@Simon<br>When you switch off IPTables, it implies there are no rules rather no packet filtering taking place and as such anyone who knows what he/she doing will most definitely turn your system into what they want depending on open ports as well as publicly available services running on the server.<br>
<br>Assuming you are not running any of the bundled firewall Os&#39;s you could start by setting up a virtualbox on your machine and create a virtual network with one of the VM objects being the firewall from there you could do all sorts of tests and scenarios while documenting results. The best scenario is what you implement, by first flushing out your current IPTables settings then build it again.<br>
<br>Another thing, stop all services you dont require in your server as well as SELinux, that combination is not very good.<br><br><a href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables</a><br>
<br>Would be a good place to start<br><br><br><div class="gmail_quote">On Sat, Sep 18, 2010 at 11:07 AM, Simon Mbuthia <span dir="ltr">&lt;<a href="mailto:simon.mbuthia@gmail.com">simon.mbuthia@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Good points... but something that I was fearing has come to happen.<br><br>I got to the office this morning after disabling iptables yesternight to find that clients could not access the internet. On talking to guys at our ISP, they said that they could reach our public IP. We could not reach our firewall&#39;s gateway... right then I knew it was something to do with iptables... so I ran service iptables status and there were no rules in iptables. vi /etc/sysconfig/iptables showed that the rules were intact in the file, so I restarted iptables and enabled SELinux.</blockquote>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> But I noticed that every 6 or so minutes, iptables would fail again. I suspect that my Linux box could be compromised. I only had ports 22, 80 and stunnel listening at 20000 accessible from the outside world. So far I have added an entry to crontab that restarts iptables every 5 minutes while I &quot;investigate&quot;. What could have happened to my iptables?<br>



<br><br>A concerned me....<div><div></div><div class="h5"><br><br><div class="gmail_quote">On 17 September 2010 18:22, [ Brainiac ] <span dir="ltr">&lt;<a href="mailto:arebacollins@gmail.com" target="_blank">arebacollins@gmail.com</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I evaluated these and had a breeze of a time with clear os and psense,<br>
but as accurately indicated, iptables are as good as you set them.<br>
<div><br>
On Friday, September 17, 2010, Nd&#39;wex Common &lt;<a href="mailto:flexycat@gmail.com" target="_blank">flexycat@gmail.com</a>&gt; wrote:<br>
&gt; @Simon<br>
&gt;<br>
&gt; For starters, enabling SELinux will indeed give you some sleepless nights and would be best if you disabled it.<br>
&gt; The security of your system/network is dependent on how well you configure iptables.<br>
&gt;<br>
&gt; Zentyal and other bundled network management systems eg ClearOS [based on centos also web-based interface] can be good admin. products but you need to fully understand what they can do and what they cannot with relation to your needs.<br>




&gt;<br>
&gt; my thoughts<br>
&gt;<br>
&gt; On Fri, Sep 17, 2010 at 3:50 PM, Simon Mbuthia &lt;<a href="mailto:simon.mbuthia@gmail.com" target="_blank">simon.mbuthia@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Hi guys,<br>
&gt;<br>
&gt; I have been running a CentOS firewall for a few months, but it seems to me like the machine is posessed by something. All of a sudden no port is open from outside except ssh which I&#39;d like to be accessible only from within my LAN. The problem is SELINUX. I&#39;m a bit apprehensive about disabling SELINUX [and only use iptables] though I don&#39;t know what security risks I&#39;d be exposing myself to by so doing - if any. Thanks to one skunkmaster Jangita, I have learnt about Zentyal, a Ubuntu/Debian-based ... thingie that comes bundled with a number of services [firewall, IDS etc] which can be administered thru a sleek web-based interface.<br>




&gt;<br>
&gt; My question/s is/are: would it be safe for me to use iptables only and disable SELINUX? Is Zentyal formidable enough to use as a security solution for a small business network? And why does SELinux have to be such a pain in the neck???<br>




&gt;<br>
&gt;<br>
&gt;<br>
&gt; Me.<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; Skunkworks mailing list<br>
&gt; <a href="mailto:Skunkworks@lists.my.co.ke" target="_blank">Skunkworks@lists.my.co.ke</a><br>
&gt; <a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks</a><br>
&gt; ------------<br>
&gt; Skunkworks Server donations spreadsheet<br>
</div>&gt; Skunkworks Server Harambee &lt;<a href="http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en" target="_blank">http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en</a>&gt;<br>




<div>&gt; ------------<br>
&gt; Skunkworks Rules<br>
&gt; <a href="http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94" target="_blank">http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94</a><br>
&gt; ------------<br>
&gt; Other services @ <a href="http://my.co.ke" target="_blank">http://my.co.ke</a><br>
&gt;<br>
&gt;<br>
<br>
</div>--<br>
Regards,<br>
<br>
Collins Areba.<br>
Strategic Operations.<br>
Center for Renewable Alternatives<br>
Old Ferry Road, off Msa Malindi Rd,<br>
Kilifi, Kenya.<br>
+254 720 516758<br>
+254 734 696821<br>
skype/gtalk/twitter: arebacollins<br>
<br>
*Solar    *|   * Wind   *| *   Waves *  |  * Biomass *<br>
<div><div></div><div>_______________________________________________<br>
Skunkworks mailing list<br>
<a href="mailto:Skunkworks@lists.my.co.ke" target="_blank">Skunkworks@lists.my.co.ke</a><br>
<a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks</a><br>
------------<br>
Skunkworks Server donations spreadsheet<br>
<a href="http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en" target="_blank">http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en</a><br>




------------<br>
Skunkworks Rules<br>
<a href="http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94" target="_blank">http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94</a><br>
------------<br>
Other services @ <a href="http://my.co.ke" target="_blank">http://my.co.ke</a></div></div></blockquote></div><br>
</div></div><br>_______________________________________________<br>
Skunkworks mailing list<br>
<a href="mailto:Skunkworks@lists.my.co.ke">Skunkworks@lists.my.co.ke</a><br>
<a href="http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks" target="_blank">http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks</a><br>
------------<br>
Skunkworks Server donations spreadsheet<br>
<a href="http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en" target="_blank">http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1fbjAwOUE&amp;hl=en</a><br>

------------<br>
Skunkworks Rules<br>
<a href="http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94" target="_blank">http://my.co.ke/phpbb/viewtopic.php?f=24&amp;t=94</a><br>
------------<br>
Other services @ <a href="http://my.co.ke" target="_blank">http://my.co.ke</a><br></blockquote></div><br>