JockVSJock 07-08-2015 07:30 AM

Don't want to rely on RH-Firewall-1-INPUT in IPTables, how do I Modify?
 
I've noticed that a lot of folks here don't want to rely on the IPTable Rules for RH-Firewall-1-INPUT. On a fresh RHEL Server that I've deployed, I've selected a number of rules during the install phase and noticed that they all ended up under

Code:

Chain RH-Firewall-1-INPUT (2 references)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
3    ACCEPT    esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT    ah  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT    udp  --  0.0.0.0/0            224.0.0.251        udp dpt:5353
6    ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:631
7    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:631
8    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
9    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
10  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:1158
11  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:1521
12  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443
13  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
14  REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
(END)

I've also noticed that there is a rule under the Chain INPUT along with Chain FORWARD

Code:

Chain INPUT (policy ACCEPT)

5    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Code:

Chain FORWARD (policy ACCEPT)

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

My thinking is this: I don't want to rely on the RH-Firewall-1-INPUT rule either, so in order to fix this, I would have to do the following:

-Add all of the rules that were under RH-Firewall-1-INPUT into the Chain INPUT

Code:

Chain RH-Firewall-1-INPUT (2 references)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
3    ACCEPT    esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT    ah  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT    udp  --  0.0.0.0/0            224.0.0.251        udp dpt:5353
6    ACCEPT    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:631
7    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:631
8    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
9    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
10  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:1158
11  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:1521
12  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443
13  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
14  REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

-Remove the following Chain FORWARD

Code:

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Is this thinking correct?

MensaWater 07-08-2015 09:32 AM

I believe you'd need the forward to go to your new INPUT now.

Why not just edit your iptables file to replace all RH-Firewall-1-INPUT references with just INPUT?

The iptables file is in /etc/sysconfig.

Make sure you run "service iptables restart" to make the new rules apply.

By the way, RHEL6 uses INPUT rather than RH-Firewall-1-INPUT. Are you doing a fresh install on RHEL5 or earlier? You really should NOT be using RHEL5, as it will be going end of support within a year or so. RHEL7 has been out for more than a year and RHEL8 is probably coming in the not too distant future. Ideally you'd move to RHEL7 if possible, but at least to RHEL6. (RHEL6 is still based on a 2.6.x kernel; RHEL7 is using a 3.x kernel.)
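MensaWater's suggestion worked through as an added example, not code from either poster: a POSIX shell function that rewrites a file in the `iptables-save` format used by /etc/sysconfig/iptables so the custom chain is folded into INPUT. The sample file is constructed to resemble a RHEL5 default, not the poster's real one; and because a built-in chain such as INPUT cannot itself be a jump target, the FORWARD jump is replaced by a DROP policy, which assumes the host is not routing traffic.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, shaped like the RHEL5 default
# /etc/sysconfig/iptables the thread describes (not the poster's actual file).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Fold the RH-Firewall-1-INPUT chain into INPUT:
#  1. drop the chain declaration and the two jump rules;
#  2. rewrite every "-A RH-Firewall-1-INPUT" rule as "-A INPUT", keeping order,
#     so the final REJECT still sits last;
#  3. FORWARD can no longer jump to the chain (and a built-in chain such as
#     INPUT cannot be a jump target), so give FORWARD a DROP policy. This is
#     stricter than the old REJECT-all-else and assumes the box is not a router.
fold_rh_chain() {
    sed -e '/^:RH-Firewall-1-INPUT /d' \
        -e '/^-A INPUT -j RH-Firewall-1-INPUT$/d' \
        -e '/^-A FORWARD -j RH-Firewall-1-INPUT$/d' \
        -e 's/^-A RH-Firewall-1-INPUT /-A INPUT /' \
        -e 's/^:FORWARD ACCEPT /:FORWARD DROP /'
}

# Sanity check on the converted text: no reference to the old chain may survive.
check_folded() {
    ! grep -q 'RH-Firewall-1-INPUT'
}

CONVERTED=$(printf '%s\n' "$SAMPLE" | fold_rh_chain)
printf '%s\n' "$CONVERTED"
```

Back up the original before writing the converted text to /etc/sysconfig/iptables, then apply it with `service iptables restart` as the reply says; on iptables versions that support it, `iptables-restore --test` checks the file first.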

JockVSJock 07-08-2015 10:52 AM

Quote:

Originally Posted by MensaWater (Post 5388820)

Why not just edit your iptables file to replace all RH-Firewall-1-INPUT references with just INPUT?

Right that is my goal here, I want to eliminate the RH-Firewall-1-INPUT and just use INPUT. I'm not sure how.


Quote:

Originally Posted by MensaWater (Post 5388820)
By the way RHEL6 uses INPUT rather than RH-Firewall-1-INPUT.

I was aware of this from the various postings on this forum.

Quote:

Originally Posted by MensaWater (Post 5388820)
Are you doing a fresh install on RHEL5 or earlier? You really should NOT be using RHEL5, as it will be going end of support within a year or so. RHEL7 has been out for more than a year and RHEL8 is probably coming in the not too distant future. Ideally you'd move to RHEL7 if possible, but at least to RHEL6. (RHEL6 is still based on a 2.6.x kernel; RHEL7 is using a 3.x kernel.)

I understand this, however my boss wants to stick with the solid and tested OS and wants to hold on till the bitter end. Kind of like Windows XP Users...