Robert on 29 Nov 2016 06:20:39 -0800



Re: [PLUG] IPTABLES CentOS 6.8


On 11/28/2016 11:00 PM, Ed Ackerman wrote:
> # Generated by iptables-save v1.4.7 on Sun Nov 27 16:13:04 2016
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT
> -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
> -A INPUT -s 127.0.0.1/32 -j ACCEPT
> -A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT <-- This one errors I think
> -A INPUT -p ipv6 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUT -p udp -m udp --dport 110 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
> -A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
> COMMIT
> # Completed on Sun Nov 27 16:13:04 2016
> # Generated by webmin
> *mangle
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed

The rule you list as causing the errors is USELESS in a STATELESS setup,
which is what you have configured.  You need a STATEFUL firewall for
this rule to have any meaning.  Without the NEW rules there is nothing
for this rule to do, as NEW adds the connection to the tracking DB
which this rule checks against.  Since you stated that you added it,
simply remove it and you should be back to normal.

Not sure what you are trying to accomplish with /-p ipv6, -p gre or -p
esp/ as I do not recognize what they are used for.  I'm going to assume
you are trying to allow IPv6 and IPTABLES has separate rules for IPv6 in
IP6TABLES.

You might want to consider revamping your rules for modern times.  What
you have above is a STATELESS firewall where a STATEFUL firewall would
be a better choice.  You should also take advantage of IPTABLES module
setup.  I'm not sure what you use this system for but I would question
if you really need all those ports open.


-- 

Regards,

Robert


Smile, it increases your face value.........

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
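As an added example, not taken from the thread or from either poster: a small POSIX sh generator for a STATEFUL filter table of the kind Robert recommends, where the ESTABLISHED,RELATED rule comes first and only NEW connections to an explicit service list are accepted. It assumes eth0 is the only external interface, that the LAN CIDR handed to it is trusted, and uses `-m state` because that is what the quoted iptables 1.4.7 dump uses.

```sh
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore filter table.
# Usage: stateful_ruleset 192.168.1.0/24 "tcp:22 tcp:80 udp:53" | iptables-restore --test
stateful_ruleset() {
  lan="$1"
  services="$2"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Loopback and the trusted LAN (assumption: the caller passes a trusted CIDR).
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' "-A INPUT -s $lan -i eth0 -j ACCEPT"
  # Packets the tracker cannot place in any known connection are dropped.
  printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
  # Replies and related traffic for connections already in the tracking table.
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Each rule below admits only the first packet of a flow; accepting it adds the
  # connection to the tracking table, so later packets match the rule above.
  for svc in $services; do
    proto="${svc%%:*}"
    port="${svc##*:}"
    printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Sanity check on a generated ruleset (passed as one string): the
# ESTABLISHED,RELATED rule must exist and precede the first NEW rule, so the
# bulk of traffic matches on the first test and NEW rules only see first packets.
check_order() {
  est=$(printf '%s\n' "$1" | grep -n -- '--state ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
  new=$(printf '%s\n' "$1" | grep -n -- '--state NEW' | head -n1 | cut -d: -f1)
  [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}
```

IPv6 is not covered here; as Robert notes, that needs a separate ip6tables ruleset.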