Re: Help an IPTABLES neophyte please
On Fri, May 9, 2008 5:01 pm, Rick Stevens wrote:
> Paul Campbell wrote:
>> Question for clarification on
>> REDHAT iptables vs iptables
>>
>> It seems that there is something that translates an
>> "abbreviated" iptables command-line and processes it.
>>
>> WHY ? The cmd line differences seem trivial.
>> eg.
>> > iptables -A INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>
> Ok, you're getting confused. The first one you have is the actual
> command used to ADD a rule to the iptables ruleset. It consists of the
> command "iptables" followed by the appropriate parameters:
>
> "-A INPUT" means "append to end of the INPUT chain". Note that
> "-I" would try to insert the rule between two existing rules
> in the chain. E.g. "-I INPUT 12" would mean to insert THIS
> rule BEFORE rule 12 in the INPUT chain.
>
> "-i lo" means "this refers to packets coming IN on the lo
> (loopback) interface"
>
> "-j ACCEPT" means to jump to the ACCEPT result, accepting the
> packet
>
> The second line is an example of what's kept in /etc/sysconfig/iptables.
> It consists of the same command parameters, but not the "iptables"
> command itself. When the system boots, it runs a command:
>
> /sbin/iptables-restore </etc/sysconfig/iptables
>
> which reads the contents of /etc/sysconfig/iptables and essentially
> feeds each line, one at a time, to the iptables command. Conversely,
> you can run
>
> /sbin/iptables-save >/path/to/some/file
>
> which would save the EXISTING iptables rules to the file
> "/path/to/some/file" in exactly the same format as found in
> /etc/sysconfig/iptables.
>
> Most people find it easier to edit the /etc/sysconfig/iptables file to
> insert rules between existing rules, then running
>
> service iptables restart
>
> to make them effective instead of running "iptables -L -n
> --line-numbers" to get appropriate rule numbers and then using "iptables
> -I" commands to insert the rules between existing rules.
>
> Also note that the system used to do
>
> /sbin/iptables-save >/etc/sysconfig/iptables
>
> when it shut down to save any rules inserted via the "iptables" command
> directly so they'd be reinserted at the next boot. I'm not sure that
> happens anymore, but it used to.

Check /etc/sysconfig/iptable-config and you'll find a parameter that
allows saving on stop that defaults to no:

IPTABLES_SAVE_ON_STOP="no"

HTH

Karl

> Now, as to the "-A RH-Firewall-1-INPUT" versus the "-A INPUT" bit,
> you can create separate rulesets and name them however you want.
>
> system-config-securitylevel (which is run by the system installer)
> creates a separate INPUT ruleset, called "RH-Firewall-1-INPUT" and
> sticks its rules in it. Any rules set up by system-config-securitylevel
> (at any time, not just at system installation) get stuffed into that
> ruleset.
>
> The first rule that gets inserted into /etc/sysconfig/iptables by the
> system installer is
>
> -A INPUT -j RH-Firewall-1-INPUT
>
> which causes the INPUT chain to unconditionally jump to the
> "RH-Firewall-1-INPUT" ruleset. In my opinion, it's kinda silly. I
> suppose you could insert rules for the INPUT chain BEFORE the rule above
> that effect what you want to do, and leave the Red Hat ruleset alone.
>
> I generally find Red Hat's rules too simplistic for my uses, so I
> generally chuck their entire ruleset and just use my own in the normal
> "INPUT" chain. If I find I need to do something extra-special, then I
> may create a separate ruleset, but I virtually NEVER jump to it
> unconditionally...I usually have some criteria in the rule that has to
> be met to jump to my special set.
>
> Hope that explains it. :-)
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      rps2@xxxxxxxx -
> - Hosting Consulting, Inc.                                           -
> -                                                                    -
> - Memory is the second thing to go, but I can't remember the first!  -
> ----------------------------------------------------------------------
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request@xxxxxxxxxx
> Subject: unsubscribe
>

--
Karl L. Pearson
karlp@xxxxxxxxxxxxxxxx
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of the people who
are evil, but because of the people who don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---
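The editing practice Rick describes, putting your own INPUT rules in /etc/sysconfig/iptables ahead of the unconditional "-A INPUT -j RH-Firewall-1-INPUT" jump and then reloading with "service iptables restart", as an added shell example. This is not code from the thread or from Red Hat: the sample rules file is constructed to resemble what system-config-securitylevel writes, the function names (rule_position, insert_before_jump, rule_precedes_jump, demo) are my own, and the 192.0.2.0/24 block rule is a made-up documentation-range value. The script only edits a copy of the file; it does not run iptables-restore or touch the live ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): place a rule in the INPUT chain ahead of
# the jump into RH-Firewall-1-INPUT by editing an iptables-save style file,
# instead of hunting rule numbers with "iptables -L -n --line-numbers" and -I.
# SAMPLE_RULES is a constructed file modelled on the installer's layout; the
# helper names below are assumptions, not a Red Hat tool.

JUMP_LINE='-A INPUT -j RH-Firewall-1-INPUT'

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_position FILE LINE: print the 1-based line number of the first line
# exactly equal to LINE, or 0 if it is absent.
rule_position() {
    awk -v pat="$2" '$0 == pat { print NR; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# insert_before_jump FILE RULE: copy FILE to stdout with RULE placed directly
# before the INPUT -> RH-Firewall-1-INPUT jump. Fails (exit 1) when the jump is
# missing, so a hand-edited file without the Red Hat chain is not silently
# passed through unchanged.
insert_before_jump() {
    if [ "$(rule_position "$1" "$JUMP_LINE")" -eq 0 ]; then
        echo "no '$JUMP_LINE' line in $1" >&2
        return 1
    fi
    awk -v rule="$2" -v jump="$JUMP_LINE" '
        $0 == jump && !done { print rule; done = 1 }
        { print }
    ' "$1"
}

# rule_precedes_jump FILE RULE: exit 0 only when RULE is present and sits
# above the jump, i.e. the kernel evaluates it before the Red Hat chain.
rule_precedes_jump() {
    r=$(rule_position "$1" "$2")
    j=$(rule_position "$1" "$JUMP_LINE")
    [ "$r" -gt 0 ] && [ "$j" -gt 0 ] && [ "$r" -lt "$j" ]
}

# demo: write the sample to a temp file, insert a DROP for a constructed
# documentation subnet, and print the path of the edited copy. On a real box
# the edited copy would replace /etc/sysconfig/iptables and be loaded with
# "service iptables restart"; that step is deliberately not performed here.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_RULES" > "$dir/iptables.orig"
    insert_before_jump "$dir/iptables.orig" \
        '-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j DROP' > "$dir/iptables.new"
    echo "$dir/iptables.new"
}

NEWFILE=$(demo)
cat "$NEWFILE"
```

The exact-match comparison in awk is intentional: a substring match on "RH-Firewall-1-INPUT" would also hit the "-A FORWARD -j RH-Firewall-1-INPUT" line and the chain's own rules, putting the new rule in the wrong chain. Review the edited copy (diff it against the original) before moving it into place.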