[CentOS] Understanding iptables
Spiro Harvey, Knossos Networks Ltd
spiro at knossos.net.nz
Sun Jul 13 22:30:47 UTC 2008
>> > Could you post /etc/sysconfig/iptables?
>> /etc/sysconfig/iptables doesn't necessarily reflect what is running
>> right now, and you can't include the counters with it.
> I'm not interested in the counters I want to see how the rules are
I think he's trying to tell you that any changes made since the *last*
write to /etc/sysconfig/iptables won't be reflected in that file. Or
rather, what if that file has been written to, but not read from? The
fact remains that "iptables -L" is more useful because it is a live state.
In fact, I've got a few machines where all my rules are only kept in
running memory. They're all activated/reactivated/modified using
scripts. No state is stored on disk.
> [snip]
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> [/snip]
> What are we accepting here? All packets? If this is the case then there is
> no need for the rest of the rules in this chain.
Depends on the INPUT rule that references this. But yes, once a packet
has been filtered to get here, then it will be accepted.
See? You can read this output.
--
Spiro Harvey Knossos Networks Ltd
021-295-1923 www.knossos.net.nz
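The point made above about reading chain output, as an added example that is not part of the original thread or of CentOS: a small Python checker that parses `iptables -L -n -v` text, spots an unconditional ACCEPT/DROP/REJECT in a chain, and reports the rules after it that can never match. The listing it parses is constructed for the example (the chain names follow the RH-Firewall-1-INPUT layout quoted in the thread; packet counts and the SSH rule are invented). It reads `-v -n` output rather than plain `iptables -L` because the plain form hides the interface column, and a rule that is really "ACCEPT all on lo" looks identical there to one that accepts everything.

```python
"""Find rules shadowed by an unconditional ACCEPT/DROP/REJECT in `iptables -L -n -v` output.

Added example, not CentOS or mailing-list code. SAMPLE_LISTING is constructed,
not captured from a real host.
"""
import re

# Targets that end the walk of a chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   50  4000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   57  4000 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# Fixed columns printed by `iptables -L -n -v`; anything after them is match text.
RULE_FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chains(listing):
    """Return {chain_name: [rule_dict, ...]} from `iptables -L -n -v` text.

    Each rule dict carries the nine fixed columns plus 'extra', the trailing
    match text (e.g. 'state NEW tcp dpt:22'); 'extra' is '' when absent.
    """
    chains = {}
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if parts[0] == "pkts":  # column header line
            continue
        if current is None or len(parts) < len(RULE_FIELDS):
            continue
        rule = dict(zip(RULE_FIELDS, parts))
        rule["extra"] = " ".join(parts[len(RULE_FIELDS):])
        chains[current].append(rule)
    return chains


def is_catch_all(rule):
    """True if the rule matches every packet and terminates the chain walk.

    A rule bound to an interface (in/out not '*'), a protocol, an address
    range, or extra matches is not a catch-all even if its target is ACCEPT.
    """
    return (rule["target"] in TERMINATING
            and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["source"] == "0.0.0.0/0"
            and rule["destination"] == "0.0.0.0/0"
            and rule["extra"] == "")


def find_shadowed_rules(listing):
    """Return {chain: [1-based numbers of rules that can never be reached]}."""
    shadowed = {}
    for chain, rules in parse_chains(listing).items():
        for i, rule in enumerate(rules):
            if is_catch_all(rule):
                dead = list(range(i + 2, len(rules) + 1))
                if dead:
                    shadowed[chain] = dead
                break
    return shadowed


if __name__ == "__main__":
    for chain, dead in find_shadowed_rules(SAMPLE_LISTING).items():
        print("chain %s: rules %s are unreachable" % (chain, dead))
```

Run against the live table with `iptables -L -n -v | python3 check.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`. In the constructed sample the loopback-only ACCEPT (rule 1) is correctly left alone, while the bare `ACCEPT all * * 0.0.0.0/0 0.0.0.0/0` (rule 2) makes the SSH rule and the final REJECT dead, which is exactly the "no need for the rest of the rules" situation raised in the thread.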