Archive for March, 2011

Linux: iptables rules for different services

Sunday, March 20th, 2011

Below is the configuration for an NFS server. Pin the RPC helper daemons to fixed ports so they can be matched by firewall rules:

 vi /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Now restart the services:

# service portmap restart
# service nfs restart
# service rpcsvcgssd restart

Now add the rules to iptables (these match the fixed ports above, plus portmapper on 111 and nfsd on 2049, for clients in 192.168.2.0/24):

-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
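Because the port numbers live in two places (/etc/sysconfig/nfs and the iptables rule set), they can drift apart after an edit and a mount silently fails or a port is left unprotected. The script below is an added example, not part of the original post: it derives the inbound proto/port pairs from an /etc/sysconfig/nfs-style file (plus the fixed 111 and 2049 ports) and reports any pair that has no ACCEPT rule. The chain name, rule format and client network come from the post; the config text and rule list are constructed samples, with the 662/udp rule deliberately left out so the check has something to find. STATD_OUTGOING_PORT is treated as a source port for statd's outgoing calls and is not expected to have an inbound rule.

```shell
#!/bin/sh
# Added example (not from the original post): audit iptables rules against
# the fixed NFS ports in an /etc/sysconfig/nfs-style file.

# Constructed sample of /etc/sysconfig/nfs, same values as the post.
SAMPLE_NFS_CONF='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020'

# Constructed sample rule list; the 662/udp rule is intentionally missing.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# required_ports <config-text>
# Prints one "proto/port" pair per line. Portmapper (111) and nfsd (2049/tcp)
# are fixed by the protocol; the rest are read from the config. LOCKD has
# separate tcp and udp ports; mountd, rquotad and statd listen on both
# protocols on one port. STATD_OUTGOING_PORT is a source port and is ignored.
required_ports() {
  printf '%s\n' "$1" | awk -F= '
    /^[[:space:]]*#/ || NF < 2 { next }
    $1 == "LOCKD_TCPPORT" { print "tcp/" $2 }
    $1 == "LOCKD_UDPPORT" { print "udp/" $2 }
    $1 == "MOUNTD_PORT" || $1 == "RQUOTAD_PORT" || $1 == "STATD_PORT" {
      print "tcp/" $2; print "udp/" $2
    }
    END { print "tcp/111"; print "udp/111"; print "tcp/2049" }
  '
}

# missing_rules <config-text> <rules-text>
# Prints every required proto/port pair that has no matching ACCEPT rule.
# The trailing " -j" in the pattern keeps "--dport 662" from matching 6620.
missing_rules() {
  rules=$2
  required_ports "$1" | while IFS=/ read -r proto port; do
    printf '%s\n' "$rules" | grep -q -e "-p $proto .*--dport $port -j ACCEPT" \
      || echo "$proto/$port"
  done
}

# Stand-alone usage: report the gap in the constructed sample (prints udp/662).
missing_rules "$SAMPLE_NFS_CONF" "$SAMPLE_RULES"
```

On a live host the same check runs against the real files: `missing_rules "$(cat /etc/sysconfig/nfs)" "$(iptables-save)"`. An empty result means every pinned port has a rule; anything printed is a port the clients in 192.168.2.0/24 cannot reach, or one you meant to restrict and forgot.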

SELinux commands for services

Saturday, March 5th, 2011

(a) SELinux requirements for NIS clients

setsebool -P allow_ypbind=1 ypbind_disable_trans=1 yppasswdd_disable_trans=1

Use the getsebool command to verify:

getsebool allow_ypbind ypbind_disable_trans yppasswdd_disable_trans

allow_ypbind --> on
ypbind_disable_trans --> on
yppasswdd_disable_trans --> on

(b) SELinux for vsftpd

getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

Allow users to read and write their own home directories over FTP:

setsebool -P ftp_home_dir 1
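A `getsebool -a | grep ftp` listing is only useful if you compare it against the state you intended, since a boolean set without -P or changed by someone else will not announce itself. The script below is an added example, not part of the original post: it reads captured getsebool output, compares it against a baseline (ftp_home_dir on, every other vsftpd boolean off, as in the post) and prints the single `setsebool -P` command that corrects any drift. The boolean names and the "name --> value" output format are the ones shown above; the captured output is a constructed sample in which allow_ftpd_full_access has been turned on. The same functions work for any boolean set, given a matching baseline.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the
# running SELinux booleans and a desired baseline, and build the fix command.

# Constructed sample of `getsebool -a | grep ftp` on a host where someone
# has enabled full access (a setting the post leaves off).
SAMPLE_GETSEBOOL='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off'

# Desired state: only ftp_home_dir on, as in the post; everything else off.
FTP_BASELINE='allow_ftpd_anon_write=off
allow_ftpd_full_access=off
allow_ftpd_use_cifs=off
allow_ftpd_use_nfs=off
ftp_home_dir=on
httpd_enable_ftp_server=off
tftp_anon_write=off'

# sebool_drift <getsebool-output> <baseline>
# Prints "name current->wanted" for each boolean whose value differs from the
# baseline, and "name missing->wanted" for a baseline boolean absent from the
# output (which usually means the policy module is not loaded).
sebool_drift() {
  printf '%s\n' "$1" | awk -v baseline="$2" '
    BEGIN {
      n = split(baseline, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], kv, "=")
        want[kv[1]] = kv[2]
      }
    }
    # getsebool prints: <name> --> <on|off>
    $2 == "-->" && ($1 in want) {
      seen[$1] = 1
      if ($3 != want[$1]) print $1, $3 "->" want[$1]
    }
    END {
      for (b in want) if (!(b in seen)) print b, "missing->" want[b]
    }
  '
}

# sebool_fix_command <getsebool-output> <baseline>
# Builds one persistent setsebool invocation that corrects every drifted
# boolean, or prints nothing when the host already matches the baseline.
sebool_fix_command() {
  args=$(sebool_drift "$1" "$2" \
    | awk '{ split($2, a, "->"); printf " %s=%s", $1, a[2] }')
  if [ -n "$args" ]; then
    echo "setsebool -P$args"
  fi
}

# Stand-alone usage on the constructed sample:
# prints "setsebool -P allow_ftpd_full_access=off ftp_home_dir=on"
sebool_fix_command "$SAMPLE_GETSEBOOL" "$FTP_BASELINE"
```

On a live host, feed it real output: `sebool_fix_command "$(getsebool -a)" "$FTP_BASELINE"`. The command is printed rather than executed so it can be reviewed first; the -P flag matters, because a boolean set without it reverts on the next reboot and the drift check would flag it again.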

(c) SELinux for Samba shares

If you want to share /data via Samba, label the tree with the samba_share_t type:

chcon -R -t samba_share_t /data

If you want to share home directories:

setsebool -P samba_enable_home_dirs 1