This is a standard RedHat / CentOS firewall configuration, where I told it, through the standard RH setup GUI, that I want ssh and snmp allowed through.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
The way I read this, though, the first rule in the RH-Firewall-1-INPUT chain applies to all packets coming in, which it accepts. That's all protocols from "anywhere" going to "anywhere".
So shouldn't the packet no longer be evaluated past that rule?
I know that when I have this enabled, it's stopping packets. So I'm reading this wrong. What am I getting wrong?
=== Al
--- Al Sparks data345@yahoo.com wrote:
This is a standard RedHat / CentOS firewall configuration, where I told it, through the standard RH setup GUI, that I want ssh and snmp allowed through.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
The way I read this, though, the first rule in the RH-Firewall-1-INPUT chain applies to all packets coming in, which it accepts. That's all protocols from "anywhere" going to "anywhere".
So shouldn't the packet no longer be evaluated past that rule?
I know that when I have this enabled, it's stopping packets. So I'm reading this wrong. What am I getting wrong?
=== Al
I found the answer to my own question. The above output is from a # iptables -L
But I looked at the /etc/sysconfig/iptables file and:

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The first RH-Firewall-1-INPUT only applies to "-i lo" or the loopback interface.
Strangely enough, that's not reflected in the # iptables -L output.
=== Al
Al Sparks wrote:
I found the answer to my own question. The above output is from a # iptables -L
But I looked at the /etc/sysconfig/iptables file and:

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The first RH-Firewall-1-INPUT only applies to "-i lo" or the loopback interface.
Strangely enough, that's not reflected in the # iptables -L output.
Try 'iptables -L -v', it shows a bit more information... like the interface a rule applies to, if any.
On Wed June 6 2007 21:31, Jay Leafey wrote:
Try 'iptables -L -v', it shows a bit more information... like the interface a rule applies to, if any.
Or this for even more information with scrolling:
iptables -L -v -n | less -SCi
--On Wednesday, June 06, 2007 6:02 PM -0700 Al Sparks data345@yahoo.com wrote:
Strangely enough, that's not reflected in the # iptables -L output.
The sysconfig file shows what will be loaded on boot. To see the same information about what's in memory, use iptables-save. That's what's used by the initscript to save to the sysconfig file. It normally outputs to standard output, and the initscript redirects it to the sysconfig file.
BTW, if you have lots of rules, it's more efficient to load them with iptables-restore than individual iptables commands, because the -restore variant loads them all with one kernel operation, and hence only one locking of the table.
Quoting Al Sparks data345@yahoo.com:
This is a standard RedHat / CentOS firewall configuration, where I told it, through the standard RH setup GUI, that I want ssh and snmp allowed through.
<snip>
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:snmp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I'm not an SNMP person, but IIRC, SNMP usually runs on udp/161, not tcp/161.
Barry
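Worked example added here, not part of the thread: a small Python model of how netfilter walks the RH-Firewall-1-INPUT chain built from the sysconfig rules Al posted, first match wins. It shows why rule 1 only covers loopback traffic (the "-i lo" that plain iptables -L hides) and Barry's point that SNMP over udp/161 falls through to the REJECT rule. The packet dicts, the interface name eth0 and the conntrack states are constructed.

```python
# Constructed from the /etc/sysconfig/iptables rules quoted in the thread (a subset).
RULES = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into its match criteria plus target.
    Assumes every option takes exactly one argument, which holds for these rules."""
    toks = line.split()
    rule = {"chain": toks[1]}
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt == "-j":
            rule["target"] = arg
        elif opt == "-i":                  # the criterion 'iptables -L' does not show
            rule["in_iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
    return rule

def matches(rule, pkt):
    """A rule matches only if every criterion it carries matches the packet."""
    return ("in_iface" not in rule or rule["in_iface"] == pkt["in_iface"]) and \
           ("proto" not in rule or rule["proto"] == pkt["proto"]) and \
           ("dport" not in rule or rule["dport"] == pkt.get("dport")) and \
           ("state" not in rule or pkt["state"] in rule["state"])

def verdict(pkt, rules=RULES):
    """First matching rule decides, as netfilter does; returns (rule number, target)."""
    for num, line in enumerate(rules, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return num, rule["target"]
    return None, "POLICY"          # chain fell through to the built-in policy

if __name__ == "__main__":
    for pkt in ({"in_iface": "lo", "proto": "tcp", "dport": 8080, "state": "NEW"},
                {"in_iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"},
                {"in_iface": "eth0", "proto": "udp", "dport": 161, "state": "NEW"}):
        print(pkt, "->", verdict(pkt))
```

Only the loopback packet hits rule 1; a NEW udp/161 datagram from eth0 matches nothing but the final REJECT, which is exactly what the GUI's "allow snmp" choice would miss if the agent listens on UDP.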