
Hello, FirewallD

Sysadmin Firewall Imho Linux

I remember how a friend of mine complained that Linux was becoming increasingly bloated. After logging into a freshly installed Jessie and looking at the output of mount, he was surprised. That sparked a debate between us: do we really need cgroups enabled by default, or is it just unnecessary complexity?

But today I’ve got a fresh CentOS 7 install, and this is what the default iptables output looks like:

  1$ sudo iptables-save
  2# Generated by iptables-save v1.4.21 on Fri Aug  5 12:05:21 2016
  3*nat
  4:PREROUTING ACCEPT [3547:297034]
  5:INPUT ACCEPT [2113:188970]
  6:OUTPUT ACCEPT [339:25691]
  7:POSTROUTING ACCEPT [339:25691]
  8:OUTPUT_direct - [0:0]
  9:POSTROUTING_ZONES - [0:0]
 10:POSTROUTING_ZONES_SOURCE - [0:0]
 11:POSTROUTING_direct - [0:0]
 12:POST_public - [0:0]
 13:POST_public_allow - [0:0]
 14:POST_public_deny - [0:0]
 15:POST_public_log - [0:0]
 16:POST_trusted - [0:0]
 17:POST_trusted_allow - [0:0]
 18:POST_trusted_deny - [0:0]
 19:POST_trusted_log - [0:0]
 20:PREROUTING_ZONES - [0:0]
 21:PREROUTING_ZONES_SOURCE - [0:0]
 22:PREROUTING_direct - [0:0]
 23:PRE_public - [0:0]
 24:PRE_public_allow - [0:0]
 25:PRE_public_deny - [0:0]
 26:PRE_public_log - [0:0]
 27:PRE_trusted - [0:0]
 28:PRE_trusted_allow - [0:0]
 29:PRE_trusted_deny - [0:0]
 30:PRE_trusted_log - [0:0]
 31-A PREROUTING -j PREROUTING_direct
 32-A PREROUTING -j PREROUTING_ZONES_SOURCE
 33-A PREROUTING -j PREROUTING_ZONES
 34-A OUTPUT -j OUTPUT_direct
 35-A POSTROUTING -j POSTROUTING_direct
 36-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
 37-A POSTROUTING -j POSTROUTING_ZONES
 38-A POSTROUTING_ZONES -o enp7s0f1 -g POST_public
 39-A POSTROUTING_ZONES -o enp6s0f0 -j POST_trusted
 40-A POSTROUTING_ZONES -g POST_public
 41-A POST_public -j POST_public_log
 42-A POST_public -j POST_public_deny
 43-A POST_public -j POST_public_allow
 44-A POST_trusted -j POST_trusted_log
 45-A POST_trusted -j POST_trusted_deny
 46-A POST_trusted -j POST_trusted_allow
 47-A PREROUTING_ZONES -i enp7s0f1 -g PRE_public
 48-A PREROUTING_ZONES -i enp6s0f0 -j PRE_trusted
 49-A PREROUTING_ZONES -g PRE_public
 50-A PRE_public -j PRE_public_log
 51-A PRE_public -j PRE_public_deny
 52-A PRE_public -j PRE_public_allow
 53-A PRE_trusted -j PRE_trusted_log
 54-A PRE_trusted -j PRE_trusted_deny
 55-A PRE_trusted -j PRE_trusted_allow
 56COMMIT
 57# Completed on Fri Aug  5 12:05:21 2016
 58# Generated by iptables-save v1.4.21 on Fri Aug  5 12:05:21 2016
 59*mangle
 60:PREROUTING ACCEPT [2162375:2383841899]
 61:INPUT ACCEPT [2161527:2383784543]
 62:FORWARD ACCEPT [0:0]
 63:OUTPUT ACCEPT [1919622:2207769002]
