Thank you. I apologize for sending something that could be read. There are
more examples in there that I had commented out.
Anyway, here is my working iptables-save. If someone could review my output
and let me know if I am missing anything and if the order of the rules are the
most secure they could be.
TIA.
Steve
# Generated by iptables-save v1.4.21 on Fri Jun  1 10:34:39 2018
*mangle
:PREROUTING ACCEPT [12219:2602452]
:INPUT ACCEPT [8766:2101480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
:POSTROUTING ACCEPT [7093:2183351]
COMMIT
# Completed on Fri Jun  1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun  1 10:34:39 2018
*nat
:PREROUTING ACCEPT [3836:607509]
:INPUT ACCEPT [130:21132]
:OUTPUT ACCEPT [42:19744]
:POSTROUTING ACCEPT [40:19121]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun  1 10:34:39 2018
# Generated by iptables-save v1.4.21 on Fri Jun  1 10:34:39 2018
*filter
:INPUT DROP [253:85405]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7093:2183351]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun  1 10:34:39 2018
Steve
On Friday, June 1, 2018, 9:37:57 AM EDT, m.roth at 5-cent.us <m.roth at 5-cent.us> wrote:
Steve Frazier wrote:
> Hello,
> I hope that I can ask some questions on this mailing list about IPTables.
> I am more familiar with IPTABLES instead of FIREWALLD. I disabled
> FIREWALLD and installed iptables-services.
> I have put together a script that I found on the web on how to set up a
> good set of IPTABLES rules to keep my server as secure as possible.
<snip>
That's *extremely* hard to read, esp. given that the numbered commands
would fail, as they don't seem to be comments.
Could you run it, and then give us the o/p of iptables-save?
    mark
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
m.roth at 5-cent.us
2018-Jun-01 15:16 UTC
[CentOS] Centos 7 (using iptables) removed firewalld
Steve Frazier wrote:
> Thank you. I apologize for sending something that could be read. There
> are more examples in there that I had commented out.
> Anyway, here is my working iptables-save. If someone could review my
> output and let me know if I am missing anything and if the order of the
> rules are the most secure they could be.
> TIA.
>
Steve,
   Do you have any idea of what you're writing? Why are you emailing -
this *is* an email list - with run-on lines? I mean, really, can you
read what you sent, below?
        mark
> Steve
>
> <snip>
I left out the RTP for voip. Here is my updated iptables-save
*mangle
:PREROUTING ACCEPT [343:37719]
:INPUT ACCEPT [238:19550]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
:POSTROUTING ACCEPT [157:14766]
COMMIT
# Completed on Fri Jun  1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun  1 11:12:17 2018
*nat
:PREROUTING ACCEPT [114:20124]
:INPUT ACCEPT [7:670]
:OUTPUT ACCEPT [13:1422]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Jun  1 11:12:17 2018
# Generated by iptables-save v1.4.21 on Fri Jun  1 11:12:17 2018
*filter
:INPUT DROP [2:1285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s mypublicip1 -i eth0 -j ACCEPT
-A INPUT -s mypublicip2 -i eth0 -j ACCEPT
-A INPUT -s mypublicip3 -i eth0 -j ACCEPT
-A INPUT -s 192.168.20.0/23 -i eth1 -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s myvoipprovider2 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jun  1 11:12:17 2018
Thanks again.
On Friday, June 1, 2018, 11:05:10 AM EDT, Steve Frazier <sfrazier1111 at yahoo.com> wrote:
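As an added example, not code from the thread, here is a small Python checker that parses the *filter table of an iptables-save dump and reports the policy and rule-order points a reviewer would raise about the ruleset above (first match wins, so a DROP placed after an ACCEPT never sees that traffic). The sample input is constructed to mirror the posted rules and keeps the post's placeholder names; nothing in it is a real address.

```python
# Constructed sample modelled on the thread's iptables-save output (placeholders kept, no real addresses).
SAMPLE = """*filter
:INPUT DROP [2:1285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:14766]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s myvoipprovider1 -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the *filter table only."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            chain, *tokens = line.split()[1:]
            rules.setdefault(chain, []).append(tokens)
    return policies, rules

def review(text):
    """Findings a reviewer would raise; iptables stops at the first matching rule, so order matters."""
    policies, rules = parse_filter(text)
    target = lambda r: r[r.index("-j") + 1]   # the -j argument (not always the last token)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
    for chain, chain_rules in rules.items():
        targets = [target(r) for r in chain_rules]
        drops = [i for i, r in enumerate(chain_rules) if "--match-set" in r and targets[i] == "DROP"]
        if "ACCEPT" in targets and (not drops or drops[0] > targets.index("ACCEPT")):
            findings.append(f"{chain}: blacklist DROP does not precede the first ACCEPT")
        for r in chain_rules:   # loopback and conntrack-state accepts are expected; flag the rest
            if target(r) == "ACCEPT" and "-s" not in r and "lo" not in r and "RELATED,ESTABLISHED" not in r:
                findings.append(f"{chain}: ACCEPT with no source or conntrack restriction: {' '.join(r)}")
    return findings
```

On the sample it flags the FORWARD ACCEPT policy, the RTP rule that accepts NEW UDP 10000:20000 from any source, and the unconditional eth0 to eth1 forward; the blacklist DROP is correctly first in both chains.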
I assumed this was a Centos 7 mailing list and I was looking for help with
IPTABLEs. I have used mailing lists before. Copying a file to an email address
didn't have that type of output. I apologize.
First of all is this a Centos 7 Mailing list that I can ask for help or have I
made a huge mistake? If so, should I just attach the file to the email.
I apologize for the output, I had no idea. That's not the way it looked
when I sent it.
I am sorry. I am just looking for some help with IPTABLES on Centos 7.
Please let me know and I won't send any more questions if I am not sending
to the right list for help and not the right way.
On Friday, June 1, 2018, 11:16:33 AM EDT, m.roth at 5-cent.us <m.roth at 5-cent.us> wrote:
Steve Frazier wrote:
> Thank you. I apologize for sending something that could be read. There
> are more examples in there that I had commented out.
> Anyway, here is my working iptables-save. If someone could review my
> output and let me know if I am missing anything and if the order of the
> rules are the most secure they could be.
> TIA.
>
Steve,
   Do you have any idea of what you're writing? Why are you emailing -
this *is* an email list - with run-on lines? I mean, really, can you
read what you sent, below?
        mark
> Steve
> <snip>