I left out the RTP for voip. Here is my updated iptables-save:

*mangle
:PREROUTING ACCEPT [343:37719]
:INPUT ACCEPT [238:19550]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
:POSTROUTING ACCEPT [157:14766]
COMMIT
# Completed on Fri Jun 1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 11:12:17 2018
*nat
:PREROUTING ACCEPT [114:20124]
:INPUT ACCEPT [7:670]
:OUTPUT ACCEPT [13:1422]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun 1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 11:12:17 2018
*filter
:INPUT DROP [2:1285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myvoipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun 1 11:12:17 2018

Thanks again.

On Friday, June 1, 2018, 11:05:10 AM EDT, Steve Frazier <sfrazier1111@xxxxxxxxx> wrote:

Thank you. I apologize for sending something that could not be read. There are more examples in there that I had commented out. Anyway, here is my working iptables-save. If someone could review my output and let me know if I am missing anything and if the order of the rules is the most secure it could be. TIA.
Steve

# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*mangle
:PREROUTING ACCEPT [12219:2602452]
:INPUT ACCEPT [8766:2101480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
:POSTROUTING ACCEPT [7093:2183351]
COMMIT
# Completed on Fri Jun 1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*nat
:PREROUTING ACCEPT [3836:607509]
:INPUT ACCEPT [130:21132]
:OUTPUT ACCEPT [42:19744]
:POSTROUTING ACCEPT [40:19121]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun 1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun 1 10:34:39 2018
*filter
:INPUT DROP [253:85405]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun 1 10:34:39 2018

Steve

On Friday, June 1, 2018, 9:37:57 AM EDT, m.roth@xxxxxxxxx <m.roth@xxxxxxxxx> wrote:

Steve Frazier wrote:
> Hello,
> I hope that I can ask some questions on this mailing list about IPTables.
> I am more familiar with IPTABLES instead of FIREWALLD. I disabled
> FIREWALLD and installed iptables-services.
> I have put together a script that I found on the web on how to set up a
> good set of IPTABLES rules to keep my server as secure as possible.
<snip>

That's *extremely* hard to read, esp. given that the numbered commands would fail, as they don't seem to be comments.
Could you run it, and then give us the o/p of iptables-save?

mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
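As an added illustration of the kind of review Steve asks for (this code is not from the thread or from any of its posters), a small Python checker that parses the filter table posted above and reports what a reviewer would look at first: default policies, whether the blacklist DROP really sits before every ACCEPT, and ACCEPT rules that are not limited to a source address, the loopback interface, or established traffic. The sample table is a constructed copy of the posted rules, with the poster's own placeholders (mypublicip1, myvoipprovider1) kept as-is.

```python
import shlex
# Filter table from the iptables-save posted above, kept as a constructed sample.
FILTER_TABLE = """\
*filter
:INPUT DROP [2:1285]
:FORWARD ACCEPT [0:0]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_filter(text):
    """Return (chain -> default policy, rules as {chain, raw, opts})."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):      # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):  # '-A CHAIN <matches> -j TARGET'
            argv = shlex.split(line)  # option -> following value (last one wins)
            opts = {t: argv[i + 1] for i, t in enumerate(argv[:-1])
                    if t.startswith("-") and not argv[i + 1].startswith("-")}
            rules.append({"chain": argv[1], "raw": line, "opts": opts})
    return policies, rules

def review(policies, rules):
    """Flag open policies, an ACCEPT before the blacklist DROP, and unscoped ACCEPTs."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT lets unmatched packets through")
        chain_rules = [r for r in rules if r["chain"] == chain]
        targets = [r["opts"].get("-j") for r in chain_rules]
        if {"DROP", "ACCEPT"} <= set(targets) and targets.index("ACCEPT") < targets.index("DROP"):
            findings.append(f"{chain}: an ACCEPT is ordered before the blacklist DROP")
        for r in chain_rules:
            o = r["opts"]
            scoped = "-s" in o or o.get("-i") == "lo" or "ESTABLISHED" in o.get("--state", "")
            if o.get("-j") == "ACCEPT" and not scoped:
                findings.append(f"{chain}: accepts new connections from any source: {r['raw']}")
    return findings
```

Run against the posted table it reports the FORWARD default policy, the RTP rule on 10000:20000 (open to any source), and the unconditional eth0 to eth1 forward; swapping the first two INPUT rules makes it report the ordering problem as well.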