Iptables
Logging packets
The default ruleset installed on Red Hat and its variants ends in a line like this:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
That is good, but it leaves no record of what is being rejected. To log the rejected packets, add this line just above it:
-A RH-Firewall-1-INPUT -j LOG --log-prefix "REJECT-packet "
Now the rejected packets will be logged to /var/log/messages, each kernel log line carrying the "REJECT-packet " prefix.
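Once the LOG rule is in place, the useful part is reading what it produces. The following shell script is an added example, not part of the original page: it summarises "REJECT-packet" lines by source address, protocol and destination port, so that a scan or a misconfigured client stands out. The log lines it runs over are constructed samples in the format the kernel LOG target writes to /var/log/messages, using documentation addresses; nothing here is real traffic.

```shell
#!/bin/sh
# Summarise packets logged by the "-j LOG --log-prefix 'REJECT-packet '" rule.
# Reads kernel log lines on stdin (as written to /var/log/messages) and prints
# one line per "SRC PROTO DPT" combination with a count, most frequent first.
summarize_rejects() {
    grep 'REJECT-packet' |
    awk '{
        src = ""; proto = ""; dpt = "-"      # ICMP has no DPT, hence "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Constructed sample log lines (not real traffic). The sshd line is there to
# show that unrelated messages in the same file are ignored.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: REJECT-packet IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: REJECT-packet IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: REJECT-packet IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3 PROTO=UDP SPT=5000 DPT=161 LEN=24
Jan 10 12:00:04 host sshd[1234]: Accepted publickey for alice from 10.1.2.3 port 50000 ssh2
Jan 10 12:00:05 host kernel: REJECT-packet IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=99 SEQ=1'

# Convenience wrappers over the constructed sample.
sample_summary() { printf '%s\n' "$SAMPLE_LOG" | summarize_rejects; }
top_reject()     { sample_summary | head -n 1; }
reject_entries() { sample_summary | grep -c ''; }

sample_summary
```

On a live system run `summarize_rejects < /var/log/messages`; on the sample above the first line is "2 192.0.2.10 TCP 23", which is the kind of repeated hit that tells you whether the catch-all REJECT is blocking something legitimate or just noise.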
Default deny
The default firewall iptables ruleset (found in /etc/sysconfig/iptables) contains this last line:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
This is good security practice, but it tends to break things. Another line that appears above it has a useful consequence: it lets iptables track connection state and accept inbound replies to established sessions, including UDP traffic (normally a stateless protocol).
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Some more examples
Permit SNMP queries from a monitoring server w.x.y.z
-A RH-Firewall-1-INPUT -p udp -m udp --source w.x.y.z/32 --dport 161 -j ACCEPT
Permit NTP traffic from our NTP server w.x.y.z
-A RH-Firewall-1-INPUT -p udp -m udp --source w.x.y.z/32 --dport 123 -j ACCEPT
Permit ping and other ICMP traffic
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
Permit new TCP connections to our SSH daemon (port 22) from the 10.0.0.0/8 subnet
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 10.0.0.0/8 --dport 22 -j ACCEPT
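The rules above only work if they are in the right order: the ESTABLISHED,RELATED and service rules before the LOG, and the LOG immediately before the catch-all REJECT, which must be the last rule in the chain. The script below is an added example, not Red Hat's file or code from the original page: it assembles a complete ruleset in the iptables-restore format used by /etc/sysconfig/iptables, modelled on the Red Hat chain layout, and then checks that ordering before the file is loaded. MONITOR_HOST and NTP_HOST are assumed placeholders standing in for the w.x.y.z of the examples, and the "-m limit" on the LOG rule is an addition the page does not make: without it a flood of rejected packets becomes a flood of log lines.

```shell
#!/bin/sh
# Assumed placeholder addresses (documentation range), overridable from the environment.
MONITOR_HOST="${MONITOR_HOST:-192.0.2.10}"   # assumed SNMP poller
NTP_HOST="${NTP_HOST:-192.0.2.20}"           # assumed NTP server

# emit_ruleset: print a complete ruleset in iptables-restore format, following
# the RH-Firewall-1-INPUT layout. Order matters: state and service rules first,
# then a rate-limited LOG, then the catch-all REJECT as the very last rule.
emit_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --source ${MONITOR_HOST}/32 --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --source ${NTP_HOST}/32 --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 10.0.0.0/8 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "REJECT-packet "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_order: read a ruleset on stdin and verify the invariants the catch-all
# depends on. Prints OK (exit 0) or a FAIL reason (exit 1); a LOG rule without
# a rate limit gets a WARN line before the OK.
check_order() {
    awk '
        /^-A RH-Firewall-1-INPUT/ { n++; rule[n] = $0 }
        END {
            if (n == 0)                  { print "FAIL: no rules in chain"; exit 1 }
            if (rule[n] !~ /-j REJECT/)  { print "FAIL: last rule is not REJECT"; exit 1 }
            if (rule[n-1] !~ /-j LOG/)   { print "FAIL: REJECT is not preceded by LOG"; exit 1 }
            if (rule[n-1] !~ /-m limit/) { print "WARN: LOG rule has no rate limit" }
            print "OK"
        }'
}

# Gate loading on the check; iptables-restore itself is only reached when
# the ordering is right (commented out so the script is safe to run anywhere).
if emit_ruleset | check_order; then
    : # emit_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
fi
```

The same check can be run against an existing file with `check_order < /etc/sysconfig/iptables`, which catches the common mistake of appending a new ACCEPT rule after the REJECT, where it can never match.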