Re: 2 basic iptables questions

Peter,

Here's my take on it:

1) The /etc/sysconfig/iptables file is where your rules are contained (once you build them). I myself write a shell script that contains my rules, then run the script which builds them. I then do a service iptables save command, which will save the rules currently in /etc/sysconfig/iptables. I believe a backup of /etc/sysconfig/iptables.save is also created.

Peter wrote:
Hi,

Two questions:

1) I understand the basics of the iptables command but I am having
trouble grasping how the various "scripts" go together.  I have a
CentOS (Red Hat) box set up and there is an init script
/etc/init.d/iptables.  There is also a support script
/etc/sysconfig/iptables-config.  I know also that 'service iptables
save' saves a ruleset file of the current ruleset inside
/etc/sysconfig/iptables.  My question is therefore "Where do I place my
main (and documented) ruleset file?".  I envision a file solely
containing a multitude of iptables commands but many files I find on
the net contain other commands as well.

2) I have inherited an iptables firewall and I'm trying to grok its
ruleset.  Here are the beginning lines of the output of 'cat
/etc/sysconfig/iptables':

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:log_and_drop - [0:0]
:service_chain - [0:0]
[0:0] -A INPUT -d 127.0.0.1 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -j service_chain
[0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked Connection)"
[0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable
[0:0] -A service_chain -p icmp -j ACCEPT
[0:0] -A service_chain -p icmp -j log_and_drop
.
.
.
{ many more '[0:0] -A service_chain' lines }
COMMIT

My question here is how is the last rule ever matched?  If ICMP is seen
it will be accepted and the evaluation stops.  What is the meaning of
this line?  My guess is that it is there to log and then block unwanted
traffic (via the log_and_drop chain) but I do not see how it works. The ruleset is full of these line patterns.

I can't help you here. I would actually like to know more about the logging; however, your guess looks correct. The one rule looks like it would be evaluated first and then accepted. Unless the logging facility has special workings...

I typically drop everything, then open what I want. Since ICMP is dropped, do you really need to monitor it?

Peter
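An added example, not code from either poster: a small Python checker that reads the iptables-save format quoted above and flags the situation Peter asks about, a rule whose exact match specification was already consumed by an earlier terminating rule in the same chain, so it can never be reached. The SAMPLE ruleset is constructed to mirror the quoted one; the checker only catches identical match specs, not the general case where a broader earlier rule covers a narrower later one.

```python
import re

# Constructed sample in iptables-save format, modelled on the quoted ruleset.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:log_and_drop - [0:0]
:service_chain - [0:0]
[0:0] -A INPUT -d 127.0.0.1 -j ACCEPT
[0:0] -A INPUT -j service_chain
[0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked Connection)"
[0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable
[0:0] -A service_chain -p icmp -j ACCEPT
[0:0] -A service_chain -p icmp -j log_and_drop
[0:0] -A service_chain -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Built-in targets that end chain traversal for a matched packet.  A jump to
# a user chain such as log_and_drop is not terminating, since it may RETURN.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Optional "[pkts:bytes]" counter, then: -A <chain> <matches> -j <target> ...
RULE_RE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)(.*)$")

def parse_rules(text):
    """Return (chain, match_spec, target) for every -A line in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, match, target, _target_opts = m.groups()
            rules.append((chain, match.strip(), target))
    return rules

def find_shadowed(text):
    """Flag rules whose exact match spec was already consumed by an earlier
    terminating rule in the same chain; first match wins, so they never fire."""
    first_hit = {}  # (chain, match_spec) -> target of the terminating rule
    shadowed = []
    for chain, match, target in parse_rules(text):
        key = (chain, match)
        if key in first_hit:
            shadowed.append((chain, match, target, first_hit[key]))
        elif target in TERMINATING:
            first_hit[key] = target
    return shadowed

if __name__ == "__main__":
    for chain, match, target, earlier in find_shadowed(SAMPLE):
        print(f"{chain}: '{match} -j {target}' is dead; '{match} -j {earlier}' precedes it")
```

Run it against `cat /etc/sysconfig/iptables` output (or `iptables-save`) to list rules whose counters will stay at [0:0] forever.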
