[CentOS] Understanding iptables

Spiro Harvey, Knossos Networks Ltd spiro at knossos.net.nz
Sun Jul 13 22:30:47 UTC 2008


>>  > Could you post /etc/sysconfig/iptables?
>>  /etc/sysconfig/iptables doesn't necessarily reflect what is running
>>  right now, and you can't include the counters with it.
 > I'm not interested in the counters  I want to see how the rules are

I think he's trying to tell you that any changes made since the *last* 
write to /etc/sysconfig/iptables won't be reflected in that file. Or 
rather, what if that file has been written to, but not read from? The 
fact remains that "iptables -L" is more useful because it is a live state.

In fact, I've got a few machines where all my rules are only kept in 
running memory. They're all activated/reactivated/modified using 
scripts. No state is stored on disk.

> [snip]
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> [/snip]
> What are we accepting here?  All packets?  If this is the case then there is 
> no need for the rest of the rules in this chain.

depends on the INPUT rule that references this. but yes, once a packet 
has been filtered to get here, then it will be accepted.

see? you can read this output.




-- 
Spiro Harvey                  Knossos Networks Ltd
021-295-1923                    www.knossos.net.nz




More information about the CentOS mailing list