Rob Kampen wrote:
Carlos Santana wrote:
- What does 'RH-Firewall-1-INPUT' chain means? This also seems to be a
predefined chain, although not mentioned in wiki.
- The wiki page approach is to flush existing rules and then add
required rules to iptables. Is it possible to add/append required rules without flushing existing set of rules? Not sure, but I think this is where 'RH-Firewall-1-INPUT' chain comes into picture (user defined rules).
Any explanation or resource link on this would be really helpful.
Try using webmin - there are rpm available for it and the interface helps deal with the cryptic items that make up an iptable filter. The reason for the RH-Firewall-1-INPUT chain means you can use the same rule set for multiple items - i.e. both input and forward.
I also find it useful to create different chains for different network traffic. For example, I have a chain that allows all web access - ports 80, 443, 8080 etc. I have a different chain for file-share access - e.g. NFS and Samba. This way, I can watch what is happening with those chains specifically, without wading through the significant output of the command "iptables -nvL".
By using different chains, I can issue a command like "watch -d iptables -nvL CentOS-MAIL" to monitor network traffic on related ports. This has helped me many times in the past to see where network traffic is being blocked or given access.
Just my 2c worth :)
Ian