07:01 AM   #1
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Rep: Reputation: 31
adapting the configuration written by system-config-securitylevel


Hi!

I use FC on servers. the iptabels was made by the system-config-securitylevel. The file has things like
Quote:
-A RH-Firewall-1-INPUT...
at the biginning of each line.
I would like to write another iptables-file in form of a script file startinf with "#!/bin/sh" so that I can write command like "if" or "for" in it.
I was wondering: is actually better to make any change through the system-config-securitylevel or should one just write his own iptables without fearing to have a less good iptables than the one made by the system? In other words: can the system make all kind of konfigurations (I would like for example to have a file from which banned IPs will be read. For this I need a bash script in order to write an "if" or "for" command), or does it make sense not to use the system to write the iptables and to do it manually?
So my question is how should I do it, but does it make sense to do it manually?


thanks.

Last edited by xpucto; 11-09-2006 at 07:02 AM.
 
Old 11-10-2006, 07:53 AM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344Reputation: 344Reputation: 344Reputation: 344
The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.
 
Old 11-10-2006, 09:33 AM   #3
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by macemoneta
The system-config-securitylevel tool builds very basic/trivial firewall configurations. I personally never use it, and build manually. The only thing you need to keep in mind is not to use system-config-securitylevel on the firewall (SELinux part is independent; should really be a separate tool), or it will trash your manually created configuration.
Thanks for your answer!
If I have this configuration (from the system):
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I could based my new iptables on this file, only removing the "RH-Firewall-1-" parts and adding what I need to add.
So the base of my new iptables could looke like this:
Quote:
#!/bin/sh
set -e

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"

echo "Flushing rules..."
$iptables -F
echo "Rules flushed."

echo "Loading kernel modules..."
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe iptable_filter
$modprobe ipt_state
echo "Kernel modules loaded."

echo "Loading rules..."

$iptables -P INPUT ACCEPT
$iptables -A INPUT all -- anywhere anywhere

$iptables -A ACCEPT all -- anywhere anywhere
$iptables -A ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
$iptables -A REJECT all -- anywhere anywhere reject-with icmp-host-prohibite

$iptables -P FORWARD ACCEPT
$iptables -A INPUT all -- anywhere anywhere

$iptables -P OUTPUT ACCEPT
this should give me the same thing as the original system's configuration, am I right?
 
Old 11-10-2006, 10:12 AM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 344Reputation: 344Reputation: 344Reputation: 344
Yup, that should be a usable base.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
system-config-securitylevel no longer allows me to add ports to allow. KTheorem Linux - Security 4 08-29-2006 11:56 PM
system-config-securitylevel won't run cdf22728 Linux - Security 2 07-21-2006 12:43 PM
How to enable Active FTP in system-config-securitylevel phil81uk Linux - Newbie 5 12-12-2005 03:39 AM
system-config-securitylevel mnauta Fedora 2 11-20-2004 04:45 PM
Set up dcc and timeserver with system-config-securitylevel fedetxf Fedora 0 08-17-2004 07:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration