Re: /etc/sysconfig/iptables on a stock CentOS 5 install

mouss <mouss@xxxxxxxxxxx> · Tue, 26 Feb 2008 22:36:44 +0100

Tom Laramee wrote:

Greetings:

i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so
my /etc/sysconfig/iptables file is pretty standard/straightforward.

my question is:  how is this config file initially generated?  i'd 
like to
re-create it, and add a couple of rules .... so i don't want to lose 
what's
in there already.

i see that my /etc/sysconfig/system-config-securitylevel has three 
entries,
which explains how the port 80 and 22 rules get into the config:

    --enabled
    --port=22:tcp
    --port=80:tcp

... and i see the basic /etc/sysconfig/iptables-config file, but i'm 
unclear
as to how the rest of the stuff gets in there: e.g.:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
80 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

if you only want to add few simple rules, and if you know about iptables 
syntax, you can do something like
# iptables-save > iptables.tmp
edit the resulting files to adjust to your needs, then load it:
# iptables-restore < iptables.tmp
once you're happy, _backup_ /etc/sysconfig/iptables and do
# iptables-save > /etc/sysconfig/iptables

Alternatively, use one of the available scripts or tools to create your 
configuration.

In any case, be aware that a misconfiguration could result in blocking 
your own access. so better test on a machine not far from you.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos