Re: [CentOS] Inquiry:iptables ?

2009-11-02 Thread Rob Kampen

ken wrote:

> On 11/02/2009 09:36 AM Rob Kampen wrote:
>> ken wrote:
>>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>>> Dear All
>>>>> To open a port, I know that I need to go to "System -> Administration ->
>>>>> Security Level and Firewall" -> Other ports and then I can open port-5901
>>>>> as tcp protocol. Can you please do me a favor and let me know how it can be
>>>>> done from the command line (if my CentOS is text-mode installed)? (perhaps
>>>>> via iptables?)
>>>>> Let me thank you in advance
>>>>
>>>> Edit /etc/sysconfig/iptables
>>>>
>>>> Restart iptables with service iptables restart
>>>>
>>>> Tony
>>>
>>> My /etc/sysconfig/iptables states at the top that editing of it is not
>>> recommended.  Yeah, I don't always follow such recommendations myself,
>>> but is there perhaps another way more in keeping with the sense of the
>>> application?
>>
>> Yeah, editing directly can be risky; nothing worse than making a change
>> only to find that access to your server just disappeared and you need to
>> get in front of it to reset via the console.
>> I use webmin for most of my edits, only make it accessible from the LAN
>> and not the WAN. You can always tunnel the :1 port via ssh and
>> access securely from a remote location.
>> The webmin console is left open while I test, thus I have not yet
>> tripped up on this though I can imagine it is not foolproof.
>> HTH
>> Rob
>
> Rob,
>
> Sounds like you've thought through the process and have a well-planned
> strategy for failure-prevention.  Cool.
>
> I checked my port 1 (ssh -p 1 ...) and found it not available
> ("Connection refused").  So in what sense, or how, can I always tunnel it?
>
> tnx.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
  
Ken, I first set up webmin on the server - this listens on port 1 by
default (https).

Then from a remote location I can
ssh servername -L 8081:localhost:1
This will capture local port 8081 and tunnel it to the remote server port 1.

Then with firefox I enter https://localhost:8081/
and I get the remote server's webmin.
HTH
Rob


Re: [CentOS] Inquiry:iptables ?

2009-11-02 Thread Negative
On Mon, Nov 2, 2009 at 10:57 AM, ken  wrote:

> On 11/02/2009 09:36 AM Rob Kampen wrote:
> > ken wrote:
> >> On 10/31/2009 04:10 AM Tony Molloy wrote:
> >>
> >>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> >>>
> >>>> Dear All
> >>>> To open a port, I know that I need to go to "System -> Administration ->
> >>>> Security Level and Firewall" -> Other ports and then I can open port-5901
> >>>> as tcp protocol. Can you please do me a favor and let me know how it can be
> >>>> done from the command line (if my CentOS is text-mode installed)? (perhaps
> >>>> via iptables?)
> >>>> Let me thank you in advance
> 
> >>> Edit /etc/sysconfig/iptables
> >>>
> >>> Restart iptables with service iptables restart
> >>>
> >>> Tony
> >>>
> >>
> >> My /etc/sysconfig/iptables states at the top that editing of it is not
> >> recommended.  Yeah, I don't always follow such recommendations myself,
> >> but is there perhaps another way more in keeping with the sense of the
> >> application?
> >>
> > Yeah, editing directly can be risky; nothing worse than making a change
> > only to find that access to your server just disappeared and you need to
> > get in front of it to reset via the console.
> > I use webmin for most of my edits, only make it accessible from the LAN
> > and not the WAN. You can always tunnel the :1 port via ssh and
> > access securely from a remote location.
> > The webmin console is left open while I test, thus I have not yet
> > tripped up on this though I can imagine it is not foolproof.
> > HTH
> > Rob
>
> Rob,
>
> Sounds like you've thought through the process and have a well-planned
> strategy for failure-prevention.  Cool.
>
> I checked my port 1 (ssh -p 1 ...) and found it not available
> ("Connection refused").  So in what sense, or how, can I always tunnel it?
>
> tnx.
>

You can use iptables to insert and delete rules in the running instance,
and after testing you can save the new setup.

The syntax is:

iptables -I $TABLE_NAME $POS -s $SRC_IPS -m state --state NEW -p tcp --dport 5901 -j ACCEPT

The default TABLE_NAME is "RH-Firewall-1-INPUT" for CentOS

You can figure out the POS you want by running

iptables -L

which dumps the rules on the screen.

The SRC_IPS are the machine(s) you want to grant access to.

If you mess up, you can just restart iptables and you'll be back to where
you were. These changes are not permanent. If you're working remotely, you
can set up a cron job to restart iptables at some sensible interval so you
won't be locked out until you have physical access to the machine.

Once you're satisfied the new rules are working right, you can use the
iptables script in /etc/init.d to save the new config.  And don't forget to
get rid of the cron job above.

Take a look at iptables-restore and iptables-save, too.

Barry
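
Barry's procedure (insert into the running rule set, keep a safety net while testing, then save) as an added example script; it is not code from the thread. It replaces his cron job with a self-cancelling background restore, and it assumes the CentOS 5 default chain name and the paths shown, which you can override through the variables at the top.

```shell
#!/bin/sh
# Added example (not from the thread): open TCP 5901 for one source on a
# CentOS 5 box the way Barry describes, but with a self-cancelling rollback
# timer in place of his cron job. Assumptions: chain name and paths below are
# CentOS 5 defaults; IPT may be pointed at a stub binary for a dry run.
IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"
BACKUP="${BACKUP:-/root/iptables.pre-change}"
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"

# Print the exact insert command so it can be reviewed before it runs.
# $1 = position in chain, $2 = source IP/CIDR, $3 = TCP port
build_rule() {
    printf '%s -I %s %s -s %s -m state --state NEW -p tcp --dport %s -j ACCEPT' \
        "$IPT" "$CHAIN" "$1" "$2" "$3"
}

# Input checks: digits only for position/port, digits/dots/slash for source.
is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
valid_port() { is_number "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
valid_pos()  { is_number "$1" && [ "$1" -ge 1 ]; }
valid_src()  { case "$1" in ''|*[!0-9./]*) return 1 ;; esac; }

# Save the running rule set (via iptables-save next to $IPT) and arm a
# background restore. If nobody cancels it, the pre-change rules come back
# after ROLLBACK_SECS, so a bad rule cannot lock you out for longer than that.
arm_rollback() {
    "${IPT}-save" > "$BACKUP" || return 1
    ( sleep "$ROLLBACK_SECS" && "${IPT}-restore" < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
}

# Once you have confirmed you can still reach the box: cancel the rollback
# and persist the tested rules to /etc/sysconfig/iptables.
commit_change() {
    kill "$(cat "$BACKUP.pid")" 2>/dev/null
    rm -f "$BACKUP.pid"
    service iptables save
}

case "${1:-}" in
    open)
        valid_pos "$2" && valid_src "$3" && valid_port "$4" ||
            { echo "usage: $0 open POS SRC_IP PORT | $0 commit" >&2; exit 2; }
        arm_rollback || exit 1
        "$IPT" -I "$CHAIN" "$2" -s "$3" -m state --state NEW -p tcp --dport "$4" -j ACCEPT
        echo "ran: $(build_rule "$2" "$3" "$4")"
        echo "confirm access, then run '$0 commit' within $ROLLBACK_SECS s" ;;
    commit) commit_change ;;
esac
```

Run it as root with `open 3 192.168.1.0/24 5901`, check from the remote side that ssh still works, then `commit`; if the check fails, do nothing and the old rules return on their own.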


Re: [CentOS] Inquiry:iptables ?

2009-11-02 Thread ken
On 11/02/2009 09:36 AM Rob Kampen wrote:
> ken wrote:
>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>  
>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>
>>>> Dear All
>>>> To open a port, I know that I need to go to "System -> Administration ->
>>>> Security Level and Firewall" -> Other ports and then I can open port-5901
>>>> as tcp protocol. Can you please do me a favor and let me know how it can be
>>>> done from the command line (if my CentOS is text-mode installed)? (perhaps
>>>> via iptables?)
>>>> Let me thank you in advance
>>>>
>>> Edit /etc/sysconfig/iptables
>>>
>>> Restart iptables with service iptables restart
>>>
>>> Tony
>>> 
>>
>> My /etc/sysconfig/iptables states at the top that editing of it is not
>> recommended.  Yeah, I don't always follow such recommendations myself,
>> but is there perhaps another way more in keeping with the sense of the
>> application?
>>
> Yeah, editing directly can be risky; nothing worse than making a change
> only to find that access to your server just disappeared and you need to
> get in front of it to reset via the console.
> I use webmin for most of my edits, only make it accessible from the LAN
> and not the WAN. You can always tunnel the :1 port via ssh and
> access securely from a remote location.
> The webmin console is left open while I test, thus I have not yet
> tripped up on this though I can imagine it is not foolproof.
> HTH
> Rob

Rob,

Sounds like you've thought through the process and have a well-planned
strategy for failure-prevention.  Cool.

I checked my port 1 (ssh -p 1 ...) and found it not available
("Connection refused").  So in what sense, or how, can I always tunnel it?

tnx.


Re: [CentOS] Inquiry:iptables ?

2009-11-02 Thread Rob Kampen

ken wrote:

> On 10/31/2009 04:10 AM Tony Molloy wrote:
>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>> Dear All
>>> To open a port, I know that I need to go to "System -> Administration ->
>>> Security Level and Firewall" -> Other ports and then I can open port-5901
>>> as tcp protocol. Can you please do me a favor and let me know how it can be
>>> done from the command line (if my CentOS is text-mode installed)? (perhaps
>>> via iptables?)
>>> Let me thank you in advance
>>
>> Edit /etc/sysconfig/iptables
>>
>> Restart iptables with service iptables restart
>>
>> Tony
>
> My /etc/sysconfig/iptables states at the top that editing of it is not
> recommended.  Yeah, I don't always follow such recommendations myself,
> but is there perhaps another way more in keeping with the sense of the
> application?

  
Yeah, editing directly can be risky; nothing worse than making a change
only to find that access to your server just disappeared and you need to
get in front of it to reset via the console.
I use webmin for most of my edits, only make it accessible from the LAN
and not the WAN. You can always tunnel the :1 port via ssh and
access securely from a remote location.
The webmin console is left open while I test, thus I have not yet
tripped up on this though I can imagine it is not foolproof.

HTH
Rob


Re: [CentOS] Inquiry:iptables ?

2009-11-02 Thread ken
On 10/31/2009 04:10 AM Tony Molloy wrote:
> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>> Dear All
>> To open a port, I know that I need to go to "System -> Administration ->
>> Security Level and Firewall" -> Other ports and then I can open port-5901
>> as tcp protocol. Can you please do me a favor and let me know how it can be
>> done from the command line (if my CentOS is text-mode installed)? (perhaps
>> via iptables?)
>> Let me thank you in advance
> 
> 
> Edit /etc/sysconfig/iptables
> 
> Restart iptables with service iptables restart
> 
> Tony

My /etc/sysconfig/iptables states at the top that editing of it is not
recommended.  Yeah, I don't always follow such recommendations myself,
but is there perhaps another way more in keeping with the sense of the
application?



Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread Christoph Maser
On Saturday, 31.10.2009, 08:48 +0100, hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration
> -> Security Level and Firewall" -> Other ports and then I can open
> port-5901 as tcp protocol. Can you please do me a favor and let me know
> how it can be done from the command line (if my CentOS is text-mode
> installed)? (perhaps via iptables?)
> Let me thank you in advance
>

system-config-securitylevel-tui -q -p $port:$proto

e.g. for HTTP

system-config-securitylevel-tui -q -p 80:tcp



Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread mark
hadi motamedi wrote:
> Thanks for your message. Please be informed that iptables is being
> installed:
> #rpm -qa|grep iptables
> iptables-1.3.5-1.2.1
> iptables-ipv6-1.3.5-1.2.1
> Please be informed that on the System -> Administration -> Security Level
> and Firewall, I can try to add the port but there is no
> /etc/sysconfig/iptables on my CentOS server. Can you please let me know
> what is wrong in my case?

Get out of the gui. Open a shell window. Edit the file in your favorite text 
editor.

mark
-- 
And no, AFAIK, Perl doesn't have spherical trig functions
built in, but it has lots of room for masochism. - Andy Peed


Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread hadi motamedi
Thanks for your message. Please be informed that iptables is being
installed:
#rpm -qa|grep iptables
iptables-1.3.5-1.2.1
iptables-ipv6-1.3.5-1.2.1
Please be informed that on the System -> Administration -> Security Level
and Firewall, I can try to add the port but there is no
/etc/sysconfig/iptables on my CentOS server. Can you please let me know
what is wrong in my case?
Thank you in advance



On Sat, Oct 31, 2009 at 8:34 AM, Tony Molloy  wrote:

> On Saturday 31 October 2009 08:27:49 hadi motamedi wrote:
> > Thank you for your reply. But it returned "No such file" for
> > /etc/sysconfig/iptables. Can you please correct me?
> > Thank you in advance
> >
>
> Is iptables installed?
>
> rpm -qa | grep iptables
>
> Tony
> > On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy  wrote:
> > > On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> > > > Dear All
> > > > To open a port, I know that I need to go to "System -> Administration ->
> > > > Security Level and Firewall" -> Other ports and then I can open port-5901
> > > > as tcp protocol. Can you please do me a favor and let me know how it can be
> > > > done from the command line (if my CentOS is text-mode installed)? (perhaps
> > > > via iptables?)
> > > > Let me thank you in advance
> > >
> > > Edit /etc/sysconfig/iptables
> > >
> > > Restart iptables with service iptables restart
> > >
> > > Tony
> > > --
> > >
> > > Dept. of Comp. Sci.
> > > University of Limerick.
>
>
>
> --
>
> Dept. of Comp. Sci.
> University of Limerick.
>


Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread Tony Molloy
On Saturday 31 October 2009 08:27:49 hadi motamedi wrote:
> Thank you for your reply. But it returned "No such file" for
> /etc/sysconfig/iptables. Can you please correct me?
> Thank you in advance
>

Is iptables installed?

rpm -qa | grep iptables

Tony
> On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy  wrote:
> > On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> > > Dear All
> > > To open a port, I know that I need to go to "System -> Administration ->
> > > Security Level and Firewall" -> Other ports and then I can open port-5901
> > > as tcp protocol. Can you please do me a favor and let me know how it can be
> > > done from the command line (if my CentOS is text-mode installed)? (perhaps
> > > via iptables?)
> > > Let me thank you in advance
> >
> > Edit /etc/sysconfig/iptables
> >
> > Restart iptables with service iptables restart
> >
> > Tony
> > --
> >
> > Dept. of Comp. Sci.
> > University of Limerick.



-- 

Dept. of Comp. Sci.
University of Limerick.


Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread John R Pierce
hadi motamedi wrote:
> Thank you for your reply. But it returned "No such file" for
> /etc/sysconfig/iptables. Can you please correct me?

If that file doesn't exist, you're probably not running the default
centos firewall scripts; you may well have some other firewall script on
there, or none at all.




Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread hadi motamedi
Thank you for your reply. But it returned "No such file" for
/etc/sysconfig/iptables. Can you please correct me?
Thank you in advance



On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy  wrote:

> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> > Dear All
> > To open a port, I know that I need to go to "System -> Administration ->
> > Security Level and Firewall" -> Other ports and then I can open port-5901
> > as tcp protocol. Can you please do me a favor and let me know how it can be
> > done from the command line (if my CentOS is text-mode installed)? (perhaps
> > via iptables?)
> > Let me thank you in advance
>
>
> Edit /etc/sysconfig/iptables
>
> Restart iptables with service iptables restart
>
> Tony
> --
>
> Dept. of Comp. Sci.
> University of Limerick.
>


Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread John R Pierce
hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration
> -> Security Level and Firewall" -> Other ports and then I can open
> port-5901 as tcp protocol. Can you please do me a favor and let me know
> how it can be done from the command line (if my CentOS is text-mode
> installed)? (perhaps via iptables?)

Older versions of RHEL had a lokkit text menu based util for setting
basic firewall ports. I dunno but it may still be available in current
versions.  All it actually does is edit that sysconfig/iptables file
and restart the iptables service that Tony mentions, same as the GUI
program does.

Also, you could make a backup of that file on a GUI system, add a port,
then diff the backup and the current iptables file to see exactly what
the GUI does.




Re: [CentOS] Inquiry:iptables ?

2009-10-31 Thread Tony Molloy
On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration ->
> Security Level and Firewall" -> Other ports and then I can open port-5901
> as tcp protocol. Can you please do me a favor and let me know how it can be
> done from the command line (if my CentOS is text-mode installed)? (perhaps
> via iptables?)
> Let me thank you in advance


Edit /etc/sysconfig/iptables

Restart iptables with service iptables restart

Tony
-- 

Dept. of Comp. Sci.
University of Limerick.