iptables Question

sunveersunveer Member Posts: 8 ■□□□□□□□□□
For RHCE exam, I want to know if I can enable the firewall in the setup > Firewall Configuration and then use the command

#iptables -F

and, then add the rules to the table.

or should I add to the default rules that are there when firewall is enabled?

Comments

  • hiddenknight821hiddenknight821 Member Posts: 1,209 ■■■■■■□□□□
    I'm afraid no one can answer that question directly due to NDA. icon_rolleyes.gif It's probably your best bet to memorize the "default" rules if they do exist.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    Well, the RHCE exam is nothing but a real working Red Hat system, so you should test that scenario in your own lab and see how it works ;)


    So you want to enable the default configuration of the firewall through the GUI and then flush out all the rules using "iptables -F", I don't understand why do you want to enable the default configuration only to flush it out?
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    UnixGuy wrote: »
    Well, the RHCE exam is nothing but a real working Red Hat system, so you should test that scenario in your own lab and see how it works ;)


    So you want to enable the default configuration of the firewall through the GUI and then flush out all the rules using "iptables -F", I don't understand why do you want to enable the default configuration only to flush it out?

    So that I can add my own rules without any interference of others.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    sunveer wrote: »
    So that I can add my own rules without any interference of others.

    yes but why "enabling the default the configuration from the GUI" to begin with? you can simply disable it, and add your own rules. Firewall will work as long as the service is enabled. (/etc/init.d/iptables )
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    UnixGuy wrote: »
    yes but why "enabling the default the configuration from the GUI" to begin with? you can simply disable it, and add your own rules. Firewall will work as long as the service is enabled. (/etc/init.d/iptables )

    After disabling firewall from setup when I check service iptables status, it says iptables: Firewall not running.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    Start the service:
    # service iptables start
    # chkconfig iptables on
    # chkconfig iptables --list
    
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    UnixGuy wrote: »
    Start the service:
    # service iptables start
    # chkconfig iptables on
    # chkconfig iptables --list
    

    I have done this but still it says Firewall not running.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    Can you copy and paste the command that you run and the output error message?

    try this as well:
    [[email protected] ~]# /etc/init.d/iptables start
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: filter                    [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    Applying iptables firewall rules:                          [  OK  ]
    Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
    [[email protected] ~]# 
    
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    [[email protected] ~]# /etc/init.d/iptables start
    [[email protected] ~]# 
    [[email protected] ~]# /etc/init.d/iptables restart
    [[email protected] ~]# 
    
    
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    this is strange. can you check "/var/log/messages" and see if anything is logged?
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    UnixGuy wrote: »
    this is strange. can you check "/var/log/messages" and see if anything is logged?

    Nothing is logged.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    can you try and disable SELinux and try again

    disable SELinux using "system-config-securitylevel" and change it to "disabled"
    [[email protected] ~]# system-config-securitylevel
    

    then try to restart the iptables service:
    [[email protected] ~]# service iptables restart
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: filter                    [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    Applying iptables firewall rules:                          [  OK  ]
    Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
    [[email protected] ~]# 
    


    Any change?

    One more thing, can you post here the contents of this file /etc/sysconfig/iptables:
    [[email protected] sysconfig]# more /etc/sysconfig/iptables
    
  • AceRimmerAceRimmer Users Awaiting Email Confirmation Posts: 41 ■■□□□□□□□□
    There's no practical/sane reason to flush the rules.
    FW (iptables) is active by default after RH/CentOS/SL is installed with some default rules (SSH allowed in INPUT chain and last rule to REJECT everything not matched).
    Why would anybody want to flush that? You just add all you need to allow before REJECT rule.
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    @AceRimmer: I actually do that at work when I harden a Linux server. I disable the firewall from the GUI, and I configure my own rules. First thing I do ( from a console) is make the default behavior to DROP everything (INPUT/OUTPUT/FORWARD), then I open the services the I want one by one.
  • onesaintonesaint Member Posts: 801
    UnixGuy wrote: »
    First thing I do ( from a console) is make the default behavior to DROP everything (INPUT/OUTPUT/FORWARD), then I open the services the I want one by one.

    This is how I was taught as well. Seal it all up, then only poke holes where needed.

