Aug 10, 2011
tom

system-config-securitylevel and iptables show different rules

Question

I have set up some IPTables rules (on Centos) using netfilter from the command line.
SSH is allowed and FTP is not.
When I test this out it works fine.

But then if I connect to the gnome desktop and look at system -> administration -> Security Level and Firewall (which I think is the GUI for system-config-securitylevel) it shows the firewall enabled and none of the available services trusted including SSH.

I was expecting it to reflect the iptables rules I created.

This suggests to me that the IPTables and system-config-securitylevel rules are separate and that the IPTables rules take precedence. However, the book, the reading and the surfing I’ve done seem to suggest they are just two interfaces to the same firewall.

Can anyone clear this up for me?
Thanks in advance.
C

SSH is on the usual port 22, here’s my iptables rules:

Chain INPUT (policy DROP 1000 packets, 144K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9024  900K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
11393 1107K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
29519 3091K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
17465 1952K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1287  735K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 55448 packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8987  895K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

On the gnome desktop under system -> administration -> Security Level and Firewall
I have a window that shows the firewall enabled and a list of services that I can tick to be trusted:
FTP, Mail, NS4, SSH, samba, HTTPS, HTTP, telnet
None appear ticked despite the above IPtables rules.

Answer

For starters, is ssh running on a custom port?

Secondly, can you post a copy of your iptables ruleset, and a description of the GUI interface's settings.

To list iptables:

iptables -L -n -v


Update:

It looks to be a number of things; one is the addition of fail2ban. Not to mention that system-config-securitylevel configures the firewall in a very specific way; anything outside of this exact setup is going to cause it to not recognize those services, since it’s not configured the same way. That’s the reason for the difference, and to be expected.

What is listed in iptables are the rules that are in effect. Regardless of what system-config-securitylevel states, iptables -L will always show the existing and active ruleset.
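As an added example (not code from this thread), a small Python parser that reads an `iptables -L -n -v` listing like the one posted in the question and reports which of the services the GUI lists actually have an ACCEPT rule in the INPUT chain. The listing is embedded as a constructed sample, and the service-to-port mapping is an assumption (standard ports); a jump to the fail2ban-SSH chain is deliberately not counted as an accept.

```python
import re

# Constructed sample: the INPUT and fail2ban-SSH chains from the listing in the
# question above, with each chain header on its own line.
SAMPLE = """\
Chain INPUT (policy DROP 1000 packets, 144K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9024  900K fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
11393 1107K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
29519 3091K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
17465 1952K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1287  735K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8987  895K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Services the GUI can mark as trusted, mapped to their standard ports (assumed).
SERVICES = {"FTP": ("tcp", 21), "Mail": ("tcp", 25), "SSH": ("tcp", 22),
            "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "telnet": ("tcp", 23)}

def parse_chains(listing):
    """Map chain name -> (policy or None, [(target, proto, in_iface, match)])."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:                                   # chain header; user chains have no policy
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        parts = line.split(None, 9)             # 9 fixed columns, rest is the match text
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        match = parts[9] if len(parts) > 9 else ""
        chains[current][1].append((parts[2], parts[3], parts[5], match))
    return chains

def accepted_ports(chains, chain="INPUT"):
    """(proto, dport) pairs with a real ACCEPT in `chain`; a jump to fail2ban-SSH is not one."""
    ports = set()
    for target, proto, _iface, match in chains[chain][1]:
        m = re.search(r"dpt:(\d+)", match)
        if target == "ACCEPT" and m:
            ports.add((proto, int(m.group(1))))
    return ports

def effective_services(listing):
    """What the GUI would have to show to match the live ruleset."""
    open_ports = accepted_ports(parse_chains(listing))
    return {name: key in open_ports for name, key in SERVICES.items()}
```

Feeding it the real output of `iptables -L -n -v` instead of SAMPLE gives the same kind of report for a live box, which is the ruleset that is actually in force regardless of what the GUI displays.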