 64:POSTROUTING ACCEPT [1919622:2207769002]
 65:FORWARD_direct - [0:0]
 66:INPUT_direct - [0:0]
 67:OUTPUT_direct - [0:0]
 68:POSTROUTING_direct - [0:0]
 69:PREROUTING_ZONES - [0:0]
 70:PREROUTING_ZONES_SOURCE - [0:0]
 71:PREROUTING_direct - [0:0]
 72:PRE_public - [0:0]
 73:PRE_public_allow - [0:0]
 74:PRE_public_deny - [0:0]
 75:PRE_public_log - [0:0]
 76:PRE_trusted - [0:0]
 77:PRE_trusted_allow - [0:0]
 78:PRE_trusted_deny - [0:0]
 79:PRE_trusted_log - [0:0]
 80-A PREROUTING -j PREROUTING_direct
 81-A PREROUTING -j PREROUTING_ZONES_SOURCE
 82-A PREROUTING -j PREROUTING_ZONES
 83-A INPUT -j INPUT_direct
 84-A FORWARD -j FORWARD_direct
 85-A OUTPUT -j OUTPUT_direct
 86-A POSTROUTING -j POSTROUTING_direct
 87-A PREROUTING_ZONES -i enp7s0f1 -g PRE_public
 88-A PREROUTING_ZONES -i enp6s0f0 -j PRE_trusted
 89-A PREROUTING_ZONES -g PRE_public
 90-A PRE_public -j PRE_public_log
 91-A PRE_public -j PRE_public_deny
 92-A PRE_public -j PRE_public_allow
 93-A PRE_trusted -j PRE_trusted_log
 94-A PRE_trusted -j PRE_trusted_deny
 95-A PRE_trusted -j PRE_trusted_allow
 96COMMIT
 97# Completed on Fri Aug  5 12:05:21 2016
 98# Generated by iptables-save v1.4.21 on Fri Aug  5 12:05:21 2016
 99*security
100:INPUT ACCEPT [2160946:2383734035]
101:FORWARD ACCEPT [0:0]
102:OUTPUT ACCEPT [1919632:2207771386]
103:FORWARD_direct - [0:0]
104:INPUT_direct - [0:0]
105:OUTPUT_direct - [0:0]
106-A INPUT -j INPUT_direct
107-A FORWARD -j FORWARD_direct
108-A OUTPUT -j OUTPUT_direct
109COMMIT
110# Completed on Fri Aug  5 12:05:21 2016
111# Generated by iptables-save v1.4.21 on Fri Aug  5 12:05:21 2016
112*raw
113:PREROUTING ACCEPT [2162382:2383842179]
114:OUTPUT ACCEPT [1919636:2207772110]
115:OUTPUT_direct - [0:0]
116:PREROUTING_direct - [0:0]
117-A PREROUTING -j PREROUTING_direct
118-A OUTPUT -j OUTPUT_direct
119COMMIT
120# Completed on Fri Aug  5 12:05:21 2016
121# Generated by iptables-save v1.4.21 on Fri Aug  5 12:05:21 2016
122*filter
123:INPUT ACCEPT [0:0]
124:FORWARD ACCEPT [0:0]
125:OUTPUT ACCEPT [1919640:2207772838]
126:FORWARD_IN_ZONES - [0:0]
127:FORWARD_IN_ZONES_SOURCE - [0:0]
128:FORWARD_OUT_ZONES - [0:0]
129:FORWARD_OUT_ZONES_SOURCE - [0:0]
130:FORWARD_direct - [0:0]
131:FWDI_public - [0:0]
132:FWDI_public_allow - [0:0]
133:FWDI_public_deny - [0:0]
134:FWDI_public_log - [0:0]
135:FWDI_trusted - [0:0]
136:FWDI_trusted_allow - [0:0]
137:FWDI_trusted_deny - [0:0]
138:FWDI_trusted_log - [0:0]
139:FWDO_public - [0:0]
140:FWDO_public_allow - [0:0]
141:FWDO_public_deny - [0:0]
142:FWDO_public_log - [0:0]
143:FWDO_trusted - [0:0]
144:FWDO_trusted_allow - [0:0]
145:FWDO_trusted_deny - [0:0]
146:FWDO_trusted_log - [0:0]
