OPS245 Lab 7

1,210 bytes added, 20:34, 21 March 2021
Part 3: Making iptables Policies Persistent: - correcting instructions for use with sudo.
Any changes to your iptables policy rules will be lost when you restart your Linux server, unless you make your iptables rules persistent. Failure to perform the following steps after setting up your firewall rules can cause confusion and wasted time.
{{Admon/important|Don't save copies of rules that libvirtd will auto-add every boot.|The libvirtd service running on your c7host automatically adds some rules to iptables to allow the machines in your virtual network to communicate with each other and the outside world. We don't want to save these, or you will end up with two (or more) copies of them in your firewall. This won't actually break anything, but it does clutter up your iptables and make them harder to read. Before you continue with this investigation, restart your iptables. This will leave you with just the rules that exist in its saved configuration, and not the ones added by libvirtd.}}
:'''Perform the following steps:'''
# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bk</span></code></b>
# Make sure the default policy of your INPUT and FORWARD chains are both set to DROP.
# Delete the rule in the INPUT chain that allows SSH traffic from <b>anyone</b>, and replace it with one that only allows ssh traffic sent by your other machine (that is, your Windows host, or another machine in your network).
# Note that this now means your VMs won't be able to ssh to your c7host, so add a rule that allows the entire network your VMs are on (192.168.245.0/24) to ssh to your c7host.
# Delete the rule in the INPUT chain that allows ICMP traffic from <b>anyone</b>, and replace it with one that only allows ICMP traffic sent by your other machine.
# Delete the rule in your '''INPUT''' and '''FORWARD''' chains that '''REJECT'''s any traffic you haven't '''ACCEPT'''ed. You are better protected by the default '''DROP''' policy you set.
# To make the iptables rules '''persistent''' (i.e. keep the rules when the system restarts), you issue the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">sudo iptables-save > /etc/sysconfig/iptables</span></code></b>
# You will notice that even when running the command with sudo, it isn't letting you write to <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/sysconfig/iptables</span></code></b>. This is because only '''iptables-save''' runs as root; the '''&gt;''' redirection is performed by your own (unprivileged) shell, which has no permission to open that file for writing. Use <b><code><span style="color:#3366CC;font-size:1.2em;">sudo -i</span></code></b> to get a root shell, then try to save them again.
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Restart your iptables service and test your configuration.
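Before restarting the service, it is worth checking the saved ruleset against the requirements of the steps above (DROP default policies on INPUT and FORWARD, no duplicated libvirtd rules, no SSH or ICMP accepted from anyone, no leftover REJECT rules). The following shell functions are an added example, not part of the lab; the iptables-save dump they inspect is constructed here so the check runs offline, and the deliberate mistakes in it are the ones the lab warns about.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump (not from the lab). The repeated
# virbr0 rule, the ACCEPT rules without a source, the FORWARD policy and the
# REJECT rule are deliberate mistakes for the checks below to find.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.245.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the name of each INPUT/FORWARD chain whose default policy is not DROP.
non_drop_policies() {
    printf '%s\n' "$1" | awk '/^:(INPUT|FORWARD) / && $2 != "DROP" { print $1 }' | tr -d ':'
}

# Print every rule that occurs more than once (the libvirtd duplicates problem).
duplicate_rules() {
    printf '%s\n' "$1" | grep -e '^-A ' | sort | uniq -d
}

# Print INPUT ACCEPT rules for SSH (tcp/22) or ICMP that carry no -s restriction,
# i.e. rules that still allow that traffic from anyone.
open_to_anyone() {
    printf '%s\n' "$1" | grep -e '^-A INPUT ' | grep -e '-j ACCEPT' | grep -v -e ' -s ' \
        | grep -E -e '(--dport 22|-p icmp)'
}

# Print REJECT rules, which the lab replaces with the chain's DROP policy.
reject_rules() {
    printf '%s\n' "$1" | grep -e '-j REJECT'
}

# Run all checks against a dump; return 0 only if nothing was flagged.
check_ruleset() {
    findings=$(
        non_drop_policies "$1"; duplicate_rules "$1"
        open_to_anyone "$1"; reject_rules "$1"
    )
    [ -z "$findings" ] && return 0
    printf 'Problems found:\n%s\n' "$findings"
    return 1
}
```

On the real host, the same functions can be fed the saved file with <code>check_ruleset "$(cat /etc/sysconfig/iptables)"</code>.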