From 444ac7d1d7f834c59523614f70c5ab59d984479b Mon Sep 17 00:00:00 2001 From: "FeRD (Frank Dana)" Date: Fri, 23 Apr 2021 18:11:13 -0400 Subject: [PATCH] Flag iptables doc as outdated - Place a large caution box at the top of the file, warning users of the outdated information on the page and directing them to the more current "Using firewalld" quick doc. - Drop the second and third iptables section partials entirely, as it's been years since either 'system-config-firewall' or 'system-config-firewall-tui' has been available in the repos. --- .../ROOT/pages/_partials/iptables-gui.adoc | 85 ---------------- .../ROOT/pages/_partials/iptables-tui.adoc | 98 ------------------- .../pages/how-to-edit-iptables-rules.adoc | 25 +++-- 3 files changed, 17 insertions(+), 191 deletions(-) delete mode 100644 modules/ROOT/pages/_partials/iptables-gui.adoc delete mode 100644 modules/ROOT/pages/_partials/iptables-tui.adoc diff --git a/modules/ROOT/pages/_partials/iptables-gui.adoc b/modules/ROOT/pages/_partials/iptables-gui.adoc deleted file mode 100644 index 56b3eb2..0000000 --- a/modules/ROOT/pages/_partials/iptables-gui.adoc +++ /dev/null 
@@ -1,85 +0,0 @@ -= Graphical User Interface - -There are several graphical user interfaces available to configure iptables. - -* link:http://www.fwbuilder.org/_fwbuilder[fwbuilder]: Very complete GUI tools - to configure iptables. -* link:http://shorewall.net/_Shorewall[Shorewall]: Another very complete GUI - like fwbuilder. -* link:http://www.turtlefirewall.com/_Turtle_firewall_project[Turtle firewall - project]: Web interface and integrated to webmin. But it can not handle all - iptables options. -* link:http://users.telenet.be/stes/ipmenu.html_IPmenu[IPmenu] :A console based - interface that covers all iptables functionality. - -The following section describes yet another frontend: `system-config-firewall`. - -== system-config-firewall - -The GUI interface is similar to the text based interface just more friendly. - -The first time you start the GUI you will receive a warning. The program will -*not* load your custom configuration. So any preexisting rules will be -overwritten. - -image:Firewall_GUI_First_Time_Startup.PNG[First time -startup message,title="fig:First time startup message"] - -Before you start, you have to enable your firewall to activate the -configuration utility. - -image:FireWwall_GUI_startup.PNG[Firewall Gui startup -screen,title="Firewall Gui startup screen"] - -The initial configuration is empty and will not allow any network traffic. - -image:No_configuration.PNG[No firewall -configuration,title="No firewall configuration"] - -You can ignore the warning and start the wizard. Click _forward_: - -image:Firewall_Wizard.PNG[Firewall Wizard : welcome -screen,title="Firewall Wizard : welcome screen"] - -Choose _System with network access_ to enable the firewall. The other option -_System without network access_ would disable the firewall and don't allow -access to any network. - -image:Firewall_Wizard_2.PNG[Firewall Wizard : network -access?,title="Firewall Wizard : network access?"] - -Next, you have to choose your skill level. 
The *Beginner* options only -allows the configuration of _trusted services_. This option is fine if you only -want to use services like _ftp_, _dns_, _http_, etc. It does not allow you to -configure customs port ranges. If you select *Expert*, you will have access to -firewall options. You can change the skill level later via _Options_ in the -main window. - -image:Firewall_Wizard_3.PNG[Firewall Wizard : -skill?,title="Firewall Wizard : skill?"] - -You can choose from a set of default configurations to start with. The *Server* -template will only enable SSH on the firewall. The _desktop template_ enables -additional ports (_IPsec_, _multicast DNS_, _Network Printing Client_ and -_SSH_). For convenience select *Desktop* and continue: - -image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration -base?,title="Firewall Wizard : configuration base?"] - -To enable additional _trusted services_ just choose the services from the list. - -image:Firewall_Wizard_5.PNG[Firewall Main interface : -enabled,title="Firewall Main interface : enabled"] - -You can add custom rules after choosing *Other ports* from the side bar. Click -the *Add* button and either choose form services list on the right or tick -*User Defined* and fill in the requested information. - -image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports -rules.,title="Firewall GUI : edit other ports rules."] - -The other options in the sidebar *Trusted Interfaces*, *Masquerading*, *Port -Forwarding* and so on work exactly as in the text based interface. - -When you finished the configuration, click *Apply* to save and activate the -firewall. diff --git a/modules/ROOT/pages/_partials/iptables-tui.adoc b/modules/ROOT/pages/_partials/iptables-tui.adoc deleted file mode 100644 index c9803ad..0000000 --- a/modules/ROOT/pages/_partials/iptables-tui.adoc +++ /dev/null 
@@ -1,98 +0,0 @@ -= Text-based User Interface - -There are two ways to manage iptables rules using a text-based user -interface. These are `setup` and `system-config-firewall-tui`. If you start -`setup`, you will see something similar to the following: - -image:Firewall-tui.PNG[setup menu -utility,title="setup menu utility",width=700] - -If you select "Firewall configuration" you will see the screen below. You could -also invoke `system-config-firewall-tui`. This will take you directly to the -same screen. Make sure that "Firewall" is enabled, otherwise you cannot edit its -rule set. Continue by selecting "Customize": - -image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First -screen.,title="Firewall Configuration by TUI. First screen.",width=700] - -There is a good chance, that a service you want to modify is part of the -list of standard "trusted services". Select the services you want to -trust (i.e. open their ports) and press "Forward". (This has to be read as -"next", it has nothing to do with port forwarding): - -image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with -firewall tui -interface.,title="Editing trusted service with firewall tui interface.",width=700] - -The "Other ports" menu lets you open additional ports which are not in the list -of standard trusted services: - -image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall -configuration by TUI -interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700] - -To add other ports, specify one port or a port range. Choose between -_tcp_ and _udp_ for the protocol. The port range format is: _beginningPort -- endingPort_. - -The "Trusted interfaces" menu allows you to trust all traffic on a network -interface. All traffic will be allowed and the port filtering rules will -never apply. You should only select interfaces which face private -networks. 
Never trust an interface that deals with traffic from networks which -are not under your full control. - -image:Firewall_TUI_trusted_interfaces.PNG[Trusted -interfaces.,title="Trusted interfaces.",width=700] - -The masquerading menu lets you select an interface to be masqueraded. -Masquerading is better known as -*https://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network -Address Translation). It is useful, to setup your computer as a gateway -between different networks: - -image:Firewall_TUI_masquerading.PNG[Firewall TUI interface : -masquerading.,title="Firewall TUI interface : masquerading.",width=700] - -Port forwarding, also known as -*https://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]* -(Port Address Translation), permits traffic from one port to be "rerouted" to -another port. - -image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface : -configuring Port -Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700] - -You have to specify source and destination, as well as the interface and protocol -accordingly: - -image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port -forwarding -rules.,title="Firewall TUI : adding port forwarding rules.",width=700] - -The ICMP Filter menu lets you reject various types of ICMP packets. By -default, no limitations are made. You may define rules to reject -ICMP traffic, define the return type to ICMP request, etc. - -image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP -behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700] - -Finally, you can add custom firewall rules. These must be prepared ahead -of time in files that use the same format for the command line interface. - -image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom -rules.,title="Firewall TUI: create custom rules.",width=700] - -For adding custom rules you have specify the protocol (i.e. 
_ipv4_ or -_ipv6_) and the table you want your rules add to (_filter_, _mangle_, _nat_,...) -and - of course - the file containing your rules: - -image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom -rules.,title="Firewall TUI: adding a custom rules.",width=700] - -When you have completed all menus, choose "Close" to resume to the first screen. -Select "OK" and confirm your changes by choosing "Yes". If you choose "No" you -will get back the configuration screen with no changes applied to your -firewall. - -image:Firewall_TUI_Warning.PNG[Firewall TUI -warning.,title="Firewall TUI warning.",width=700] diff --git a/modules/ROOT/pages/how-to-edit-iptables-rules.adoc b/modules/ROOT/pages/how-to-edit-iptables-rules.adoc index 423e890..ffa4e99 100644 --- a/modules/ROOT/pages/how-to-edit-iptables-rules.adoc +++ b/modules/ROOT/pages/how-to-edit-iptables-rules.adoc 
@@ -1,14 +1,23 @@ = How to edit iptables rules -In this how-to, we will illustrate three ways of editing iptables rules, via: +.Outdated information +[CAUTION] +==== +A newer, more flexible access control service, firewalld, +is now the default firewall manager for Fedora/CentOS. +For most regular users' needs, +firewalld has eliminated the need to edit iptables rules directly. -* Command line interface (CLI): `iptables` and system configuration file `/etc/sysconfig/iptables`. -* Text-based interfaces (TUI): `setup` or `system-config-firewall-tui` -* Graphical user interface(GUI): `system-config-firewall` +You may wish to read the <> Quick Doc instead of this document, +as the information provided here is no longer current. +It is preserved mainly for historical interest. +==== -NOTE: This how-to illustrates editing existing iptables rules, not the -initial creation of rules chains. +In this how-to, we will illustrate how to edit iptables rules +using the `iptables` command and the system configuration file +`/etc/sysconfig/iptables`. + +NOTE: This how-to illustrates editing existing iptables rules, +not the initial creation of rules chains. include::{partialsdir}/iptables-cli.adoc[leveloffset=+1] -include::{partialsdir}/iptables-tui.adoc[leveloffset=+1] -include::{partialsdir}/iptables-gui.adoc[leveloffset=+1]
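Review bot: Deleting `_partials/iptables-gui.adoc` also drops the introductory list of third-party frontends (fwbuilder, Shorewall, Turtle firewall project, IPmenu), which is not tied to `system-config-firewall` and so is not covered by the commit message's rationale; if any of those projects are still maintained, consider moving that list into the remaining page rather than losing it with the partial. If it is kept, the `link:` macros need repair first, since entries like `link:http://www.fwbuilder.org/_fwbuilder[fwbuilder]` have the link text folded into the URL.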
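Review bot: The removed `_partials/iptables-tui.adoc` contained guidance that is independent of the TUI tool and may not exist in the retained CLI partial: the caveat under "Trusted interfaces" that trusting an interface bypasses every port filtering rule and should only be done for interfaces facing networks under your full control, plus the explanations that masquerading is NAT and port forwarding is PAT. Please check that `iptables-cli.adoc` carries the trusted-interface warning before this file is gone, since it applies just as much to rules written with the `iptables` command.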
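Review bot: The cross-reference in the new caution box appears with no target in the hunk (`You may wish to read the <> Quick Doc instead of this document,`), so the link to the "Using firewalld" quick doc that the commit message promises is not visibly wired up; either the `xref:` was lost or the angle brackets were mangled, so please confirm the rendered page actually links to that doc. It would also help readers if the box said from which Fedora release firewalld has been the default, since "is now the default" will itself go stale. The retained `include::` of `iptables-cli.adoc` and the removal of the TUI and GUI includes are consistent with the two deleted partials.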