Exact syntax and examples for RHEL iptables & Solaris ipfilter

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have many tenants in our cloud using RHEL 5.x/6.x & Solaris x86:
some tenants enable/use iptables while some disable/don't;
similarly for Solaris x86 tenants.

I have a common service which I need to permit rules in iptables
(for RHEL VMs) regardless of whether the tenant is currently
using iptables or not (ie just leave the rules there & if one day
the tenant decides to enable/use iptables, the rules to allow the
common service will have been there).

Requirements:
==========
a) permit a rule to allow Tcp4120 from current tenant VM to 172.21.3.a
b) permit a rule to allow Tcp4118 from 172.21.3.a to the current tenant VM

By "current tenant VM", it needs to be applied on all the network
interfaces.

Are the commands below correct?
# /sbin/iptables -A RH-Firewall-1-OUTPUT -p tcp --dport 4120 -d 172.21.a.b
-j ACCEPT
# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 4118 -d localhost -j
ACCEPT
# /sbin/service iptables save   <== this creates /etc/sysconfig/iptables if
it's absent?


******************************************************************************************

Sorry this is off-topic for Solaris iptables but appreciate anyone who can
help*:*

I refer to examples in links below but I'm still confused:
  http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
  http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html


Q1:
So do I just add the following lines to the top (not the bottom, right? )
 of /etc/ipf/ipf.conf  ?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to
"all_interfaces" port = 4118 keep state
 pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces"
 to 172.21.a.b port = 4120 keep state

Q2:
What's the the purpose of "quick" in the above rules?  What's the
difference if it's absent or
present?

Q3:
As our Solaris x86 VMs has about four interfaces, can someone substitute
"all_interfaces" in the
above rules with actual global value: I reckon there must be an actual
Solaris implementation
value that refers to "all interfaces";  if there's none, let me know so
that I can repeat it four times
for all the four interfaces

Q4:
What's the purpose of "keep state"?  is it needed in my case?

Q5:
if ipf.conf is not present in /etc/ipf  folder, does this mean ipfilter (as
given by 'svcs -a |grep -i ipfilter') is offline?

Q6:
if it's offline & I just create the absent ipf.conf file anyway so that one
day if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating
ipf.conf, right?
Did I miss out anything in my assumptions?
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list



[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux