 www.centos.org Forum Index CentOS 6 - Security Support  iptables: RH-Firewall-1-INPUT vs. INPUT, and the wiki
|
 Bottom  Previous Topic  Next Topic |
|
|
|
|
|---|
Topic options
Threaded
Newest First| Poster | Thread |
|---|
|
iptables: RH-Firewall-1-INPUT vs. INPUT, and the wiki | #1 |
|
|---|---|---|---|
|
Newbie
 
Joined: 2012/3/26
From
Posts: 4
|
Hello,
I feel like I have started to grasp of the basics of iptables through experiment/logging and reading. I got my start at the CentOS iptables wiki. But one thing still puzzles me that I haven't been able to google up a clear answer on: Why is the chain "RH-Firewall" used in some cases I've read (like the Samba HowTo , but not others? For example, in the hardening CentOS wiki there is the following code (I've pared it down a bit): Some specific parts that confuse me about this: :RH-Firewall-1-INPUT - [0:0] ~ Seems to be defining a chain, but with no default (a "-")? -A INPUT -j RH-Firewall-1-INPUT ~ Seems to forward INPUT packets to the RH-Firewall chain, but then rules are defined later for -A INPUT? All of my experimentation and iptables rules have been absent of any RH-Firewall, using just INPUT, FORWARD, and OUTPUT chains. Is there a reason to use it? Where does it come from/Why does it crop up so often? I'm running CentOS 6.2 and iptables v1.4.7. Thanks for any responses to these basic questions. Linux is fun! |
||
Posted on: 2012/3/29 19:41
  |
 |
||
mdfx
|
Re: iptables: RH-Firewall-1-INPUT vs. INPUT, and the wiki | #2 |
|
|---|---|---|---|
|
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6352
|
RH changed the chain name between CentOS 5 and 6. In CentOS 5 the default iptables ruleset contains an INPUT chain that just jumps to a second chain that RH called RH-Firewall-1-INPUT and contained their rules. In CentOS 6 they abolished RH-Firewall-1-INPUT and all the rules are in the INPUT chain.
I prefer the CentOS 6 version - it's less complicated and easier to type  |
||
|
_________________
Linux/VoIP Systems Administrator |
|||
Posted on: 2012/3/29 20:16
|
|
||
|
Re: iptables: RH-Firewall-1-INPUT vs. INPUT, and the wiki | #3 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2007/12/11
From Finland
Posts: 1329
|
The reasoning for the akward named chain may partially have been in this:
1. You have one set (chain) of rules that you reuse in more than one situation. 2. It is clear by chain name, whose ruleset it is (until player adds more). 3. Packages might inject their rules and they had very peculiarly named target chain. User actions render 2 ineffective, more clever packages live without 3, and FORWARD and INPUT do not really share same set of rules, so even 1 has limited value. However, user defined chains are a very good thing. Reuse is good too. When you have many rules with similar conditions it is better to use their common condition to shovel all potential packets to separate chain and check the differing conditions there. All the other packets will then skip those many rules by failing the first test. For example, tcp and udp could have separate chains with rules of their own. |
||
Posted on: 2012/3/29 21:27
|
|
||
|
Re: iptables: RH-Firewall-1-INPUT vs. INPUT, and the wiki | #4 |
|
|---|---|---|---|
|
Newbie
Joined: 2012/3/26
From
Posts: 4
|
Quote:
This answers much of my confusion on the matter. Thank you. Quote:
This is good food for thought when constructing my rules. I've yet to implement any custom chains. Thanks |
||
Posted on: 2012/3/29 22:19
|
|
||
 Top Previous Topic Next Topic |
 |
|
You cannot start a new topic.
You can view topic.