147:INPUT_ZONES - [0:0]
148:INPUT_ZONES_SOURCE - [0:0]
149:INPUT_direct - [0:0]
150:IN_public - [0:0]
151:IN_public_allow - [0:0]
152:IN_public_deny - [0:0]
153:IN_public_log - [0:0]
154:IN_trusted - [0:0]
155:IN_trusted_allow - [0:0]
156:IN_trusted_deny - [0:0]
157:IN_trusted_log - [0:0]
158:OUTPUT_direct - [0:0]
159-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
160-A INPUT -i lo -j ACCEPT
161-A INPUT -j INPUT_direct
162-A INPUT -j INPUT_ZONES_SOURCE
163-A INPUT -j INPUT_ZONES
164-A INPUT -p icmp -j ACCEPT
165-A INPUT -j REJECT --reject-with icmp-host-prohibited
166-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
167-A FORWARD -i lo -j ACCEPT
168-A FORWARD -j FORWARD_direct
169-A FORWARD -j FORWARD_IN_ZONES_SOURCE
170-A FORWARD -j FORWARD_IN_ZONES
171-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
172-A FORWARD -j FORWARD_OUT_ZONES
173-A FORWARD -p icmp -j ACCEPT
174-A FORWARD -j REJECT --reject-with icmp-host-prohibited
175-A OUTPUT -j OUTPUT_direct
176-A FORWARD_IN_ZONES -i enp7s0f1 -g FWDI_public
177-A FORWARD_IN_ZONES -i enp6s0f0 -j FWDI_trusted
178-A FORWARD_IN_ZONES -g FWDI_public
179-A FORWARD_OUT_ZONES -o enp7s0f1 -g FWDO_public
180-A FORWARD_OUT_ZONES -o enp6s0f0 -j FWDO_trusted
181-A FORWARD_OUT_ZONES -g FWDO_public
182-A FWDI_public -j FWDI_public_log
183-A FWDI_public -j FWDI_public_deny
184-A FWDI_public -j FWDI_public_allow
185-A FWDI_trusted -j FWDI_trusted_log
186-A FWDI_trusted -j FWDI_trusted_deny
187-A FWDI_trusted -j FWDI_trusted_allow
188-A FWDI_trusted -j ACCEPT
189-A FWDO_public -j FWDO_public_log
190-A FWDO_public -j FWDO_public_deny
191-A FWDO_public -j FWDO_public_allow
192-A FWDO_trusted -j FWDO_trusted_log
193-A FWDO_trusted -j FWDO_trusted_deny
194-A FWDO_trusted -j FWDO_trusted_allow
195-A FWDO_trusted -j ACCEPT
196-A INPUT_ZONES -i enp7s0f1 -g IN_public
197-A INPUT_ZONES -i enp6s0f0 -j IN_trusted
198-A INPUT_ZONES -g IN_public
199-A IN_public -j IN_public_log
200-A IN_public -j IN_public_deny
201-A IN_public -j IN_public_allow
202-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
203-A IN_trusted -j IN_trusted_log
204-A IN_trusted -j IN_trusted_deny
205-A IN_trusted -j IN_trusted_allow
206-A IN_trusted -j ACCEPT
207COMMIT
208# Completed on Fri Aug  5 12:05:21 2016

For all that scaffolding, the effective policy is short: apart from ICMP and replies to established connections, traffic arriving on enp6s0f0 (the trusted zone) is accepted outright, traffic on any other interface only gets new SSH connections through, and everything else is rejected with icmp-host-prohibited. Is this really our future?

@soar
Author
@soar
Senior SRE/DevOps engineer
