iptables question

UnixGuyUnixGuy Are we having fun yet?Mod Posts: 4,251 Mod
I want to know which way is better in the RHCE exam, is it better to use port number or service name when writing an iptable rule ?


For example, I usually do this to write a rule for pop3s
[[email protected] /]# grep pop3s /etc/services
pop3s           995/tcp                         # POP-3 over SSL
pop3s           995/udp                         # POP-3 over SSL
[[email protected] /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 995 -j REJECT
[[email protected] /]# 
[[email protected] /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport 995 -j REJECT
[[email protected] /]# 
[[email protected] /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  -- !192.168.1.0/24       anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable 
REJECT     udp  -- !192.168.1.0/24       anywhere            udp dpt:pop3s reject-with icmp-port-unreachable 
[[email protected] /]# 



But I think this is easier to do:
[[email protected] /]# 
[[email protected] /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport pop3s -j REJECT
[[email protected] /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport pop3s -j REJECT
[[email protected] /]# 
[[email protected] /]# 
[[email protected] /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  -- !192.168.1.0/24       anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable 
REJECT     udp  -- !192.168.1.0/24       anywhere            udp dpt:pop3s reject-with icmp-port-unreachable


is there any preferred way ? for those who took the RHCE and passed, which way did you use ? did you use the port number or the service name ?
Certs: GPEN, GCFA, CISM, CRISC, RHCE
In Progress: MBA

Comments

  • darkerosxxdarkerosxx Banned Posts: 1,343
    The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.

    I, personally, have never used aliases, just port numbers.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,251 Mod
    darkerosxx wrote: »
    The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.

    I, personally, have never used aliases, just port numbers.


    I think port numbers is a saftier bet, since some services tend to use random port numbers..I think for NFS I just make the port numbers static the disable them, I'm not sure how iptables would deal it.

    Thanks Darkerosxx.
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • /pub/beer//pub/beer/ Member Posts: 67 ■■■□□□□□□□
    UnixGuy wrote: »
    I think port numbers is a saftier bet, since some services tend to use random port numbers..I think for NFS I just make the port numbers static the disable them, I'm not sure how iptables would deal it.

    Thanks Darkerosxx.

    Like darkerosxx all that matters is that it works.

    I prefer port numbers and when in doubt I cat /etc/services | grep "name"

    For the most part any of the ports I need are memorized.

    To use NFS with a firewall you need to set the ports in the conf, then open the firewall for 111 (portmapper) the ports you set in the config along with 2049. And you'll want to allow both tcp and udp for those.

    Good luck on Saturday ;)
    Certification Goal:
    - ¯\_(ツ)_/¯
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,251 Mod
    /pub/beer/ wrote: »
    ...Good luck on Saturday ;)

    your exam's today, Good luck to you too ! let us know how it go icon_thumright.gif
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • /pub/beer//pub/beer/ Member Posts: 67 ■■■□□□□□□□
    UnixGuy wrote: »
    your exam's today, Good luck to you too ! let us know how it go icon_thumright.gif

    The most that I can say is that my experience was fun. ;)
    Certification Goal:
    - ¯\_(ツ)_/¯
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,251 Mod
    /pub/beer/ wrote: »
    The most that I can say is that my experience was fun. ;)

    Well mine was fun too, but..I made a huge stupid mistake in the middle of the exam that - I hope not - might make me fail ...or not. I'm not sure, but I certainly got some parts in the RHCE not working...


    now waiting the result icon_rolleyes.gif
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    I used port numbers as well. But thats mainly because port 22 was already open when I started editing the iptables conf file. I changed it on my box at home when I was running the gui. I now run in run level 3 all the time.

    Ohh but I am not studying for the RHCE yet!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • NightShade03NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    I'm sure you'll get some good news icon_wink.gif

    Either way you've taken the exam and know what you are up against so being nervous won't play a factor if you had to take the exam again.
Sign In or Register to comment.