Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Based on what you've posted, it looks like you're using a mangled iptables script (it looks like a part of a custom script combined with the fedora default). That script doesn't look like it would work. Please post the output of "iptables -vnL" so that we can be sure of what is going on. If you're having problems during boot, then you may need to start in single user mode and then modify the firewall rules. You can also shut off the firewall using "service iptables stop" which should make it more useable.
Hi, sorry for late reply. Here is the output of iptables -vnL. FYI, if i boot using single user mode which I add a "single" to the end of bootup script for the kernel statement it will boot into command prompt only. So the service iptables stop won't help here. Can chkconfig help ?
chain INPUT (policy Accept 2 packets, 64 bytes)
pkts byte target prot opt in out source destination
chain forward (policy Accept 0 packets, 0 bytes)
pkts byte target prot opt in out source destination
chain Output (policy accept 2 packets, 64 bytes)
pkts byte target prot opt in out source destination
Regards
Daniel
Quote:
Originally posted by Capt_Caveman Based on what you've posted, it looks like you're using a mangled iptables script (it looks like a part of a custom script combined with the fedora default). That script doesn't look like it would work. Please post the output of "iptables -vnL" so that we can be sure of what is going on. If you're having problems during boot, then you may need to start in single user mode and then modify the firewall rules. You can also shut off the firewall using "service iptables stop" which should make it more useable.
Hi, have you talk a look at my iptables ? I can login linux finally after i disable iptables startup. Thanks
Regards
Daniel
Quote:
Originally posted by Capt_Caveman Based on what you've posted, it looks like you're using a mangled iptables script (it looks like a part of a custom script combined with the fedora default). That script doesn't look like it would work. Please post the output of "iptables -vnL" so that we can be sure of what is going on. If you're having problems during boot, then you may need to start in single user mode and then modify the firewall rules. You can also shut off the firewall using "service iptables stop" which should make it more useable.
To be honest, I'm not sure what script or rules you're using. The firewall you posted here is total garbage and won't work. Packets on the INPUT chain are never handed to the RH-firewall-1-input chain and your default INPUT policy is DROP, so even traffic on lo is dropped which is why the system is acting bizarre. You need to read the directions I've given you and follow them exactly. You're making signifiicant modifications to critical portions of your system, so you need to very carefull and pay attention to detail when doing this.
Start by replacing the /etc/sysconfig/iptables file with the backup version (you did make the backup right?)
Then restart iptables with 'service iptables start' (the system should function normally again)
Then follow the directions that have been posted in the thread.
Hi, I did add some of the rules you gave and also modify some. The reason I drop the default input chain is that whatever packets not comply to the input chain will be dropped. Is there any flow/structure that I should follow in designing iptables ?
Rgds
Daniel
Quote:
Originally posted by Capt_Caveman To be honest, I'm not sure what script or rules you're using. The firewall you posted here is total garbage and won't work. Packets on the INPUT chain are never handed to the RH-firewall-1-input chain and your default INPUT policy is DROP, so even traffic on lo is dropped which is why the system is acting bizarre. You need to read the directions I've given you and follow them exactly. You're making signifiicant modifications to critical portions of your system, so you need to very carefull and pay attention to detail when doing this.
Start by replacing the /etc/sysconfig/iptables file with the backup version (you did make the backup right?)
Then restart iptables with 'service iptables start' (the system should function normally again)
Then follow the directions that have been posted in the thread.
The reason I drop the default input chain is that whatever packets not comply to the input chain will be dropped.
Setting the default policy to drop is fine, however you don't have any rules in the INPUT chain that accept any traffic. All of the rules that accept packets are part of the RH-firewall-1-input chain and you never connect INPUT and RH-firewall-1-input together. So the RH-firewall-1-input chain does nothing because it never sees any packets and as a result, your firewall will never accept any incoming packets at all.
You can't just mix and match sets of iptables rules like that. There is a definite order to the flow of iptables and I would strongly suggest that you use a set of rules that have been designed by someone who understands iptables or at the very least use one of their rulesets as a guide until you understand it better. If you'd like to read up on iptables here are some HOWTOs that might help:
I thought that RH-firewall-1-input chain is similar to INPUT. What is the different ? I saw most of the article doesn't have RH-firewall-1-input chain. Correct me if i'm wrong. Is it ok to use the rules set by you earlier as guide ?
Rgds
Daniel
Quote:
Originally posted by Capt_Caveman The reason I drop the default input chain is that whatever packets not comply to the input chain will be dropped.
Setting the default policy to drop is fine, however you don't have any rules in the INPUT chain that accept any traffic. All of the rules that accept packets are part of the RH-firewall-1-input chain and you never connect INPUT and RH-firewall-1-input together. So the RH-firewall-1-input chain does nothing because it never sees any packets and as a result, your firewall will never accept any incoming packets at all.
