[H-GEN] IP Tables Question

Robert Brockway robert at timetraveller.org
Sat Sep 22 01:12:59 EDT 2007


On Tue, 11 Sep 2007, Andrew Pullin wrote:

> Can I do something simple like a search and replace of my new IP Address 
> range for the old IP address range in the IP Tables config file, or do I 
> need to rebuild the file from some tool or some other convoluted method?

Hi Andrew.  No special tool is needed.  The firewalling system in question 
is actually called Netfilter.  iptables is a command line tool to 
interface to Netfilter (I'm not being pedantic, this distinction will help 
in understanding the situation).

Netfilter consists of code and data structures in the kernel designed to 
do lots of interesting stuff with network traffic - it makes a great 
firewall as we all know.

iptables is just a command line tool which lets you get output on how 
these data structures are currently configured in the kernel and also 
allows you to change them.  Thus no tool is needed to alter the firewall 
config except good ol' /sbin/iptables.

Your box is most likely set up with a bunch of iptables commands in a 
flat file somewhere in the startup scripts.

To make your changes first identify that file (from the sounds of it you 
know where it is already).  Back it up and then edit it with your 
favourite editor (or do a search and replace as you suggest).

Reload the firewall and check that everything is still working.

> hosts.allow
> sshd : my subnet range (locked down from outside after a successful brute 
> force penetration)
> sshd : 192.168.0.0/255.255.255.0

If you never ssh in to the box from outside then you may want to block ssh 
from outside at the firewall rather than just using hosts.allow (which is 
read by both TCP Wrappers and sshd itself).  I allow ssh from outside with 
PKI authentication and a strong passphrase - this essentially removes the 
possibility of a brute force attack (although a vulnerability within ssh 
itself could still allow for a break in).

> in.telnetd : ALL (backup only - never used but always monitored)

Security best practice suggests only allowing access if it is needed.  I'd 
close this off and consider the console the backup to ssh.

> iptables v1.2.7a
>
> iptables -L
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere

To get a good idea we're really going to need to see "iptables -L -v" 
since this will list the interfaces set within the rules.

Note: some people don't like posting their firewall rules to a public 
list.  I'll leave it up to you to decide if you want to post the output of 
"iptables -L -v" to the list.

> I haven't got a clue what all that IP Tables stuff means, but it works (hence 
> my problem and questions). BTW where is this info or the config file stored?

Which distro are you using?

> I had a quick look in etc, but it wasn't immediately recognisable, but I may 
> have missed it.

This command may help:

grep -r iptables /etc

Cheers,

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
 	-- RFC 1925 "The Twelve Networking Truths"
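As an added example, not part of Rob's reply or Andrew's setup, the search-and-replace Rob describes as a small POSIX shell script: back up the flat file of iptables commands, swap the old range for the new one, then confirm the result still parses and no longer mentions the old range before reloading. The file name and subnets are constructed, and the check stops short of reloading the firewall itself.

```sh
#!/bin/sh
# Added example, not from the thread: swap a subnet in a flat file of iptables
# commands (the startup script Rob describes), keeping a backup and checking the
# result before it is reloaded.  File names and subnets below are constructed.

# replace_subnet FILE OLD NEW
# Saves FILE as FILE.bak, then rewrites every literal occurrence of OLD as NEW.
# Dots in OLD are escaped so "10.1.2.0/24" cannot also match "10x1y2z0/24".
replace_subnet() {
    file=$1 old=$2 new=$3
    cp -p "$file" "$file.bak" || return 1
    old_re=$(printf '%s\n' "$old" | sed 's/\./\\./g')
    # '|' as the sed delimiter keeps the '/' of a CIDR prefix out of the way.
    sed "s|$old_re|$new|g" "$file.bak" > "$file"
}

# count_subnet FILE SUBNET -> number of lines in FILE mentioning SUBNET literally.
count_subnet() {
    grep -cF "$2" "$1" || true
}

# check_rules FILE OLD -> 0 if the edited script still parses (sh -n) and no
# longer mentions OLD.  This is Rob's "check everything" step short of a reload;
# a range written as a netmask (192.168.0.0/255.255.255.0) would not be caught.
check_rules() {
    sh -n "$1" || return 1
    [ "$(count_subnet "$1" "$2")" -eq 0 ]
}

# Demo on a constructed startup script in a temporary directory.
demo() {
    dir=$(mktemp -d) && rules=$dir/firewall.sh
    cat > "$rules" <<'EOF'
#!/bin/sh
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
EOF
    replace_subnet "$rules" 192.168.0.0/24 10.1.2.0/24
    if check_rules "$rules" 192.168.0.0/24; then
        echo "ok: $(count_subnet "$rules" 10.1.2.0/24) rules now use 10.1.2.0/24 (backup: $rules.bak)"
    else
        echo "edit failed, restore from $rules.bak" >&2
    fi
    rm -rf "$dir"
}
demo
```

Run the same functions against hosts.allow as well if its sshd line carries the old range; a netmask-style entry has to be edited by hand.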
