Hi,

I would like to get some input on how to configure iptables. I have referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables and it has been very helpful. I have configured iptables with the help of this tutorial, but I haven't understood a few things about the default firewall config.

- What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a predefined chain, although it is not mentioned in the wiki.
- The wiki page approach is to flush the existing rules and then add the required rules to iptables. Is it possible to add/append the required rules without flushing the existing set of rules? Not sure, but I think this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-defined rules).

Any explanation or resource link on this would be really helpful.

Thanks,
CS.
Carlos Santana wrote:
> Hi,
>
> I would like to get some input on how to configure iptables. I have
> referred to the CentOS wiki http://wiki.centos.org/HowTos/Network/IPTables
> and it has been very helpful. I have configured iptables with the help
> of this tutorial, but I haven't understood a few things about the default
> firewall config.
>
> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a
> predefined chain, although it is not mentioned in the wiki.
> - The wiki page approach is to flush the existing rules and then add
> the required rules to iptables. Is it possible to add/append the required
> rules without flushing the existing set of rules? Not sure, but I think
> this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-
> defined rules).
>
> Any explanation or resource link on this would be really helpful.
>
Try using webmin - there are RPMs available for it and the interface
helps deal with the cryptic items that make up an iptables filter.
The reason for the RH-Firewall-1-INPUT chain is that you can use the
same rule set for multiple items, i.e. both INPUT and FORWARD.
> Thanks,
> CS.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Rob Kampen wrote:
> Carlos Santana wrote:
>> - What does the 'RH-Firewall-1-INPUT' chain mean? This also seems to be a
>> predefined chain, although it is not mentioned in the wiki.
>> - The wiki page approach is to flush the existing rules and then add
>> the required rules to iptables. Is it possible to add/append the required
>> rules without flushing the existing set of rules? Not sure, but I think
>> this is where the 'RH-Firewall-1-INPUT' chain comes into the picture (user-
>> defined rules).
>>
>> Any explanation or resource link on this would be really helpful.
>>
> Try using webmin - there are RPMs available for it and the interface
> helps deal with the cryptic items that make up an iptables filter.
> The reason for the RH-Firewall-1-INPUT chain is that you can use the
> same rule set for multiple items, i.e. both INPUT and FORWARD.
I also find it useful to create different chains for different network traffic. For example, I have a chain that allows all web access - ports 80, 443, 8080, etc. I have a different chain for file-share access - e.g. NFS and Samba. This way, I can watch what is happening with those chains specifically, without wading through the significant output of the command "iptables -nvL". By using different chains, I can issue a command like "watch -d iptables -nvL CentOS-MAIL" to monitor network traffic on the related ports. This has helped me many times in the past to see where network traffic is being blocked or given access.

Just my 2c worth :)

Ian
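The two points made above (Rob's shared RH-Firewall-1-INPUT chain that both INPUT and FORWARD jump into, and Ian's per-traffic chains that can be watched on their own) put together in one filter table, written in the iptables-restore format that /etc/sysconfig/iptables uses. This is an added example, not code from the thread or from CentOS: the shape of RH-Firewall-1-INPUT follows the stock CentOS chain, while the CentOS-WEB, CentOS-FILESHARE and CentOS-MAIL chain names and their port lists are assumed for illustration. The two helper functions lint the file before it is loaded, because iptables-restore rejects the whole table if any -j names an undeclared chain.

```shell
#!/bin/sh
# Added example (not from the thread): a filter table in iptables-restore
# format with one shared user-defined chain (RH-Firewall-1-INPUT, reached
# from both INPUT and FORWARD) and three per-traffic chains hanging off it.
# Chain names other than RH-Firewall-1-INPUT and the port lists are
# constructed for this example.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:CentOS-WEB - [0:0]
:CentOS-FILESHARE - [0:0]
:CentOS-MAIL - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -j CentOS-WEB
-A RH-Firewall-1-INPUT -m state --state NEW -j CentOS-FILESHARE
-A RH-Firewall-1-INPUT -m state --state NEW -j CentOS-MAIL
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A CentOS-WEB -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
-A CentOS-FILESHARE -p tcp -m tcp --dport 2049 -j ACCEPT
-A CentOS-FILESHARE -p udp -m udp --dport 2049 -j ACCEPT
-A CentOS-FILESHARE -p udp -m multiport --dports 137,138 -j ACCEPT
-A CentOS-FILESHARE -p tcp -m multiport --dports 139,445 -j ACCEPT
-A CentOS-MAIL -p tcp -m multiport --dports 25,143,993 -j ACCEPT
COMMIT
EOF
}

# user_chains: names of the user-defined chains in a ruleset read on stdin.
# They are declared with policy "-"; built-in chains carry ACCEPT or DROP.
user_chains() {
    awk '/^:/ && $2 == "-" { n = $1; sub(/^:/, "", n); print n }'
}

# check_jumps: every -j target must be a built-in target or a declared
# chain, otherwise iptables-restore aborts the whole load. Reads stdin,
# prints each offending target, exits non-zero if any was found.
check_jumps() {
    awk '
        /^:/ { n = $1; sub(/^:/, "", n); declared[n] = 1 }
        /^-A/ {
            for (i = 1; i < NF; i++)
                if ($i == "-j") {
                    t = $(i + 1)
                    if (!(t in declared) && t !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/) {
                        print "undeclared chain: " t
                        bad = 1
                    }
                }
        }
        END { exit bad + 0 }'
}

# Stand-alone use:  sh ruleset.sh print > ruleset   /   sh ruleset.sh check
case "${1:-}" in
print) gen_ruleset ;;
check) gen_ruleset | check_jumps && echo "ruleset OK" ;;
esac
```

Load the file with `iptables-restore < ruleset`, which swaps the whole table in one commit, so there is no moment with an emptied ruleset as there is with a script that flushes and then adds rules one by one; `service iptables save` then writes it to /etc/sysconfig/iptables. A packet that matches nothing in CentOS-WEB (or the other sub-chains) returns to RH-Firewall-1-INPUT and continues with the next rule, so it still ends at the final REJECT, and `watch -d iptables -nvL CentOS-MAIL` shows only that chain's counters, as Ian describes.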
Carlos Santana wrote on Mon, 18 Jan 2010 17:54:51 -0600:
> - The wiki page approach is to flush the existing rules and then add
> the required rules to iptables. Is it possible to add/append the required
> rules without flushing the existing set of rules
You can add rules on the fly at runtime and then use "service iptables save" to save them. These will be loaded automatically on a "service iptables start". But it's harder to maintain than a script of your own. I prefer to write a script, run it (which includes flushing etc.) and when it's OK I save that result.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com
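On Kai's first option (add rules at runtime, then `service iptables save`), an added example rather than code from the thread: a small POSIX sh helper that inserts a rule only when it is not already present, and places it in front of the chain's final REJECT rule. That placement is the detail that bites people who append to the stock chain: RH-Firewall-1-INPUT ends in `-j REJECT`, so a rule appended with `-A` lands behind the REJECT and never matches. The `IPTABLES` and `IPTABLES_SAVE` variables, the `fake_iptables_save` snapshot and the `demo` mode are constructed for this example so it can be dry-run without root; rule specs are assumed to be written exactly as your `iptables-save` prints them, since the presence check is textual (`iptables -C` does it semantically, but is missing from older iptables releases such as the one in CentOS 5).

```shell
#!/bin/sh
# Added example (not from the thread): add rules to the running firewall
# without flushing it, idempotently, and in the right place.
#   1. The stock RH-Firewall-1-INPUT chain ends in a REJECT, so new rules
#      are inserted (-I) in front of it; -A would put them after the REJECT.
#   2. Re-running the script must not duplicate rules, so iptables-save is
#      consulted first.
# IPTABLES / IPTABLES_SAVE are overridable so the logic can be dry-run.

IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}

# Constructed iptables-save snapshot standing in for a live ruleset (dry runs).
fake_iptables_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_present CHAIN SPEC...: true if iptables-save already lists the rule.
# Textual whole-line match, so write SPEC the way iptables-save prints it.
rule_present() {
    chain=$1; shift
    $IPTABLES_SAVE | grep -qxF -- "-A $chain $*"
}

# reject_position CHAIN: 1-based index of the chain's REJECT rule, or
# (rule count + 1) if it has none; either way the slot a new rule should take.
reject_position() {
    $IPTABLES_SAVE | awk -v prefix="-A $1 " '
        index($0, prefix) == 1 { n++; if ($0 ~ / -j REJECT/) pos = n }
        END { print (pos ? pos : n + 1) }'
}

# ensure_rule CHAIN SPEC...: insert the rule before the REJECT unless present.
ensure_rule() {
    chain=$1; shift
    if rule_present "$chain" "$@"; then
        echo "present: -A $chain $*"
        return 0
    fi
    $IPTABLES -I "$chain" "$(reject_position "$chain")" "$@"
}

# Persist the running ruleset to /etc/sysconfig/iptables (CentOS init script),
# so "service iptables start" reloads it. Not dry-run aware.
persist_rules() {
    service iptables save
}

# Dry run without root, nothing is changed:  sh add_rules.sh demo
case "${1:-}" in
demo)
    IPTABLES="echo iptables"
    IPTABLES_SAVE=fake_iptables_save
    ensure_rule RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    ensure_rule RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    ;;
esac
```

Against the snapshot above the port-22 rule is reported as present and the port-80 rule is inserted at position 4, directly in front of the REJECT. Because the check is textual, a spec whose option order differs from iptables-save's output is not recognised as present and gets added twice; that is exactly the drift Kai is pointing at when he says a flush-and-rebuild script of your own is easier to keep correct.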