Just started doing this myself on a new box (translation: I'm a newbie to iptables).
During my RedHat install it prompted me for "firewall" and also additional ports to enable. Among other things I enabled ssh, 53 and 953 (for DNS, as this will be a DNS server). The resulting iptables (seen with iptables -L) after the install completed:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rndc
ACCEPT udp -- anywhere anywhere state NEW udp dpt:rndc
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
^^^END OF IPTABLES -L OUTPUT^^^
The /etc/sysconfig/iptables file contained:
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 953 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Essentially the lines seen in the latter are the commands given to iptables to create the rules seen in the former (this file is acted on by /etc/init.d/iptables start during a reboot to re-enable the rules).
Later I realized I needed to open up port 1053, so I did the following:
First I deleted the final reject rule:
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Added new rules for port 1053:
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 1053 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 1053 -j ACCEPT
Re-added the final reject rule:
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Note: This only adds the rule to the running session. You can save this by running iptables-save >/etc/sysconfig/iptables. You should then run /etc/init.d/iptables stop then start so it rereads the new iptables file.
(You could just edit the iptables file and do the stop/start, but there is a note in the file saying this isn't recommended.)
Use iptables -L afterwards to see the running setup and verify it contains the new rule.
You can then run iptables-save >iptables-save.out to save a file like /etc/sysconfig/iptables which you'll want so that /etc/init.d/iptables can reload them on boot. I overwrote my /etc/sysconfig/iptables by doing iptables-save >/etc/sysconfig/iptables. (Of course I saved a copy of /etc/sysconfig/iptables first so I could back out if necessary.)
You basically just need to run the accept lines above for the ports you want. Also you can specify them by name (see /etc/services) instead of number. The list of rules above gives you a fair indication of locking down most ports. You can of course leave out any of the ones I enabled if you don't want them. I'd suggest you do enable ssh and use it rather than telnet (also use scp/sftp for file transfers rather than ftp).
As noted, the above is for my RedHat AS 3 installation. If you're on a different distro your iptables config file may be in a different location than /etc/sysconfig. /etc/init.d/iptables should give you a clue as to where it is.
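The reason the post deletes the final REJECT before appending and then re-adds it is that iptables evaluates a chain top to bottom, so an ACCEPT appended after the catch-all REJECT is never reached. The Python below is an added illustration (not part of the post, and not RedHat's tooling) of the same idea applied to the saved file: it places a new ACCEPT line just above the chain's catch-all REJECT/DROP and then checks that a given port is actually reachable before that line. The sample ruleset is constructed after the /etc/sysconfig/iptables shown above, and the function names (open_port_rule, insert_before_reject, port_is_reachable) are mine.

```python
"""Keep a new ACCEPT rule ahead of a chain's catch-all REJECT in an
iptables-save style file, and verify the ordering afterwards.
Added example: the sample file is constructed after the post's
/etc/sysconfig/iptables, and all function names are assumptions of mine."""
import re

CHAIN = "RH-Firewall-1-INPUT"

# Constructed sample in iptables-save format (trimmed copy of the post's file).
SAMPLE_RULES = """\
# Firewall configuration written by redhat-config-securitylevel
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# "-p tcp ... --dport 22": protocol and destination port of a port-specific rule
_PORT_RULE = re.compile(r"-p (tcp|udp)\b.*--dport (\S+)")
# Terminal targets: once one matches, nothing later in the chain is evaluated
_TERMINAL = re.compile(r"-j (REJECT|DROP)\b")


def open_port_rule(chain, proto, port):
    """Build the save-file line for 'accept NEW connections to proto/port'."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return (f"-A {chain} -m state --state NEW -m {proto} -p {proto} "
            f"--dport {port} -j ACCEPT")


def insert_before_reject(text, chain, new_rule):
    """Return text with new_rule placed directly above the chain's last
    catch-all REJECT/DROP, which is what the post's delete / append /
    re-add sequence achieves on the live ruleset.  Refuses to guess if the
    chain has no such terminal rule."""
    lines = text.splitlines()
    terminal = [i for i, line in enumerate(lines)
                if line.startswith(f"-A {chain} ")
                and _TERMINAL.search(line) and not _PORT_RULE.search(line)]
    if not terminal:
        raise ValueError(f"no catch-all REJECT/DROP rule in chain {chain}")
    lines.insert(terminal[-1], new_rule)
    return "\n".join(lines) + "\n"


def port_is_reachable(text, chain, proto, port):
    """True if an ACCEPT for proto/port is evaluated before the chain's
    catch-all REJECT/DROP.  A rule appended after that line (what a plain
    'iptables -A' without the delete step would do) is dead and reports
    False.  Ports are compared as written, so a name from /etc/services
    does not match its number."""
    for line in text.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        m = _PORT_RULE.search(line)
        if m is None:
            if _TERMINAL.search(line):
                return False     # catch-all REJECT/DROP reached first
            continue             # lo / ESTABLISHED rules: not port-specific
        if " -j ACCEPT" in line and (m.group(1), m.group(2)) == (proto, str(port)):
            return True
    return False


if __name__ == "__main__":
    rules = SAMPLE_RULES
    for proto in ("tcp", "udp"):
        rules = insert_before_reject(rules, CHAIN, open_port_rule(CHAIN, proto, 1053))
    print(rules)                 # this is what iptables-restore would read
    print("tcp/1053 reachable:", port_is_reachable(rules, CHAIN, "tcp", 1053))
```

Run it as a script to see the edited ruleset; in practice you would write the result to a copy of /etc/sysconfig/iptables (keeping the original, as the post suggests) and restart the iptables service, then confirm with iptables -L that the new ACCEPT sits above the REJECT line.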