Options

iptables question

UnixGuyUnixGuy Mod Posts: 4,564 Mod
in LPI, Red Hat & Linux Foundation
I want to know which way is better in the RHCE exam, is it better to use port number or service name when writing an iptable rule ?


For example, I usually do this to write a rule for pop3s
[root@linux-server /]# grep pop3s /etc/services
pop3s           995/tcp                         # POP-3 over SSL
pop3s           995/udp                         # POP-3 over SSL
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 995 -j REJECT
[root@linux-server /]# 
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport 995 -j REJECT
[root@linux-server /]# 
[root@linux-server /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  -- !192.168.1.0/24       anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable 
REJECT     udp  -- !192.168.1.0/24       anywhere            udp dpt:pop3s reject-with icmp-port-unreachable 
[root@linux-server /]#


But I think this is easier to do:
[root@linux-server /]# 
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport pop3s -j REJECT
[root@linux-server /]# iptables -A INPUT -s ! 192.168.1.0/24 -p udp --dport pop3s -j REJECT
[root@linux-server /]# 
[root@linux-server /]# 
[root@linux-server /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  -- !192.168.1.0/24       anywhere            tcp dpt:pop3s reject-with icmp-port-unreachable 
REJECT     udp  -- !192.168.1.0/24       anywhere            udp dpt:pop3s reject-with icmp-port-unreachable


is there any preferred way ? for those who took the RHCE and passed, which way did you use ? did you use the port number or the service name ?
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 

· Share on FacebookShare on Twitter

Comments

  • Options
    darkerosxxdarkerosxx Banned Posts: 1,343
    The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.

    I, personally, have never used aliases, just port numbers.
    · Share on FacebookShare on Twitter
  • Options
    UnixGuyUnixGuy Mod Posts: 4,564 Mod
    darkerosxx wrote: »
    The RHCE is results-oriented, so as long as it works, do it the way you prefer to do it.

    I, personally, have never used aliases, just port numbers.


    I think port numbers is a saftier bet, since some services tend to use random port numbers..I think for NFS I just make the port numbers static the disable them, I'm not sure how iptables would deal it.

    Thanks Darkerosxx.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

    · Share on FacebookShare on Twitter
  • Options
    /pub/beer//pub/beer/ Member Posts: 67 ■■■□□□□□□□
    UnixGuy wrote: »
    I think port numbers is a saftier bet, since some services tend to use random port numbers..I think for NFS I just make the port numbers static the disable them, I'm not sure how iptables would deal it.

    Thanks Darkerosxx.

    Like darkerosxx all that matters is that it works.

    I prefer port numbers and when in doubt I cat /etc/services | grep "name"

    For the most part any of the ports I need are memorized.

    To use NFS with a firewall you need to set the ports in the conf, then open the firewall for 111 (portmapper) the ports you set in the config along with 2049. And you'll want to allow both tcp and udp for those.

    Good luck on Saturday ;)
    Certification Goal:
    - ¯\_(ツ)_/¯
    · Share on FacebookShare on Twitter
  • Options
    UnixGuyUnixGuy Mod Posts: 4,564 Mod
    /pub/beer/ wrote: »
    ...Good luck on Saturday ;)

    your exam's today, Good luck to you too ! let us know how it go icon_thumright.gif
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

    · Share on FacebookShare on Twitter
  • Options
    /pub/beer//pub/beer/ Member Posts: 67 ■■■□□□□□□□
    UnixGuy wrote: »
    your exam's today, Good luck to you too ! let us know how it go icon_thumright.gif

    The most that I can say is that my experience was fun. ;)
    Certification Goal:
    - ¯\_(ツ)_/¯
    · Share on FacebookShare on Twitter
  • Options
    UnixGuyUnixGuy Mod Posts: 4,564 Mod
    /pub/beer/ wrote: »
    The most that I can say is that my experience was fun. ;)

    Well mine was fun too, but..I made a huge stupid mistake in the middle of the exam that - I hope not - might make me fail ...or not. I'm not sure, but I certainly got some parts in the RHCE not working...


    now waiting the result icon_rolleyes.gif
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

    · Share on FacebookShare on Twitter
  • Options
    PashPash Member Posts: 1,600 ■■■■■□□□□□
    I used port numbers as well. But thats mainly because port 22 was already open when I started editing the iptables conf file. I changed it on my box at home when I was running the gui. I now run in run level 3 all the time.

    Ohh but I am not studying for the RHCE yet!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
    · Share on FacebookShare on Twitter
  • Options
    NightShade03NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    I'm sure you'll get some good news icon_wink.gif

    Either way you've taken the exam and know what you are up against so being nervous won't play a factor if you had to take the exam again.
    Modular Learning - Learn Something New

    SE Notebook
    · Share on FacebookShare on Twitter
Sign In or Register to comment.