[Techtalk] iptables query - fairly urgent!
David Sumbler
david at aeolia.co.uk
Tue Sep 28 00:29:18 EST 2004
I've been reading the iptables HOWTO, and I think, at last, I'm
getting to understand how iptables works.
Naturally I have been looking at the firewall setup on my Fedora Core
1 system.
'ls /etc/sysconfig/iptables' shows:
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
However, 'iptables -L' shows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- clock3.redhat.com anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- clock1.redhat.com anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- clock2.redhat.com anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- clock1.redhat.com anywhere udp spt:ntp dpt:ntp
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5901
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:5801
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
The additional rules for clock?.redhat.com are inserted during boot,
and are OK (although there seems to be a superfluous line).
But rule 5 in the RH-Firewall-1-INPUT chain seems to me to be as
dangerous as it could be, and is an apparent misinterpretation of the
rule
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
shown in /etc/sysconfig/iptables. I would be happy with this rule.
Have I misunderstood something, or is my firewall really currently as
good as useless set up like this?
David
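An added example, not part of the post or of Red Hat's tooling: plain 'iptables -L' prints no in/out interface columns unless '-v' is given, so a rule that only matches '-i lo' is listed as "ACCEPT all -- anywhere anywhere" even though it is restricted. The script below audits the iptables-save format that /etc/sysconfig/iptables uses (where the interface is visible) and reports only ACCEPT rules that carry no match at all; the embedded ruleset is constructed from the post, with one deliberately unrestricted rule added so the check has something to find.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset for ACCEPT rules with no match options.
# Rule lines look like:  -A CHAIN [match options...] -j TARGET
# A rule is unrestricted only when nothing sits between CHAIN and -j ACCEPT.

# Constructed sample: the post's rules, plus one unrestricted ACCEPT (line 9)
# that the real file does NOT contain. Reads from stdin in the functions below.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print one line per ACCEPT rule: the chain and the match options that
# restrict it, or UNRESTRICTED when there are none (the -i lo rule is
# reported as restricted, because the interface match is visible here).
audit_accepts() {
    awk '
        /^-A / && $(NF-1) == "-j" && $NF == "ACCEPT" {
            matches = ""
            for (i = 3; i <= NF - 2; i++)
                matches = matches (matches == "" ? "" : " ") $i
            if (matches == "")
                print "UNRESTRICTED " $2 ": " $0
            else
                print "restricted " $2 ": " matches
        }'
}

# Print only the raw rule lines that accept everything unconditionally.
unrestricted_accepts() {
    awk '/^-A / && NF == 4 && $3 == "-j" && $4 == "ACCEPT"'
}

# Usage on the constructed sample; on a live system feed it
# `iptables-save` output instead.
printf '%s\n' "$SAMPLE_RULES" | audit_accepts
printf '%s\n' "$SAMPLE_RULES" | unrestricted_accepts
```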