Comments on: CentOS / Redhat Iptables Firewall Configuration Tutorial http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/ Every answer asks a more beautiful question. Sun, 21 Mar 2010 09:24:14 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Vivek Gite http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-45510 Vivek Gite Mon, 11 Jan 2010 04:41:06 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-45510 @pd, Thanks, I've commented out those lines in script, since output policy is set to established. HTH @pd,

Thanks, I’ve commented out those lines in script, since output policy is set to established.

HTH

]]> By: pd http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-45507 pd Mon, 11 Jan 2010 01:55:00 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-45507 Yes, I found the problem in below lines, OUTPUT should be with "-o" not "-i" <pre># allow incomming ICMP ping pong stuff $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow port 53 tcp/udp (DNS Server) $IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -i ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT</pre> Vivek need to update this script. Yes, I found the problem in below lines, OUTPUT should be with “-o” not “-i”

# allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

Vivek need to update this script.

]]> By: pd http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-45506 pd Mon, 11 Jan 2010 01:44:03 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-45506 I run this firewall script on centos 5.4 and got these errors <pre>[root@localhost scripts]# ./iptables.sh Setting sysctl IPv4 settings... net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 error: "net.ipv4.icmp_ignore_bogus_error_messages" is an unknown key net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 kernel.exec-shield = 1 kernel.randomize_va_space = 1 Starting IPv4 Firewall... iptables v1.3.5: Can't use -i with OUTPUT Try `iptables -h' or 'iptables --help' for more information. iptables v1.3.5: Can't use -i with OUTPUT Try `iptables -h' or 'iptables --help' for more information. iptables v1.3.5: Can't use -i with OUTPUT Try `iptables -h' or 'iptables --help' for more information.</pre> I run this firewall script on centos 5.4 and got these errors

[root@localhost scripts]# ./iptables.sh
Setting sysctl IPv4 settings...
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
error: "net.ipv4.icmp_ignore_bogus_error_messages" is an unknown key
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
Starting IPv4 Firewall...
iptables v1.3.5: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
]]> By: gorfou http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-44732 gorfou Tue, 17 Nov 2009 16:48:09 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-44732 Hi, I am trying to install a custom iptables configuration within a fresh centos/kickstart install. I have my custom package which installs the file /etc/sysconfig/iptables during kickstart installation. However, this file is erased by the default one upon first reboot. Does anyone know what script is responsible for resetting it ? Hi,
I am trying to install a custom iptables configuration within a fresh centos/kickstart install.
I have my custom package which installs the file /etc/sysconfig/iptables during kickstart installation.
However, this file is erased by the default one upon first reboot.

Does anyone know what script is responsible for resetting it ?

]]> By: yoander (sedlav) http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-44565 yoander (sedlav) Tue, 10 Nov 2009 14:35:41 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-44565 <a href="http://easyfwgen.morizot.net/gen/index.php" rel="nofollow">Easy Firewall Generator for IPTables</a> is an iptables script generator, you can play with different options is an excellent tool for newbie. Easy Firewall Generator for IPTables is an iptables script generator, you can play with different options is an excellent tool for newbie.

]]> By: Vivek Gite http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-44563 Vivek Gite Tue, 10 Nov 2009 14:11:15 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-44563 @Marcus, I don't think so there are any such program under Linux. Almost all network program open privileged or unprivileged ports. You can run netstat program to find out port number and add rule manually. @Marcus,

I don’t think so there are any such program under Linux. Almost all network program open privileged or unprivileged ports. You can run netstat program to find out port number and add rule manually.

]]> By: Marcus http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-44562 Marcus Tue, 10 Nov 2009 13:50:39 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-44562 I'm curious, can you set it up so a certain program is authorized to send/receive data? This is a feature of the Windows Firewall. It makes it easier for programs that don't publish the ports they work on. I’m curious, can you set it up so a certain program is authorized to send/receive data? This is a feature of the Windows Firewall. It makes it easier for programs that don’t publish the ports they work on.

]]> By: Bill Baily http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/comment-page-1/#comment-44554 Bill Baily Tue, 10 Nov 2009 12:16:42 +0000 http://www.cyberciti.biz/faq/?p=5721#comment-44554 No mention of *all* the tables then. Mmmm. Perhaps this is just an iptable (rather than an iptables) guide, :-P No mention of *all* the tables then. Mmmm. Perhaps this is just an iptable (rather than an iptables) guide, :-P

]]>