What is SELinux and what is iptables? What is the difference between the two?
SELinux
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory
access control architecture in the Linux operating system. The SELinux architecture
provides general support for the enforcement of many kinds of mandatory access
control policies, including those based on the concepts of Type Enforcement, Role-Based
Access Control, and Multi-Level Security. Background information and technical
documentation about SELinux can be found at http://www.nsa.gov/research/selinux.
The /etc/selinux/config configuration file controls whether SELinux is enabled or
disabled, and if enabled, whether SELinux operates in permissive mode or enforcing
mode. The SELINUX variable may be set to any one of disabled, permissive, or
enforcing to select one of these options. The disabled option completely disables the
SELinux kernel and application code, leaving the system running without any SELinux
protection. The permissive option enables the SELinux code, but causes it to operate
in a mode where accesses that would be denied by policy are permitted but audited.
The enforcing option enables the SELinux code and causes it to enforce access denials
as well as auditing them. Permissive mode may yield a different set of denials than
enforcing mode, both because enforcing mode will prevent an operation from
proceeding past the first denial and because some application code will fall back to a
less privileged mode of operation if denied access.
The /etc/selinux/config configuration file also controls which policy is active on the
system. SELinux allows multiple policies to be installed, but only one policy may be
active at any given time. Several kinds of policy exist, for example targeted and mls.
The targeted policy is designed so that most user processes operate without restrictions
and only specific services are placed into distinct security domains confined by the
policy: a user's login shell runs in the unconfined domain, while the named or httpd
daemon runs in a domain tailored to its operation. The MLS (Multi-Level Security)
policy partitions all processes into fine-grained security domains and confines every
one of them. MLS also supports the Bell-LaPadula model, where processes are confined
not only by type but also by the sensitivity level of the data.
You choose the policy by setting the SELINUXTYPE variable in /etc/selinux/config (it is
a setting in that file, not an environment variable). Changing the policy type requires
a reboot and normally a full filesystem relabel (create the file /.autorelabel before
rebooting) for the change to take effect. The policy files for each type must be
installed under the /etc/selinux/{SELINUXTYPE}/ directory.

A given SELinux policy can be customized further based on a set of compile-time
tunable options and a set of runtime policy booleans. system-config-selinux allows
customization of these booleans and tunables.

Many domains that are protected by SELinux also include SELinux man pages
explaining how to customize their policy.
IPtables
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in
the Linux kernel. Several different tables may be defined. Each table contains a
number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what
to do with a packet that matches. This is called a target, which may be a jump to a
user-defined chain in the same table.
Differences
SELinux is a mandatory access control layer inside the host: it decides which
processes (domains) may touch which files, ports and other objects according to a
policy loaded into the kernel. Standard Linux access controls, such as file modes
(-rwxr-xr-x), are discretionary: the owner and any program running as the owner can
change them, whereas SELinux decisions come from the loaded policy and cannot be
altered by careless users or misbehaving applications.
iptables is the user-space front end to the kernel's IPv4 packet filter: it decides
which packets may enter, leave or transit the host, using tables of chains and rules.
The two are complementary. iptables controls what reaches the host from the network;
SELinux controls what a process may do once it is running, whatever the packet that
started it.

What are the modes of SELinux?

Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy
rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials
are logged for actions that would have been denied if running in enforcing mode.
Disabled: SELinux is disabled. Only DAC rules are used.
Use the /usr/sbin/setenforce command to change between enforcing and permissive
mode. Changes made with /usr/sbin/setenforce do not persist across reboots. To
change to enforcing mode, as the Linux root user, run the /usr/sbin/setenforce 1
command. To change to permissive mode, run the /usr/sbin/setenforce 0 command.
Use the /usr/sbin/getenforce command to view the current SELinux mode.

What does sealert do, and what does semanage do? Explain the usage of both.
Sealert is the user interface component (either GUI or command line) to the
setroubleshoot system. setroubleshoot is used to diagnose SELinux denials and
attempts to provide user friendly explanations for a SELinux denial (e.g. AVC) and
recommendations for how one might adjust the system to prevent the denial in the
future.
In a standard configuration setroubleshoot is composed of two components,
setroubleshootd and sealert.

sealert can be run in either a GUI mode or a command line mode. In both cases
sealert runs as a user process with the privileges of that user. In GUI mode it
attaches to a setroubleshootd server instance and listens for notifications of new
alerts. When a new alert arrives it notifies the desktop user via the status icon
area; clicking the notification opens an alert browser. In addition to the current
alert, sealert communicates with the setroubleshootd daemon to access all prior alerts
stored in the setroubleshoot database. From the command line, sealert -a
/var/log/audit/audit.log analyses every AVC in the log and sealert -l <id> prints a
single alert by the id that setroubleshoot logged for it.
semanage is used to configure certain elements of SELinux policy without modifying
or recompiling the policy sources. This includes the mapping from Linux usernames to
SELinux user identities (which controls the initial security context assigned to Linux
users when they log in and bounds their authorized role set) as well as security
context mappings for various kinds of objects, such as network ports (semanage port),
interfaces, nodes (hosts), and the file context mapping (semanage fcontext, applied
with restorecon); the EXAMPLES section of semanage(8) shows common usage. Note that
semanage login deals with the mapping from Linux usernames (logins) to SELinux user
identities, while semanage user deals with the mapping from SELinux user identities
to authorized role sets. In most cases only the former mapping needs to be adjusted
by the administrator; the latter is principally defined by the base policy and
usually does not require modification.
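The following is an added example, not from the original page or the setroubleshoot project, of the first step sealert performs: it reads AVC lines out of the audit log, extracts the source domain, denied permission, target type and object class from each one, and maps three common denial shapes to the setsebool or semanage command that resolves them. The three audit lines, the pids and file names are constructed for this example; on a real host the input is ausearch -m avc or /var/log/audit/audit.log.

```shell
#!/bin/bash
# Added example (not from the original page or the setroubleshoot project): the
# first step sealert performs, done by hand in shell. Audit lines go in, one
# summary per AVC denial comes out, and three common denial shapes are mapped to
# the setsebool/semanage command that resolves them. The three audit lines, the
# pids and the file names below are constructed for this example; on a real host
# the input is `ausearch -m avc` or /var/log/audit/audit.log.

AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.789:458): avc:  denied  { write } for  pid=3456 comm="vsftpd" name="incoming" dev="dm-0" ino=4242 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir permissive=1'

# summarize_avc: audit lines on stdin -> one line per denial:
#   <source type> <permission(s)> <target type> <class> <port or -> <enforcing|permissive>
summarize_avc() {
  awk '
    /avc:  denied/ {
      perm = ""; stype = ""; ttype = ""; tclass = ""; port = "-"; mode = "enforcing"
      # the denied permission(s) sit between the braces: "{ read write }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:TYPE:level; the type is what policy rules key on
        if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        if ($i ~ /^src=/)      port = substr($i, 5)
        if ($i == "permissive=1") mode = "permissive"   # logged but not blocked
      }
      print stype, perm, ttype, tclass, port, mode
    }'
}

# suggest_fix <stype> <perm> <ttype> <tclass> <port>: the remedy for three shapes
# that setroubleshoot also recognises; anything else gets the generic advice.
# <dir> and <alert-id> are placeholders the operator fills in.
suggest_fix() {
  local stype=$1 perm=$2 ttype=$3 tclass=$4 port=$5
  case "$stype/$ttype/$tclass/$perm" in
    httpd_t/user_home_t/file/*)
      echo "setsebool -P httpd_enable_homedirs on" ;;
    httpd_t/unreserved_port_t/tcp_socket/name_bind)
      echo "semanage port -a -t http_port_t -p tcp $port" ;;
    ftpd_t/public_content_t/dir/write)
      echo "semanage fcontext -a -t public_content_rw_t '<dir>(/.*)?' && restorecon -Rv <dir> && setsebool -P allow_ftpd_anon_write on" ;;
    *)
      echo "sealert -l <alert-id>   # or: ausearch -m avc | audit2allow -w" ;;
  esac
}

# Driver: triage every denial in the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc | while read -r stype perm ttype tclass port mode; do
  printf '%-12s %s denied %s on %s (%s)\n    -> %s\n' "[$mode]" "$stype" "$perm" "$ttype" "$tclass" \
    "$(suggest_fix "$stype" "$perm" "$ttype" "$tclass" "$port")"
done
```

The permissive=1 field on the third line is the detail the page's description of permissive mode hinges on: the denial was logged but the write went through, which is why a permissive run can show a different (usually longer) list of denials than an enforcing one.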

What does setsebool do, and what does getsebool do?

setsebool sets the current state of a particular SELinux boolean or a list of booleans to
a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or
off to disable it.
Without the -P option, only the current boolean value is affected; the boot-time default
settings are not changed.
If the -P option is given, all pending values are written to the policy file on disk,
so they persist across reboots.
If the -V option is given, verbose error messages are printed from the semanage
libraries.
getsebool reports whether a particular SELinux boolean, or all SELinux booleans (-a),
are on or off. In certain situations a boolean can be in one state with a pending
change to the other state; getsebool reports this as a pending change. The pending
value is the value that will be applied upon the next boolean commit.
The setting of boolean values occurs in two stages; first the pending value is changed,
then the booleans are committed, causing their active values to become their pending
values. This allows a group of booleans to be changed in a single transaction, by
setting all of their pending values as desired and then committing once.

I'm using FTP and I'm not able to see/access user home directories. How will I
fix this?
setsebool -P ftp_home_dir on
-P makes the change survive a reboot; getsebool ftp_home_dir confirms it took effect.

In FTP, I'm not able to write as an anonymous user. How will I fix this?
setsebool -P allow_ftpd_anon_write on
On newer policies the boolean is named ftpd_anon_write; getsebool -a shows which name
exists. The boolean alone is not enough: the upload directory must also carry the
public_content_rw_t file context (set with semanage fcontext and restorecon), otherwise
vsftpd still receives an AVC denial on the write.

How can I change SELinux from enforcing to permissive or disabled on the fly?
setenforce 0
switches the running system to permissive; setenforce 1 switches back to enforcing.
Disabled cannot be selected on the fly: it requires SELINUX=disabled in
/etc/selinux/config and a reboot, and returning to enforcing afterwards needs a full
relabel, because files created while SELinux was disabled carry no label.

What change do I need to make in SELinux to make my Linux system a router?
None. Forwarding packets between interfaces is a kernel networking function, turned on
with net.ipv4.ip_forward = 1 in /etc/sysctl.conf (sysctl -w net.ipv4.ip_forward=1 for
the running kernel) together with iptables FORWARD and nat rules; SELinux policy does
not restrict it. The commonly given answer, SELINUX=disabled in /etc/selinux/config,
is not required for routing and throws away all SELinux protection on the host.

What chains are available in iptables? Where is the config file of iptables located?
The filter table (the default) has the built-in chains INPUT, OUTPUT and FORWARD. The
nat table has PREROUTING, OUTPUT and POSTROUTING, and the mangle table has all five;
user-defined chains can be added to any table with iptables -N.
On Red Hat style systems the saved rules live in /etc/sysconfig/iptables (written by
service iptables save and loaded by service iptables start).
/etc/sysconfig/iptables-config holds the init script's options, for example
IPTABLES_SAVE_ON_STOP, not the rules themselves. Debian-based systems have no default
rules file; use iptables-save and iptables-restore.

Write a rule to allow communication on port 3260
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3260 -j ACCEPT
3260 is the iSCSI target port; the rule admits new inbound TCP connections to it.
Return traffic is covered by an ESTABLISHED,RELATED rule, which should sit above it.

Write a rule to allow communication on port 80 from the 10.1.1.0/16 network
iptables -A INPUT -s 10.1.0.0/16 -m state --state NEW -p tcp --dport 80 -j ACCEPT
10.1.1.0/16 is not a network address; iptables accepts it but masks it to 10.1.0.0/16,
which is what iptables -L will show.

Write a rule to allow all communication to anywhere from the Linux machine
iptables -A OUTPUT -j ACCEPT
or set the chain policy with iptables -P OUTPUT ACCEPT. A pair of rules matching only
ICMP echo-request on OUTPUT and echo-reply on INPUT permits the machine to ping out,
nothing more.

Write a rule to allow all traffic to the machine from outside
iptables -A INPUT -j ACCEPT
or iptables -P INPUT ACCEPT. This leaves the host with no inbound packet filtering at
all, so it is only sensible for troubleshooting. Matching only ICMP echo-request on
INPUT and echo-reply on OUTPUT lets other hosts ping this machine, nothing more.

Write a rule to NAT internal IP addresses to the public IP address when going out
to the Internet
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
where eth0 is the Internet-facing interface (use -j SNAT --to-source <public-ip> when
that address is static). A plain iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT only
permits the packets to transit the box; without the nat rule they leave with their
private source address. Forwarding itself must also be enabled with
net.ipv4.ip_forward=1.

What is the difference between DROP and REJECT in iptables?
DROP silently discards the packet. To peers the host looks switched off or unreachable
because of network problems; connection attempts to TCP services take a long time to
fail, because the client never receives an explicit refusal and keeps retransmitting
until it times out.
REJECT discards the packet but sends an error back to the sender: by default an ICMP
port-unreachable, or a TCP RST with --reject-with tcp-reset. Clients fail immediately,
which is friendlier on an internal network, but every rejected packet costs the
firewall a reply, so on an Internet-facing interface it gives an attacker a cheap way
to confirm the host is up and to burn the firewall's bandwidth and CPU with a flood of
packets that each earn a response.

I misconfigured the iptables rules: a REJECT rule that was supposed to be the last
rule was placed first, and now the machine is not getting any traffic. How will you
fix it?
The REJECT matches every packet before the ACCEPT rules below it are consulted. From
the console (or a session that is still open), either stop the service, which flushes
the rules and sets every chain policy to ACCEPT:
# service iptables stop
or flush the running rules by hand (if the chain policy is DROP, also set it to ACCEPT
with iptables -P INPUT ACCEPT, otherwise the flush alone does not restore traffic):
# iptables -F
Do not run service iptables save at this point: it would overwrite
/etc/sysconfig/iptables with the now-empty ruleset. Instead edit the saved file so that
the REJECT line is the last rule of the chain, then service iptables start (or
iptables-restore < /etc/sysconfig/iptables) to load the corrected rules;
iptables -L -n --line-numbers confirms the order. If the machine is only reachable
over the network, test such changes with a fallback scheduled first, for example a
delayed service iptables stop that you cancel once the new rules prove to work.

How do you review the current rules in iptables?
iptables -L -n -v --line-numbers
-n skips DNS lookups, -v shows interfaces and packet/byte counters, and --line-numbers
gives the rule numbers that -I and -D use. This lists only the filter table; add -t nat
or -t mangle for the others, or run iptables-save to dump every table in one go.

How do you add a rule at a specific position in the iptables rules, and how do you
delete a certain rule from iptables?
Insert with -I and a rule number: iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
puts the rule in position 4 of the INPUT chain (omitting the number inserts at the top,
whereas -A appends at the bottom). Delete by number, iptables -D INPUT 4, after finding
the number with iptables -L INPUT -n --line-numbers (4 is the rule's position within
the chain, not a chain number), or by repeating the exact rule specification:
iptables -D INPUT -p tcp --dport 443 -j ACCEPT.

How do you take a backup of the iptables rules, and how do you flush a certain chain?
Backup: iptables-save > /root/iptables.bak (restore later with
iptables-restore < /root/iptables.bak), or service iptables save, which writes the
running rules to /etc/sysconfig/iptables. Flush a single chain: iptables -F INPUT;
iptables -F with no chain name flushes every chain of the table. Take the backup before
flushing. The sequence service iptables stop followed by service iptables save, often
given as the answer, saves the empty ruleset and destroys the backup.

Explain the following command: iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
It appends (-A) a rule to the OUTPUT chain that silently drops (-j DROP) every ICMP
echo-request packet the machine itself tries to send: the host can no longer ping
anything. Inbound echo requests are not affected, so other hosts can still ping it.

Write a rule to allow traffic on a range of ports, 500 to 550.
iptables -A INPUT -p tcp --dport 500:550 -j ACCEPT
The range is written low:high (-500:500 is invalid). A matching OUTPUT rule with
--sport 500:550 is only needed when the OUTPUT policy is DROP; the usual way to let
replies out is a single -m state --state ESTABLISHED,RELATED -j ACCEPT rule. Add the
same rule with -p udp if the service also uses UDP (port 500 is ISAKMP/IKE, which does).

What is masquerade in iptables? Explain.


Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to
communicate with each other; however they still cannot communicate externally to the
Internet.
To allow LAN nodes with private IP addresses to communicate with external public
networks, configure the firewall for IP masquerading, which masks requests from LAN
nodes with the IP address of the firewall's external device (in this case, eth0):
[root@10.0.8.250 ~ ] # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule uses the NAT packet matching table (-t nat) and specifies the built-in
POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking
device (-o eth0).
POSTROUTING allows packets to be altered as they are leaving the firewall's external
device.
The -j MASQUERADE target is specified to mask the private IP address of a node with
the external IP address of the firewall/gateway.
This target is only valid in the nat table, in the POSTROUTING chain. It should only be
used with dynamically assigned IP (dialup) connections: if you have a static IP address,
you should use the SNAT target. Masquerading is equivalent to specifying a mapping to
the IP address of the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down. This is the correct behaviour
when the next dialup is unlikely to have the same interface address (and hence any
established connections are lost anyway). It takes the following options:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source
port-selection heuristics (see the SNAT target in iptables(8)). This is only valid if
the rule also specifies -p tcp or -p udp.
--random
Randomize source port mapping (kernel >= 2.6.21).
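As an added example, not from the page or any vendor documentation, of the router and NAT questions above: the whole change in one script, the ip_forward sysctl, a FORWARD chain that only lets the LAN initiate connections, and the MASQUERADE rule, written in iptables-restore(8) format so it can be reviewed before it is loaded. The interface names eth0/eth1, the 192.168.10.0/24 LAN and the /etc/sysconfig/iptables path are assumptions; no SELinux change appears because none is needed.

```shell
#!/bin/bash
# Added example (not from the original page): the complete change that makes a
# two-interface Linux host a NAT router. No SELinux change is part of it; the real
# switch is net.ipv4.ip_forward. Assumptions for this example: eth0 faces the
# Internet, eth1 faces a 192.168.10.0/24 LAN (override with WAN=, LAN=, LAN_NET=),
# and /etc/sysconfig/iptables is the Red Hat location of the saved rules. Nothing
# is applied unless the script runs as root with --apply; by default it only prints
# the ruleset in iptables-restore(8) format so it can be reviewed first.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}

# router_ruleset: print the filter and nat tables for the router.
router_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the router itself: loopback, replies to its own connections, ssh from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# transit traffic: the LAN may open connections to the Internet, the Internet only replies
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the private source address to the current address of the outgoing interface;
# with a fixed public IP, "-j SNAT --to-source <ip>" skips the lookup on each new connection
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# apply_router: enable forwarding now and at boot, then load the rules atomically.
apply_router() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_router: must run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1
  if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
    sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
  else
    echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  fi
  router_ruleset | iptables-restore
  router_ruleset > /etc/sysconfig/iptables   # what `service iptables start` reloads
}

case "${1:-}" in
  --apply) apply_router ;;
  *)       router_ruleset ;;
esac
```

Run without arguments to print the ruleset and read it; run as root with --apply to load it. The FORWARD policy is DROP, so hosts on the Internet cannot open connections to the LAN through the router even though the nat table rewrites addresses in both directions for established flows.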

I want to log all the traffic that is coming into my machine. How can I do it
through iptables?
iptables -A INPUT -j LOG
LOG is a non-terminating target: it writes the packet headers to the kernel log
(dmesg, /var/log/messages or journalctl -k) and processing continues with the next
rule. Because -A appends, a LOG rule added below existing ACCEPT rules only sees the
packets those rules did not already accept; use -I INPUT 1 to log everything. In
practice add -m limit --limit 5/min and --log-prefix "IN: " so that a flood cannot fill
the disk and the lines are easy to grep. The same applies to iptables -A OUTPUT -j LOG
and iptables -A FORWARD -j LOG for traffic leaving or transiting the host.
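The port rules (3260, port 80 from the /16, 500 to 550), the LOG rule and the "REJECT placed first" lock-out above all come down to rule order. The script below is an added example, not from the original page: it writes the host's INPUT chain in iptables-restore(8) format in the order that works, and includes a check that refuses any ruleset in which a catch-all DROP/REJECT is followed by more rules. The ssh port kept open, the /etc/sysconfig/iptables path and the bad ruleset used to demonstrate the check are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original page): the host rules asked for above
# (3260, port 80 from the /16, 500 to 550, logging) as one iptables-restore(8)
# ruleset in the order that avoids the lock-out described earlier, plus a check
# that refuses any ruleset in which a catch-all REJECT/DROP is not the last rule
# of its chain. Assumptions: sshd on tcp/22 must stay reachable, the path
# /etc/sysconfig/iptables is the Red Hat location, and nothing is applied unless
# the script runs as root with --apply.

host_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. cheap, broad accepts first: loopback and replies to established flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# 2. the services actually offered (NEW connections only)
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 3260 -m state --state NEW -j ACCEPT
-A INPUT -s 10.1.0.0/16 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 500:550 -m state --state NEW -j ACCEPT
# 3. LOG is non-terminating, so it sits right before the catch-all and is rate-limited
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IN-REJECT: " --log-level 4
# 4. the catch-all MUST be last; anything appended below it is never reached
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# catchall_not_last: read an iptables-save style ruleset on stdin; print every
# chain in which an unconditional DROP/REJECT (no match expression at all) is
# followed by further rules, and exit 1 if there is any. Exit 0 otherwise.
catchall_not_last() {
  awk '
    /^-A / {
      chain = $2
      if ($0 ~ /^-A [A-Za-z0-9_-]+ -j (DROP|REJECT)( --reject-with [a-z-]+)?$/)
        catchall[chain] = 1
      else if (catchall[chain])
        shadowed[chain] = 1
    }
    END { rc = 0; for (c in shadowed) { print c; rc = 1 }; exit rc }'
}

# Constructed ruleset reproducing the mistake: REJECT appended first, ssh after it.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

apply_host() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_host: must run as root" >&2; return 1; }
  host_ruleset | catchall_not_last || return 1       # refuse to lock ourselves out
  host_ruleset | iptables-restore                    # atomic load of the whole table
  host_ruleset > /etc/sysconfig/iptables             # what `service iptables start` reloads
}

case "${1:-}" in
  --apply) apply_host ;;
  *)
    host_ruleset
    echo "--- lock-out check on the constructed bad ruleset:"
    printf '%s\n' "$BAD_RULES" | catchall_not_last && echo "clean" || echo "catch-all rule is not last in the chain(s) above"
    ;;
esac
```

Pipe any saved file through catchall_not_last before loading it (for example iptables-save | catchall_not_last on the running rules); a non-zero exit names the chain whose catch-all shadows later rules, which is the situation the lock-out question describes.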

I've added a few rules in iptables, but when I list all the available rules I do not
see the newly added rules. How can I fix/troubleshoot this?
First check where they went: iptables -L lists only the filter table, so rules added
with -t nat or -t mangle show up only with iptables -t nat -L or in iptables-save
output. If they are genuinely gone, something reloaded the saved ruleset after they
were added (service iptables restart, a reboot, or a configuration tool), and rules
added with the iptables command live only in the kernel until they are saved. Add them
again and make them persistent with:
service iptables save
After that, service iptables restart reloads /etc/sysconfig/iptables and the rules
remain. Do not stop the service before saving: service iptables stop flushes the rules,
so a save after it writes an empty file.

How do I turn off iptables on runlevels 2 and 4?
#chkconfig --level 24 iptables off
chkconfig --list iptables shows the resulting on/off state for every runlevel.
