Re: Help an IPTABLES neophyte please
Paul Campbell wrote:
> Question for clarification on REDHAT iptables vs iptables
>
> It seems that there is something that translates an "abbreviated" iptables
> command-line and processes it. WHY? The cmd line differences seem trivial. eg.
>
>     iptables -A INPUT -i lo -j ACCEPT
>     -A RH-Firewall-1-INPUT -i lo -j ACCEPT
Ok, you're getting confused. The first one you have is the actual command
used to ADD a rule to the iptables ruleset. It consists of the command
"iptables" followed by the appropriate parameters:

    "-A INPUT"   means "append to end of the INPUT chain". Note that "-I"
                 would try to insert the rule between two existing rules in
                 the chain. E.g. "-I INPUT 12" would mean to insert THIS rule
                 BEFORE rule 12 in the INPUT chain.
    "-i lo"      means "this refers to packets coming IN on the lo (loopback)
                 interface"
    "-j ACCEPT"  means to jump to the ACCEPT result, accepting the packet

The second line is an example of what's kept in /etc/sysconfig/iptables. It
consists of the same command parameters, but not the "iptables" command
itself. When the system boots, it runs a command:

    /sbin/iptables-restore </etc/sysconfig/iptables

which reads the contents of /etc/sysconfig/iptables and essentially feeds
each line, one at a time, to the iptables command. Conversely, you can run

    /sbin/iptables-save >/path/to/some/file

which would save the EXISTING iptables rules to the file
"/path/to/some/file" in exactly the same format as found in
/etc/sysconfig/iptables.

Most people find it easier to edit the /etc/sysconfig/iptables file to insert
rules between existing rules, then run "service iptables restart" to make
them effective, instead of running "iptables -L -n --line-numbers" to get
appropriate rule numbers and then using "iptables -I" commands to insert the
rules between existing rules.

Also note that the system used to do

    /sbin/iptables-save >/etc/sysconfig/iptables

when it shut down to save any rules inserted via the "iptables" command
directly so they'd be reinserted at the next boot. I'm not sure that happens
anymore, but it used to.

Now, as to the "-A RH-Firewall-1-INPUT" versus the "-A INPUT" bit, you can
create separate rulesets and name them however you want.
system-config-securitylevel (which is run by the system installer) creates a
separate INPUT ruleset, called "RH-Firewall-1-INPUT", and sticks its rules in
it. Any rules set up by system-config-securitylevel (at any time, not just at
system installation) get stuffed into that ruleset. The first rule that gets
inserted into /etc/sysconfig/iptables by the system installer is

    -A INPUT -j RH-Firewall-1-INPUT

which causes the INPUT chain to unconditionally jump to the
"RH-Firewall-1-INPUT" ruleset. In my opinion, it's kinda silly. I suppose you
could insert rules for the INPUT chain BEFORE the rule above that effect what
you want to do, and leave the Red Hat ruleset alone.

I generally find Red Hat's rules too simplistic for my uses, so I generally
chuck their entire ruleset and just use my own in the normal "INPUT" chain.
If I find I need to do something extra-special, then I may create a separate
ruleset, but I virtually NEVER jump to it unconditionally...I usually have
some criteria in the rule that has to be met to jump to my special set.

Hope that explains it. :-)
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      rps2@xxxxxxxx -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-  Memory is the second thing to go, but I can't remember the first! -
----------------------------------------------------------------------
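An added example, not part of Rick's message and not Red Hat's or iptables' own code: a small Python parser for the iptables-save format the reply describes. It reads a constructed ruleset laid out the way the reply says the installer lays it out (INPUT jumping unconditionally into RH-Firewall-1-INPUT), applies "-A" and "-I" lines with or without the leading "iptables" word, reports rule numbers the way "iptables -L -n --line-numbers" does, flattens the unconditional jump so you can see which rules a packet on INPUT actually meets, and writes the result back out in the same file format. The sample ruleset and the 192.0.2.0/24 insert are made up for the demonstration; the only real conventions it relies on are the "*table", ":CHAIN POLICY [pkts:bytes]", "-A CHAIN ...", and "COMMIT" lines of the iptables-save format.

```python
"""Parse an iptables-save style dump (the format kept in /etc/sysconfig/iptables),
apply '-A' / '-I' lines to it, and show which rules INPUT really evaluates
once it jumps unconditionally into RH-Firewall-1-INPUT."""
import shlex

# Constructed sample in iptables-save format, modelled on the Red Hat layout
# the reply describes. It is not a real system's ruleset.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def apply_command(tables, argv, default_table="filter"):
    """Apply one rule line, with or without the leading 'iptables' word.
    Handles '-t TABLE', '-A CHAIN ...' (append) and '-I CHAIN [N] ...'
    (insert before rule N, default 1), the two forms the thread contrasts."""
    if argv and argv[0].endswith("iptables"):
        argv = argv[1:]                      # the file form omits the command name
    table = default_table
    if argv[:1] == ["-t"]:
        table, argv = argv[1], argv[2:]
    op, chain, rest = argv[0], argv[1], argv[2:]
    chains = tables.setdefault(table, {"policy": {}, "chains": {}})["chains"]
    rules = chains.setdefault(chain, [])
    if op == "-A":
        rules.append(rest)
    elif op == "-I":
        pos = 1
        if rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        if not 1 <= pos <= len(rules) + 1:   # iptables rejects this too
            raise IndexError(f"-I {chain} {pos}: chain has only {len(rules)} rules")
        rules.insert(pos - 1, rest)
    else:
        raise ValueError(f"unsupported operation {op!r}")


def parse_save(text):
    """Read iptables-save output into {table: {'policy': {...}, 'chains': {...}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):             # '*filter' opens a table
            table = line[1:]
            tables[table] = {"policy": {}, "chains": {}}
        elif line.startswith(":"):           # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["chains"][chain] = []
        elif line == "COMMIT":
            table = None
        else:                                # '-A CHAIN ...' rule lines
            apply_command(tables, shlex.split(line), default_table=table)
    return tables


def dump_save(tables):
    """Write the structure back out in iptables-save format (the round trip)."""
    out = []
    for table, data in tables.items():
        out.append(f"*{table}")
        out += [f":{c} {p} [0:0]" for c, p in data["policy"].items()]
        for chain, rules in data["chains"].items():
            out += [" ".join(["-A", chain] + r) for r in rules]
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def list_numbered(tables, chain, table="filter"):
    """Rule numbers as 'iptables -L -n --line-numbers' would report them."""
    return [(n, " ".join(r)) for n, r in enumerate(tables[table]["chains"][chain], 1)]


def effective_rules(tables, chain, table="filter", _seen=frozenset()):
    """Flatten unconditional jumps ('-j USERCHAIN' with no match) into the
    caller so the list reads in packet order. Conditional jumps and RETURN
    stay in place, since what they do depends on the packet."""
    out = []
    for rule in tables[table]["chains"][chain]:
        target = rule[rule.index("-j") + 1] if "-j" in rule else None
        if rule == ["-j", target] and target in tables[table]["chains"] and target not in _seen:
            out += effective_rules(tables, target, table, _seen | {chain})
        else:
            out.append((chain, " ".join(rule)))
    return out


if __name__ == "__main__":
    t = parse_save(SAMPLE)
    print("INPUT as listed:", list_numbered(t, "INPUT"))
    for owner, rule in effective_rules(t, "INPUT"):
        print(f"  traversed via [{owner}] {rule}")
    # Insert ahead of the jump, as the reply suggests, leaving RH's chain alone.
    apply_command(t, shlex.split("iptables -I INPUT 1 -s 192.0.2.0/24 -j DROP"))
    print(dump_save(t))
```

The flattened view is the useful check: "-L INPUT" alone shows a single rule, which is why the thread found the layout confusing, while effective_rules shows the five rules a packet really meets and, after the "-I INPUT 1" line, that the new DROP is evaluated before any of Red Hat's. A rule placed that way survives a later system-config-securitylevel run only because it lives in INPUT rather than in RH-Firewall-1-INPUT.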