    @Sunveer:

    if you disable iptables in setup, the init script wont start iptables and you'll need to enable it in setup again.
    [[email protected] ~]# /etc/init.d/iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 
    etc.          
    

    disable iptables and check status, then try to start iptables - fail.
    [[email protected] ~]# setup
    [[email protected] ~]# /etc/init.d/iptables status
    iptables: Firewall is not running.
    [[email protected] ~]# /etc/init.d/iptables start
    [[email protected] ~]# /etc/init.d/iptables status
    iptables: Firewall is not running.
    

    So you're stuck with either editing your ports in setuptools, run system-config-firewall if it's instaled, or using init and the shell. Bare in mind these tools don't place nice together (something I don't like about RHEL). So, if you use one tool, don't go messing with another otherwise your configuration will end up scrambled.

    One of my favorite iptales tricks is to use the iptables command to add new rules, test them (with ip traffic or whatnot), then if they don't work, just restart iptables without saving and the new rule is no longer present! Otherwise, save the rule with /etc/init.d/iptables save. Makes testing the firewall super easy.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    Thanks all for your support.

    I passed my RHCE. icon_cheers.gif
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    sunveer congratulations on the pass!!

    Please tell us how did you work out the iptables issue?

    Welcome to the forums! Update your profile and list your certs! hope to see you participating with us :)
  • sunveersunveer Member Posts: 8 ■□□□□□□□□□
    As I in my first post asked, I enabled firewall in setup and then remove the default rules so that they do not interfere with my services access and then add the custom rules as told in the questions.
  • log32log32 Users Awaiting Email Confirmation Posts: 217
    GG icon_wink.gif welcome to the RHCE club
  • coolmikucoolmiku Member Posts: 5 ■□□□□□□□□□
    sunveer wrote: »
    As I in my first post asked, I enabled firewall in setup and then remove the default rules so that they do not interfere with my services access and then add the custom rules as told in the questions.


    sunveer congratulations !! Just one question :


    Do i need to just flush and save iptables or do i need to disable, flush, save and chkconfig off for iptables? I will appreciate your help. Somehow I did flush and save and failed RHCE exam. Scored only 104 even though everything configured correctly and verified from base machine. don't know why I got only 104 not even close to 200.

    If anybody can clarify where I have made mistake then I would really appreciate your help and guidance.
  • prampram Member Posts: 171
    The init script flushes on stop/restart. You're going to want to put your custom rules in /etc/sysconfig/iptables
  • W StewartW Stewart Member Posts: 794 ■■■■□□□□□□
    Redhat isn't failing you, you're failing redhat. icon_lol.gif But in all seriousness, the way you said flushed then save almost sounds like you're saving a bunch of empty iptables rules. I haven't taken the exam but I'm pretty sure they'll want you to actually have some iptables rules present. I honestly wouldn't even bother flushing the iptables rules on the exam. The default iptables rules for a redhat box drops all incoming connections except for an ssh connection, icmp packets and any established or related connections so you're better off just modifying the rules that are already in place. Flushing the rules just allows you to forget something. Also, if you're going to make iptables changes at the command line then just edit the /etc/sysconfig/iptables file rather than using the iptables command. That way you don't have to worry about remembering to save the rules. Make a backup of the file just incase you mess something up and after making your changes just restart the iptables service.
    Being a sys admin sucks but I love it
  • W StewartW Stewart Member Posts: 794 ■■■■□□□□□□
    I see you're also spamming linuxquestions.org with your question coolmiku.
    Being a sys admin sucks but I love it
  • UnixGuyUnixGuy Are we having fun yet? Mod Posts: 4,227 Mod
    W Stewart wrote: »
    Redhat isn't failing you, you're failing redhat. icon_lol.gif

    haha +1

    /thread
  • coolmikucoolmiku Member Posts: 5 ■□□□□□□□□□
    Thanks for the suggestions.
  • coolmikucoolmiku Member Posts: 5 ■□□□□□□□□□
    I have removed my post. Thanks for the explanation in the other form. I am referring the books as well. I know that I can add rules via GUI for each service but just in case I don't have enough time for troubleshooting each service then I can disable FW/IPtables. I don't want to spam any website but Just wanted to get some clarification to get answer as soon as I can.
Sign In or Register to comment.