LinuxQuestions.org
Old 04-26-2006, 10:35 AM   #1
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Rep: Reputation: 15
Iptables, RH-Firewall and ssh.


Guys,

I'm trying to create an initial script for a firewall. I've been looking at the default configuration for FC4 on my laptop and saw this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

I have a couple of questions. What is RH-Firewall? Sorry if it's a newbie question but I couldn't find a definition on the net. Also, if I have a mostly closed firewall, how can you only allow ssh? I've found one method that works but it's a bit long winded:

iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 1024:65535 -j ACCEPT

(adapted from another script)

Is there any way I can get it to do that similarly to the RH-Firewall method?

Cheers

Rookie.
 
Old 04-27-2006, 08:22 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What is RH-Firewall?
It's a "user-defined" chain used by Redhat's firewall. The default INPUT and I believe OUTPUT chains are dumped into the RH-FIREWALL chain where the various filtering rules are found.

Also, if I have a mostly closed firewall, how can you only allow ssh? I've found one method that works but it's a bit long winded:
iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 1024:65535 -j ACCEPT


I'm not a big fan of trying to do it that way. I like to take advantage of the state tracking capability of iptables and use a rule that allows packets that are ESTABLISHED,RELATED which will allow all the reply traffic without having to blindly allow huge portions of the ephemeral port range (1024:65535). To keep the firewall strict, you only allow packets that match the NEW state for only the ports that you want (like ssh). With the firewall configured in that way, you will be allowing *all* reply traffic, but you can only reply to something that makes it through the rules allowing NEW connections. To tighten even further, you can use the ESTABLISHED,RELATED match on a port by port basis like:
iptables -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

instead of just using:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT