[CentOS] Standard RH iptables analysis

Al Sparks data345 at yahoo.com
Thu Jun 7 01:02:01 UTC 2007


--- Al Sparks <data345 at yahoo.com> wrote:

> This is a standard RedHat / CentOS firewall configuration, where I
> told it, through the standard RH setup GUI, that I want ssh and
> snmp allowed through.
> 
>   Chain INPUT (policy ACCEPT)
>   target     prot opt source               destination         
>   RH-Firewall-1-INPUT  all  --  anywhere             anywhere            
>   
>   Chain FORWARD (policy ACCEPT)
>   target     prot opt source               destination         
>   RH-Firewall-1-INPUT  all  --  anywhere             anywhere            
>   
>   Chain OUTPUT (policy ACCEPT)
>   target     prot opt source               destination         
>   
>   Chain RH-Firewall-1-INPUT (2 references)
>   target     prot opt source               destination         
>   ACCEPT     all  --  anywhere             anywhere            
>   ACCEPT     icmp --  anywhere             anywhere            icmp any 
>   ACCEPT     ipv6-crypt--  anywhere             anywhere            
>   ACCEPT     ipv6-auth--  anywhere             anywhere            
>   ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353 
>   ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
>   ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
>   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:snmp 
>   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
>   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
> 
> The way I read this, though, the first rule in the RH-Firewall-1-INPUT
> chain applies to all packets coming in, which it accepts.  That's all
> protocols from "anywhere" going to "anywhere".
> 
> So shouldn't the packet no longer be evaluated past that rule?
> 
> I know that when I have this enabled, it's stopping packets.  So I'm
> reading this wrong.  What am I getting wrong?
> 
>    === Al

I found the answer to my own question.  The above output is from a
   # iptables -L

But I looked at the /etc/sysconfig/iptables file and:
   -A FORWARD -j RH-Firewall-1-INPUT
   -A RH-Firewall-1-INPUT -i lo -j ACCEPT
   -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
   -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
   -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
   -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
   -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
   -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
   -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
   COMMIT

The first RH-Firewall-1-INPUT rule only applies to "-i lo", the loopback interface.

Strangely enough, that's not reflected in the 
   # iptables -L
output.
   === Al
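The column that plain `iptables -L` drops is the interface match, which is exactly why the `-i lo` rule above reads as "ACCEPT all -- anywhere anywhere". As an added illustration (not part of Al's post and not Red Hat or CentOS code), the script below parses a constructed subset of the ruleset from /etc/sysconfig/iptables in iptables-save form, renders it once the way `iptables -L` lays out its columns and once with the `in`/`out` columns that `-v` adds, and flags every rule whose only match is an interface. The function names `parse_rules`, `render` and `hidden_interface_rules` are mine, the sample ruleset is constructed, and the rendering is simplified: no packet/byte counters, ports and ICMP types are not translated to service names, and every `--option` is assumed to take exactly one argument (true for the sample).

```python
"""Show what `iptables -L` hides versus `iptables -L -v` for an iptables-save ruleset.

Added example; the ruleset below is a constructed subset of the chain in the post.
"""
import shlex
from collections import OrderedDict

# Constructed sample in iptables-save / /etc/sysconfig/iptables syntax.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that map to a listing column. -i/-o only appear with -v.
DISPLAY_OPTS = {"-j": "target", "-p": "proto", "-i": "in_if",
                "-o": "out_if", "-s": "src", "-d": "dst"}


def parse_rules(text):
    """Parse the -A lines of an iptables-save dump into per-rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table, chain policy and COMMIT lines carry no rule
        toks = shlex.split(line)
        rule = {"chain": toks[1], "target": "", "proto": "all", "in_if": "*",
                "out_if": "*", "src": "anywhere", "dst": "anywhere", "extras": []}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok in DISPLAY_OPTS:
                rule[DISPLAY_OPTS[tok]] = toks[i + 1]
            elif tok == "-m":
                pass  # the match-module name itself is not a listing column
            elif tok.startswith("--"):
                # module option with one argument (assumption, holds for the sample)
                rule["extras"].append(f"{tok[2:]} {toks[i + 1]}")
            else:
                raise ValueError(f"unsupported token {tok!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def render(text, verbose=False):
    """Lay the rules out like `iptables -L` (verbose=False) or `iptables -L -v`.

    Simplified: no pkts/bytes counters, no name lookups for ports/ICMP types.
    """
    chains = OrderedDict()
    for r in parse_rules(text):
        chains.setdefault(r["chain"], []).append(r)
    out = []
    for chain, rules in chains.items():
        out.append(f"Chain {chain}")
        out.append("target     prot opt " + ("in     out     " if verbose else "")
                   + "source               destination")
        for r in rules:
            cols = [f"{r['target']:<10}", f"{r['proto']:<4}", "-- "]
            if verbose:
                cols += [f"{r['in_if']:<6}", f"{r['out_if']:<6}"]
            cols += [f"{r['src']:<20}", f"{r['dst']:<20}", " ".join(r["extras"])]
            out.append(" ".join(cols).rstrip())
        out.append("")
    return "\n".join(out)


def hidden_interface_rules(text):
    """Return (chain, in_if, out_if) for rules that plain -L prints as
    '<target> all -- anywhere anywhere' although they match only an interface."""
    found = []
    for r in parse_rules(text):
        looks_like_catch_all = (r["proto"] == "all" and r["src"] == "anywhere"
                                and r["dst"] == "anywhere" and not r["extras"])
        if looks_like_catch_all and (r["in_if"] != "*" or r["out_if"] != "*"):
            found.append((r["chain"], r["in_if"], r["out_if"]))
    return found


if __name__ == "__main__":
    print(render(SAMPLE_RULES))
    print(render(SAMPLE_RULES, verbose=True))
    print("interface-only rules that -L shows as catch-alls:",
          hidden_interface_rules(SAMPLE_RULES))
```

On a live box the same information comes from `iptables -L -v -n` (the `-v` adds the `in` and `out` columns, `-n` skips name lookups) or from `iptables-save`, which prints the rules in the same `-A` form as /etc/sysconfig/iptables, so an audit of a listing should always be done against one of those rather than against bare `iptables -L`.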


