I have set up some IPTables rules (on CentOS) using netfilter from the command line.
SSH is allowed and FTP is not.
When I test this out it works fine.
But then if I connect to the gnome desktop and look at system -> administration -> Security Level and Firewall (which I think is the GUI for system-config-securitylevel) it shows the firewall enabled and none of the available services trusted including SSH.
I was expecting it to reflect the iptables rules I created.
This suggests to me that the IPTables and system-config-securitylevel rules are separate and that the IPTables rules take precedence. However, the book and reading and the surfing I’ve done seem to suggest they are just two interfaces to the same firewall.
Can anyone clear this up for me?
Thanks in advance.
SSH is on the usual port 22; here are my iptables rules:

Chain INPUT (policy DROP 1000 packets, 144K bytes)
 pkts bytes target        prot opt in    out  source       destination
 9024  900K fail2ban-SSH  tcp  --  *     *    0.0.0.0/0    0.0.0.0/0    tcp dpt:22
11393 1107K ACCEPT        tcp  --  *     *    0.0.0.0/0    0.0.0.0/0    tcp dpt:22
29519 3091K ACCEPT        tcp  --  eth0  *    0.0.0.0/0    0.0.0.0/0    tcp dpt:80
17465 1952K ACCEPT        all  --  lo    *    0.0.0.0/0    0.0.0.0/0
 1287  735K ACCEPT        all  --  *     *    0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target        prot opt in    out  source       destination

Chain OUTPUT (policy ACCEPT 55448 packets, 37M bytes)
 pkts bytes target        prot opt in    out  source       destination

Chain fail2ban-SSH (1 references)
 pkts bytes target        prot opt in    out  source       destination
 8987  895K RETURN        all  --  *     *    0.0.0.0/0    0.0.0.0/0

On the gnome desktop under system -> administration -> Security Level and Firewall
I have a window that shows the firewall enabled and a list of services that I can tick to be trusted:
FTP, Mail, NFS4, SSH, samba, HTTPS, HTTP, telnet
None appear ticked despite the above iptables rules.
For starters, is ssh running on a custom port?
Secondly, can you post a copy of your iptables ruleset, and a description of the gui interfaces set?
To list iptables:
iptables -L -n -v
It looks to be a number of things; one is the addition of fail2ban. Not to mention that system-config-securitylevel configures the firewall in a very specific way; anything outside of this exact setup is going to cause it to not recognize those services, since it’s not configured the same way. That’s the reason for the difference, and to be expected.
What is listed in iptables are the rules that are in effect. Regardless of what system-config-securitylevel states, iptables -L will always show the existing and active ruleset.
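Since `iptables -L -n -v` is the authoritative view, the service checklist can be derived from the listing itself rather than from the GUI. The following is an added example, not part of the original posts: it walks the INPUT chain from the question with first-match semantics for a new TCP connection arriving on eth0 from an arbitrary source. The function names, the port numbers assigned to each GUI service and the simplified matching (protocol, interface, source, dpt, state only) are assumptions.

```python
import re
# Constructed sample: the INPUT and fail2ban-SSH chains as posted in the question.
LISTING = """\
Chain INPUT (policy DROP 1000 packets, 144K bytes)
 pkts bytes target       prot opt in   out source    destination
 9024  900K fail2ban-SSH tcp  --  *    *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22
11393 1107K ACCEPT       tcp  --  *    *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22
29519 3091K ACCEPT       tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80
17465 1952K ACCEPT       all  --  lo   *   0.0.0.0/0 0.0.0.0/0
 1287  735K ACCEPT       all  --  *    *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain fail2ban-SSH (1 references)
 pkts bytes target       prot opt in   out source    destination
 8987  895K RETURN       all  --  *    *   0.0.0.0/0 0.0.0.0/0
"""
SERVICES = {"FTP": 21, "Mail": 25, "NFS4": 2049, "SSH": 22,  # assumed usual TCP ports
            "Samba": 445, "HTTPS": 443, "HTTP": 80, "Telnet": 23}  # Samba reduced to 445

def parse(listing):
    """Return ({chain: [rule]}, {chain: policy}) from `iptables -L -n -v` text."""
    chains, policies, cur = {}, {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if head:
            cur = head.group(1)
            chains[cur], policies[cur] = [], head.group(2)  # user chains have no policy
        elif cur and len(f := line.split()) >= 9 and f[0] != "pkts":
            chains[cur].append({"target": f[2], "prot": f[3], "in": f[5],
                                "src": f[7], "extra": " ".join(f[9:])})
    return chains, policies

def verdict(chains, policies, dport, iface="eth0", chain="INPUT"):
    """First-match verdict for a NEW TCP connection from an arbitrary source."""
    for r in chains[chain]:
        port = re.search(r"dpt:(\d+)", r["extra"])
        if (r["prot"] not in ("tcp", "all") or r["in"] not in ("*", iface)
                or r["src"] != "0.0.0.0/0" or (port and int(port.group(1)) != dport)
                or ("state" in r["extra"] and "NEW" not in r["extra"])):
            continue  # rule does not match this packet
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        if r["target"] == "RETURN":
            break  # leave this chain; the caller resumes after the jump
        if r["target"] in chains and (sub := verdict(chains, policies, dport, iface, r["target"])):
            return sub
    return policies.get(chain)  # None for a user chain, the policy for a built-in one

def exposure(listing=LISTING):
    chains, policies = parse(listing)
    return {name: verdict(chains, policies, port) for name, port in SERVICES.items()}
```

Calling `exposure()` on the posted ruleset reports SSH and HTTP as ACCEPT and every other listed service as DROP, which is the state the GUI fails to show.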