iptables Question

For RHCE exam, I want to know if I can enable the firewall in the setup > Firewall Configuration and then use the command

#iptables -F

and, then add the rules to the table.

or should I add to the default rules that are there when firewall is enabled?

Find more posts tagged with

Comments

hiddenknight821

I'm afraid no one can answer that question directly due to NDA.

It's probably your best bet to memorize the "default" rules if they do exist.

UnixGuy

Well, the RHCE exam is nothing but a real working Red Hat system, so you should test that scenario in your own lab and see how it works

So you want to enable the default configuration of the firewall through the GUI and then flush out all the rules using "iptables -F", I don't understand why do you want to enable the default configuration only to flush it out?

sunveer

UnixGuy wrote: »

Well, the RHCE exam is nothing but a real working Red Hat system, so you should test that scenario in your own lab and see how it works

So you want to enable the default configuration of the firewall through the GUI and then flush out all the rules using "iptables -F", I don't understand why do you want to enable the default configuration only to flush it out?

So that I can add my own rules without any interference of others.

UnixGuy

sunveer wrote: »

So that I can add my own rules without any interference of others.

yes but why "enabling the default the configuration from the GUI" to begin with? you can simply disable it, and add your own rules. Firewall will work as long as the service is enabled. (/etc/init.d/iptables )

sunveer

UnixGuy wrote: »

yes but why "enabling the default the configuration from the GUI" to begin with? you can simply disable it, and add your own rules. Firewall will work as long as the service is enabled. (/etc/init.d/iptables )

After disabling firewall from setup when I check service iptables status, it says iptables: Firewall not running.

UnixGuy

Start the service:

# service iptables start
# chkconfig iptables on
# chkconfig iptables --list

sunveer

UnixGuy wrote: »

Start the service:

# service iptables start
# chkconfig iptables on
# chkconfig iptables --list

I have done this but still it says Firewall not running.

UnixGuy

Can you copy and paste the command that you run and the output error message?

try this as well:

[root@station1 ~]# /etc/init.d/iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@station1 ~]#

sunveer

[root@server1 ~]# /etc/init.d/iptables start
[root@server1 ~]# 
[root@server1 ~]# /etc/init.d/iptables restart
[root@server1 ~]#

UnixGuy

this is strange. can you check "/var/log/messages" and see if anything is logged?

sunveer

UnixGuy wrote: »

this is strange. can you check "/var/log/messages" and see if anything is logged?

Nothing is logged.

UnixGuy

can you try and disable SELinux and try again

disable SELinux using "system-config-securitylevel" and change it to "disabled"

[root@station1 ~]# system-config-securitylevel

then try to restart the iptables service:

[root@station1 ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@station1 ~]#

Any change?

One more thing, can you post here the contents of this file /etc/sysconfig/iptables:

[root@station1 sysconfig]# more /etc/sysconfig/iptables

AceRimmer

There's no practical/sane reason to flush the rules.
FW (iptables) is active by default after RH/CentOS/SL is installed with some default rules (SSH allowed in INPUT chain and last rule to REJECT everything not matched).
Why would anybody want to flush that? You just add all you need to allow before REJECT rule.

UnixGuy

@AceRimmer: I actually do that at work when I harden a Linux server. I disable the firewall from the GUI, and I configure my own rules. First thing I do ( from a console) is make the default behavior to DROP everything (INPUT/OUTPUT/FORWARD), then I open the services the I want one by one.

onesaint

UnixGuy wrote: »

First thing I do ( from a console) is make the default behavior to DROP everything (INPUT/OUTPUT/FORWARD), then I open the services the I want one by one.

This is how I was taught as well. Seal it all up, then only poke holes where needed.

@Sunveer:

if you disable iptables in setup, the init script wont start iptables and you'll need to enable it in setup again.

[root@cent1 ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 
etc.

disable iptables and check status, then try to start iptables - fail.

[root@cent1 ~]# setup
[root@cent1 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@cent1 ~]# /etc/init.d/iptables start
[root@cent1 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

So you're stuck with either editing your ports in setuptools, run system-config-firewall if it's instaled, or using init and the shell. Bare in mind these tools don't place nice together (something I don't like about RHEL). So, if you use one tool, don't go messing with another otherwise your configuration will end up scrambled.

One of my favorite iptales tricks is to use the iptables command to add new rules, test them (with ip traffic or whatnot), then if they don't work, just restart iptables without saving and the new rule is no longer present! Otherwise, save the rule with /etc/init.d/iptables save. Makes testing the firewall super easy.

sunveer

Thanks all for your support.

I passed my RHCE.

UnixGuy

sunveer congratulations on the pass!!

Please tell us how did you work out the iptables issue?

Welcome to the forums! Update your profile and list your certs! hope to see you participating with us

sunveer

As I in my first post asked, I enabled firewall in setup and then remove the default rules so that they do not interfere with my services access and then add the custom rules as told in the questions.

log32

welcome to the RHCE club

coolmiku

sunveer wrote: »

As I in my first post asked, I enabled firewall in setup and then remove the default rules so that they do not interfere with my services access and then add the custom rules as told in the questions.

sunveer congratulations !! Just one question :

Do i need to just flush and save iptables or do i need to disable, flush, save and chkconfig off for iptables? I will appreciate your help. Somehow I did flush and save and failed RHCE exam. Scored only 104 even though everything configured correctly and verified from base machine. don't know why I got only 104 not even close to 200.

If anybody can clarify where I have made mistake then I would really appreciate your help and guidance.

pram

The init script flushes on stop/restart. You're going to want to put your custom rules in /etc/sysconfig/iptables

W Stewart

Redhat isn't failing you, you're failing redhat.

But in all seriousness, the way you said flushed then save almost sounds like you're saving a bunch of empty iptables rules. I haven't taken the exam but I'm pretty sure they'll want you to actually have some iptables rules present. I honestly wouldn't even bother flushing the iptables rules on the exam. The default iptables rules for a redhat box drops all incoming connections except for an ssh connection, icmp packets and any established or related connections so you're better off just modifying the rules that are already in place. Flushing the rules just allows you to forget something. Also, if you're going to make iptables changes at the command line then just edit the /etc/sysconfig/iptables file rather than using the iptables command. That way you don't have to worry about remembering to save the rules. Make a backup of the file just incase you mess something up and after making your changes just restart the iptables service.

W Stewart

I see you're also spamming linuxquestions.org with your question coolmiku.

UnixGuy

W Stewart wrote: »

Redhat isn't failing you, you're failing redhat.

haha +1

/thread

coolmiku

Thanks for the suggestions.

coolmiku

I have removed my post. Thanks for the explanation in the other form. I am referring the books as well. I know that I can add rules via GUI for each service but just in case I don't have enough time for troubleshooting each service then I can disable FW/IPtables. I don't want to spam any website but Just wanted to get some clarification to get answer as soon as I can.