CentOS - Feb 2008 - /etc/sysconfig/iptables on a stock CentOS 5 install

Greetings:

i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so
my /etc/sysconfig/iptables file is pretty standard/straightforward.

my question is:  how is this config file initially generated?  i'd  
like to
re-create it, and add a couple of rules .... so i don't want to lose  
what's
in there already.

i see that my /etc/sysconfig/system-config-securitylevel has three  
entries,
which explains how the port 80 and 22 rules get into the config:

	--enabled
	--port=22:tcp
	--port=80:tcp

... and i see the basic /etc/sysconfig/iptables-config file, but i'm  
unclear
as to how the rest of the stuff gets in there: e.g.:


	# Firewall configuration written by system-config-securitylevel
	# Manual customization of this file is not recommended.
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:RH-Firewall-1-INPUT - [0:0]
	-A INPUT -j RH-Firewall-1-INPUT
	-A FORWARD -j RH-Firewall-1-INPUT
	-A RH-Firewall-1-INPUT -i lo -j ACCEPT
	-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
	-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
	-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
	-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
	-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
	-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
	-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 - 
j ACCEPT
	-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 - 
j ACCEPT
	-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
	COMMIT

Tom Laramee wrote:
>
> Greetings:
>
> i have a pretty stock CentOS 5 machine with ports 80 and 22 exposed, so
> my /etc/sysconfig/iptables file is pretty standard/straightforward.
>
> my question is:  how is this config file initially generated?  i'd 
> like to
> re-create it, and add a couple of rules .... so i don't want to lose 
> what's
> in there already.
>
> i see that my /etc/sysconfig/system-config-securitylevel has three 
> entries,
> which explains how the port 80 and 22 rules get into the config:
>
>     --enabled
>     --port=22:tcp
>     --port=80:tcp
>
> ... and i see the basic /etc/sysconfig/iptables-config file, but i'm 
> unclear
> as to how the rest of the stuff gets in there: e.g.:
>
>
>     # Firewall configuration written by system-config-securitylevel
>     # Manual customization of this file is not recommended.
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [0:0]
>     :RH-Firewall-1-INPUT - [0:0]
>     -A INPUT -j RH-Firewall-1-INPUT
>     -A FORWARD -j RH-Firewall-1-INPUT
>     -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>     -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>     -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>     -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
> 22 -j ACCEPT
>     -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 
> 80 -j ACCEPT
>     -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>     COMMIT
if you only want to add few simple rules, and if you know about iptables 
syntax, you can do something like
# iptables-save > iptables.tmp
edit the resulting files to adjust to your needs, then load it:
# iptables-restore < iptables.tmp
once you're happy, _backup_ /etc/sysconfig/iptables and do
# iptables-save > /etc/sysconfig/iptables


Alternatively, use one of the available scripts or tools to create your 
configuration.


In any case, be aware that a misconfiguration could result in blocking 
your own access. so better test on a machine not far from you.