You can't just mix and match sets of iptables rules like that. There is a definite order to the flow of iptables and I would strongly suggest that you use a set of rules that have been designed by someone who understands iptables or at the very least use one of their rulesets as a guide until you understand it better. If you'd like to read up on iptables here are some HOWTOs that might help:
I thought that RH-firewall-1-input chain is similar to INPUT. What is the different ?
It's designed to handled incoming traffic like the INPUT chain. However it is a custom "user-defined chain" and not one of the standard built-in chains (like INPUT. FORWARD, OUTPUT). For the RH-firewall-1-input chain to function properly, you need to pass packets from the input chain onto RH-firewall-1-input. You do that by using RH-firewall-1-input as a target in the INPUT chain, like this:
Code:
iptables -A INPUT -j RH-firewall-1-input
By doing that, the packets will be handed from the INPUT chain to RH-firewall-1-input. Otherwise the packets will only go through the INPUT chain and never through RH-firewall-1-input. If you look at your 2nd post in this thread, you can see that the original firewall you were using actually did that:
Quote:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2049 1998K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0. 0.0.0/0
I saw most of the article doesn't have RH-firewall-1-input chain.
The RH-firewall-1-input chain is only used by Redhat and other distros that are based off Redhat/Fedora.
Is it ok to use the rules set by you earlier as guide?
Yes, but I would use the whole thing until you understand iptables better.
Hi, what do you mean by based off Redhat/Fedora ? So if i cut and paste is it ok ?
Regards
Daniel
Quote:
Originally posted by Capt_Caveman I thought that RH-firewall-1-input chain is similar to INPUT. What is the different ?
It's designed to handled incoming traffic like the INPUT chain. However it is a custom "user-defined chain" and not one of the standard built-in chains (like INPUT. FORWARD, OUTPUT). For the RH-firewall-1-input chain to function properly, you need to pass packets from the input chain onto RH-firewall-1-input. You do that by using RH-firewall-1-input as a target in the INPUT chain, like this:
Code:
iptables -A INPUT -j RH-firewall-1-input
By doing that, the packets will be handed from the INPUT chain to RH-firewall-1-input. Otherwise the packets will only go through the INPUT chain and never through RH-firewall-1-input. If you look at your 2nd post in this thread, you can see that the original firewall you were using actually did that:
I saw most of the article doesn't have RH-firewall-1-input chain.
The RH-firewall-1-input chain is only used by Redhat and other distros that are based off Redhat/Fedora.
Is it ok to use the rules set by you earlier as guide?
Yes, but I would use the whole thing until you understand iptables better.
Hi, what do you mean by based off Redhat/Fedora?
A number of distros are built using Redhat as a core and make various modifications. CentOS and Whitebox are examples of distros that are basically clones of Redhat versions.
So if i cut and paste is it ok ?
Yes. In fact that's probably the best way.
If i cut and paste your sample, then what about the user defined custom REDHAT input chain ?
Regards
Daniel
Quote:
Originally posted by Capt_Caveman Hi, what do you mean by based off Redhat/Fedora?
A number of distros are built using Redhat as a core and make various modifications. CentOS and Whitebox are examples of distros that are basically clones of Redhat versions.
So if i cut and paste is it ok ?
Yes. In fact that's probably the best way.
Those will need to be deleted. If you follow the directions I posted here then it will do that for you. I would recommend that you do not edit the /etc/sysconfig/iptables file directly.
Hi, I do not understand how that previous discussion would delete those user defined chain and why not directly modify the iptables. That discusion only describe how to make backup and execute it. A bit confused on why need to be deleted now. Please explain ? Thanks
Regards
Daniel
Quote:
Originally posted by Capt_Caveman Those will need to be deleted. If you follow the directions I posted here then it will do that for you. I would recommend that you do not edit the /etc/sysconfig/iptables file directly.
See the man page for iptables (man iptables). Specifically the -X option.
The /etc/sysconfig/iptables file is sensitive to formating, so you should really only use the command 'iptables-save > /etc/sysconfig/iptables' to save rules to that file. The command 'service iptables save' just does the same thing. Directly editing it can cause problems that are hard to troubleshoot. For example, not having carrriage returns at proper parts of the file can cause the rules to fail to load even though the rules technically look correct.
Firstly, do you mean using -X option for iptables can automatically deleted those user defined chains ? So in order not to direct editing it, I have to create a backup file ,edit it and make it executable and try loading it to ensure it is ok , right ? If it is ok, then I iptables-save > /etc/sysconfig/iptables and load at bootup ?
Regards
Daniel
Quote:
Originally posted by Capt_Caveman See the man page for iptables (man iptables). Specifically the -X option.
The /etc/sysconfig/iptables file is sensitive to formating, so you should really only use the command 'iptables-save > /etc/sysconfig/iptables' to save rules to that file. The command 'service iptables save' just does the same thing. Directly editing it can cause problems that are hard to troubleshoot. For example, not having carrriage returns at proper parts of the file can cause the rules to fail to load even though the rules technically look correct.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.