system-config-securitylevel: Generates a Set of Rules

`system-config-securitylevel`: Generates a Set of Rules

This section describes the set of rules generated by system-config-securitylevel (page 768) when you ask it to create a firewall with only ssh running as a trusted service and no other ports specified. The system-config-securitylevel utility writes the rules in the format used by iptables-save (see the preceding section) to the /etc/sysconfig/iptables file, which is read by the iptables init script so that the firewall is implemented each time the system boots. See the tip on page 769 about disabling the firewall using this utility.

In the following listing, *filter indicates that the commands appearing after it work on the Filter table. The first line that begins with a colon specifies that the policy for the INPUT chain in the Filter table is ACCEPT. FORWARD and OUTPUT chains are specified similarly. Because the counters for all the chains are zero, the counters will be reset to zero each time the system boots and initializes iptables from this file.

The system-config-securitylevel utility creates a user-defined chain named RH-Firewall-1-INPUT. No policy is specified because user-defined chains cannot have policies.

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The first two lines that begin with A add rules to the INPUT and FORWARD chains that cause control to transfer to the RH-Firewall-1-INPUT chain. The subsequent lines append rules to the RH-Firewall-1-INPUT chain. Following is a description of what the rest of the lines do.

This line accepts packets from the local interface:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

This line accepts all ICMP packets:

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

These lines accept packets that match protocols 50 and 51, which /etc/protocols lists as IPv6-Crypt and IPv6-Auth, both encryption headers for IPv6:

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

The next line accepts multicast DNS (www.multicastdns.org) packets:

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

These lines allow IPP (page 504) UDP and TCP packets through:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

This line uses m to specify the state module and accepts ESTABLISHED and RELATED packets:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This line allows TCP packets through on port 22 (ssh):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

This line rejects all packets that have not been accepted and returns ICMP error icmp-host-prohibited to the system that sent the packet:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT executes the preceding commands. With the preceding rules loaded, you can use iptables to list the rules and see the defaults that iptables puts in place:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT    all  --  anywhere            anywhere           reject-with icmp-host-prohibited

Building a Set of Rules

Sharing an Internet Connection Using NAT