Firewall Configuration in Linux in Centos 6.2
-
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
-
@Lakshmana said:
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
What is the purpose, though? You just open or close ports. Why would you use a diagram? I think that you are making something very easy into something very complicated.
-
Here is what a healthy configuration file looks like for CentOS 6. Just use this if what you state as your needs above is all that you need....
Just put this into /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
-
Then to make it take effect...
/etc/init.d/iptables restart
-
To be clear, this is the default. You would only need to do this if you've altered IPTables already. SSH (22) and ICMP (Ping) are open by default as soon as you install. So someone has broken your system if you need to do this.
-
@StrongBad said:
@Lakshmana said:
@StrongBad It is the diagram to show how the components(firewall) will be connected in a network
What is the purpose, though? You just open or close ports. Why would you use a diagram? I think that you are making something very easy into something very complicated.
Exactly. What is a block diagram? What is it's purpose? How does it prove to be useful to you or someone else? You want to "configure" a firewall, but every business is different. Their needs are different. You need to tell us what ports you need open, what you don't, even what is the purpose of the server, such as a web server or a jump server, etc. You've given us nothing in terms of info but want us to simply tell you how to do something that is not simple when you have no information.
-
There you go, SAM provided a complete configuration. If you apply that, it will completely overwrite anything that you have already. If you want to have us help you keep the server working as it does now but also do what you want, you have to work with us and not ask for block diagrams or other unrelated items. Only your IPTables listing matters. I have no idea what you are imagining that you will accomplish with diagrams, but they don't have a place here.
-
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
-
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Whoa, that's very different than what you asked for. If you follow my directions you will blow away your ports and lose all of those services!!
-
@scottalanmiller Thank you Scott.I will try this tommorrow and say about this in detail.Do you have explanation for the above mentioned commands because I understood in less
-
This is why it is important to listen. @strongbad asked you for a copy of your existing configuration so that we could help you. Lacking that, providing what you asked for was the next best thing. But what you asked for would have completely broken the server.
Everyone is trying to help you. When they say that providing your existing IPTables file is necessary for us to help, they are not kidding. It's imperative. Anything else is very dangerous. IPTables is not hard to do, but it is very hard to do blindly.
-
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Ok, I'm not angry, but I'm frustrated. What you just gave us was useful. However, we asked several times for the info and you kept not giving it to us. If it's a language barrier, I'm sorry but I was being as simple and plain as possible.
SNMP = 161
SMTP = 25 (unsecured), 465 (secured), 587 (secured)
POP3, = 110 (unsecured), 995 (secured)
IMAP = 143 (unsecured), 993 (secured)Unless you've blocked them in IPTables already, they should be open.
-
CentOS does have a tool for adding ports, but other than pointing you to the tool, it doesn't really let us help you. It's not terribly hard to use, but doing an IPTables edit allows us to completely make the change for you. One of the beauties of text configuration files is that we can completely do the fix, not just tell you where to look.
But if you want to try the TUI, here is the link...
system-config-firewall-tui
-
@scottalanmiller Ok Scott.I have not noted the things properly so only the confusion came here.Sorry to one and all
-
@thanksajdotcom said:
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Ok, I'm not angry, but I'm frustrated. What you just gave us was useful. However, we asked several times for the info and you kept not giving it to us. If it's a language barrier, I'm sorry but I was being as simple and plain as possible.
SNMP = 161
SMTP = 25 (unsecured), 465 (secured), 587 (secured)
POP3, = 110 (unsecured), 995 (secured)
IMAP = 143 (unsecured), 993 (secured)Unless you've blocked them in IPTables already, they should be open.
They are all blocked by default. Only SSH and ICMP are open by default on CentOS. RHEL / CentOS is secure by default.
-
If you're SSHing into the box, run
cat /etc/sysconfig/iptables
Highlight the output in whatever client you're using to SSH, likely PuTTY, and paste it here. Please. We can't help you without that info.
-
Here is the only thing that I could find for a firewall block diagram. Definitely not useful for anyone working with firewalls.
-
@scottalanmiller said:
@thanksajdotcom said:
@Lakshmana said:
@thanksajdotcom Sorry dont get angry.The server is web server.SMTP,SNMP,POP3,IMAP needs tp be open
Ok, I'm not angry, but I'm frustrated. What you just gave us was useful. However, we asked several times for the info and you kept not giving it to us. If it's a language barrier, I'm sorry but I was being as simple and plain as possible.
SNMP = 161
SMTP = 25 (unsecured), 465 (secured), 587 (secured)
POP3, = 110 (unsecured), 995 (secured)
IMAP = 143 (unsecured), 993 (secured)Unless you've blocked them in IPTables already, they should be open.
They are all blocked by default. Only SSH and ICMP are open by default on CentOS. RHEL / CentOS is secure by default.
Ok, my mistake. Well, those are the ports. Given the info, I'd doubt they are using TLS or SSL, so probably 25 and 143. No reason to use POP3. Avoid it like the plague.
-
@thanksajdotcom OK AJ.Thank u.I will configure the things tommorow at my office,
-
Keep in mind order of the rules matters. a Reject before a Accept may render the Accept useless. However in some cases a reject before a accept can be needed.