iptables question
UnixGuy
Mod Posts: 4,570 Mod
I want to know which way is better in the RHCE exam: is it better to use the port number or the service name when writing an iptables rule?
For example, I usually do this to write a rule for pop3s
[root@linux-server /]# grep pop3s /etc/services
pop3s           995/tcp                         # POP-3 over SSL
pop3s           995/udp                         # POP-3 over SSL
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 995 -j REJECT
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport 995 -j REJECT
[root@linux-server /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  !192.168.1.0/24      anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable
REJECT     udp  --  !192.168.1.0/24      anywhere            udp dpt:pop3s reject-with icmp-port-unreachable
[root@linux-server /]#
But I think this is easier to do:
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport pop3s -j REJECT
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport pop3s -j REJECT
[root@linux-server /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  !192.168.1.0/24      anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable
REJECT     udp  --  !192.168.1.0/24      anywhere            udp dpt:pop3s reject-with icmp-port-unreachable
Is there any preferred way? For those who took the RHCE and passed, which way did you use: the port number or the service name?
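The two sessions above differ only in whether the pop3s lookup is done by hand or left to iptables. The script below is an added example, not code from the post: it parses the same /etc/services line format (alias columns included), resolves a service name to its number or passes a numeric port through, and prints the thread's REJECT rule with the number already substituted, so the command reads the same on a host whose /etc/services lacks the entry. The services table is a constructed excerpt embedded in the script, and the function names `resolve_port` and `reject_rule` are chosen here.

```shell
#!/bin/sh
# Constructed /etc/services excerpt (sample data embedded here, not read from the host).
SERVICES_SAMPLE='# service-name  port/protocol  [aliases ...]   # comment
ssh             22/tcp
pop3s           995/tcp         # POP-3 over SSL
pop3s           995/udp         # POP-3 over SSL
nfs             2049/tcp        # Network File System
nfs             2049/udp
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper
'

# resolve_port NAME PROTO: print the port number for NAME/PROTO using the
# /etc/services format that iptables itself consults for --dport. Alias
# columns after port/proto are honoured, so "portmapper" resolves like
# "sunrpc". An argument that is already numeric is printed unchanged.
# Exit status 1 when nothing matches.
resolve_port() {
    name=$1; proto=$2
    case $name in
        ''|*[!0-9]*) ;;                   # not purely numeric: look it up below
        *) echo "$name"; return 0 ;;      # already a number: pass through
    esac
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v n="$name" -v p="$proto" '
        { sub(/#.*/, "") }                # strip trailing comments
        NF < 2 { next }                   # blank or comment-only line
        {
            split($2, pp, "/")            # pp[1] = port, pp[2] = protocol
            if (pp[2] != p) next
            if ($1 == n) { print pp[1]; found = 1; exit }
            for (i = 3; i <= NF; i++)
                if ($i == n) { print pp[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# reject_rule TRUSTED_NET NAME PROTO: print the rule from the thread with the
# port resolved first. The command is printed, not executed.
reject_rule() {
    port=$(resolve_port "$2" "$3") || {
        echo "reject_rule: unknown service $2/$3" >&2
        return 1
    }
    echo "iptables -A INPUT ! -s $1 -p $3 --dport $port -j REJECT"
}

# Demo: both spellings produce the same numeric rule.
reject_rule 192.168.1.0/24 pop3s tcp
reject_rule 192.168.1.0/24 995 udp
```

Whichever spelling you type, iptables resolves `--dport pop3s` once, at insertion time, from the local /etc/services; the kernel only ever holds 995 and `iptables-save` writes the number back out. `iptables -L` turns the number into a name for display, while `iptables -L -n` shows the raw number, which is the quicker check when you want to confirm what actually got loaded. The printed rules use `! -s`, the negation placement current iptables accepts without a deprecation warning; the thread's `-s !` form still works on the older release shown.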
Comments
-
darkerosxx Banned Posts: 1,343
The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.
I, personally, have never used aliases, just port numbers. -
UnixGuy Mod Posts: 4,570 Mod
darkerosxx wrote: »The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.
I, personally, have never used aliases, just port numbers.
I think port numbers are a safer bet, since some services tend to use random port numbers... I think for NFS I just make the port numbers static, then disable them; I'm not sure how iptables would deal with it.
Thanks Darkerosxx. -
/pub/beer/ Member Posts: 67
UnixGuy wrote: »I think port numbers are a safer bet, since some services tend to use random port numbers... I think for NFS I just make the port numbers static, then disable them; I'm not sure how iptables would deal with it.
Thanks Darkerosxx.
Like darkerosxx said, all that matters is that it works.
I prefer port numbers, and when in doubt I cat /etc/services | grep "name".
For the most part any of the ports I need are memorized.
To use NFS with a firewall you need to set the ports in the conf, then open the firewall for 111 (portmapper), the ports you set in the config, and 2049. And you'll want to allow both TCP and UDP for those.
Good luck on Saturday
Certification Goal: ¯\_(ツ)_/¯ -
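/pub/beer/'s NFS recipe, worked through as an added example that is not code from the post: a sysconfig fragment with the RPC daemons that would otherwise pick random ports pinned to fixed ones, and a generator for the matching ACCEPT rules (111 and 2049 fixed, the pinned ports read from the fragment, every port opened for both tcp and udp). The variable names MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT are the ones Red Hat's /etc/sysconfig/nfs uses; the port values are constructed choices, `pinned_port` and `nfs_rules` are names chosen here, and the rules are printed rather than applied. The generator refuses to run if any daemon is still unpinned, which addresses UnixGuy's worry above: opening a hole for a port that moves on every restart is not a firewall rule you can rely on.

```shell
#!/bin/sh
# Constructed /etc/sysconfig/nfs fragment: the dynamic RPC services pinned to
# fixed ports. Variable names are the ones the RHEL nfs init scripts read; the
# port values are example choices, not defaults.
NFS_SYSCONFIG='MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
'

# pinned_port VAR: print the value of VAR from the sysconfig fragment
# (empty output if it is not set).
pinned_port() {
    printf '%s\n' "$NFS_SYSCONFIG" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# nfs_rules TRUSTED_NET: print the ACCEPT rules that let TRUSTED_NET reach an
# NFS server. portmapper (111) and nfsd (2049) are fixed by the protocol; mountd,
# statd and lockd come from the pinned configuration. tcp and udp are both
# opened, as the post recommends. Fails instead of emitting rules for a daemon
# whose port is still dynamic.
nfs_rules() {
    net=$1
    mountd=$(pinned_port MOUNTD_PORT)
    statd=$(pinned_port STATD_PORT)
    lockd_tcp=$(pinned_port LOCKD_TCPPORT)
    lockd_udp=$(pinned_port LOCKD_UDPPORT)
    if [ -z "$mountd" ] || [ -z "$statd" ] || [ -z "$lockd_tcp" ] || [ -z "$lockd_udp" ]; then
        echo "nfs_rules: pin MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT first" >&2
        return 1
    fi
    for port in 111 2049 "$mountd" "$statd"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
        done
    done
    # lockd is configured per protocol, so it gets one rule each.
    echo "iptables -A INPUT -s $net -p tcp --dport $lockd_tcp -j ACCEPT"
    echo "iptables -A INPUT -s $net -p udp --dport $lockd_udp -j ACCEPT"
}

# nfs_rule_count TRUSTED_NET: number of rules generated, handy as a sanity check
# (4 ports x 2 protocols + 2 lockd rules = 10 with everything pinned).
nfs_rule_count() {
    nfs_rules "$1" | wc -l | tr -d ' '
}

# Demo: print the rule set for the thread's LAN.
nfs_rules 192.168.1.0/24
```

After the daemons are restarted with the pinned ports, `rpcinfo -p` on the server should list mountd, status and nlockmgr on exactly those numbers; if it shows something else, the sysconfig change did not take and the rules above are opening the wrong ports.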
UnixGuy Mod Posts: 4,570 Mod
/pub/beer/ wrote: »...Good luck on Saturday
Your exam's today, good luck to you too! Let us know how it goes. -
/pub/beer/ Member Posts: 67
UnixGuy wrote: »Your exam's today, good luck to you too! Let us know how it goes.
The most that I can say is that my experience was fun.
Certification Goal: ¯\_(ツ)_/¯ -
UnixGuy Mod Posts: 4,570 Mod
/pub/beer/ wrote: »The most that I can say is that my experience was fun.
Well, mine was fun too, but... I made a huge stupid mistake in the middle of the exam that - I hope not - might make me fail... or not. I'm not sure, but I certainly got some parts in the RHCE not working...
Now waiting for the result. -
Pash Member Posts: 1,600
I used port numbers as well. But that's mainly because port 22 was already open when I started editing the iptables conf file. I changed it on my box at home when I was running the GUI. I now run in run level 3 all the time.
Ohh, but I am not studying for the RHCE yet!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me. -
NightShade03 Member Posts: 1,383
I'm sure you'll get some good news.
Either way, you've taken the exam and know what you are up against, so being nervous won't play a factor if you have to take the exam again.