[CentOS] iptables default configuration

Tue Jan 19 07:01:51 UTC 2010
Ian Blackwell <ian at ikel.id.au>

Rob Kampen wrote:
> Carlos Santana wrote:
>> - What does 'RH-Firewall-1-INPUT' chain means? This also seems to be a
>> predefined chain, although not mentioned in wiki.
>> - The wiki page approach is to flush existing rules and then add
>> required rules to iptables. Is it possible to add/append required
>> rules without flushing existing set of rules? Not sure, but I think
>> this is where 'RH-Firewall-1-INPUT' chain comes into picture (user
>> defined rules).
>>
>> Any explanation or resource link on this would be really helpful.
>>
>>   
> Try using webmin - there are rpm available for it and the interface
> helps deal with the cryptic items that make up an iptable filter.
> The reason for the RH-Firewall-1-INPUT chain means you can use the
> same rule set for multiple items - i.e. both input and forward.
I also find it useful to create different chains for different network
traffic.  For example, I have a chain that allows all web access - ports
80, 443, 8080 etc.  I have a different chain for file-share access -
e.g. NFS and Samba.  This way, I can watch what is happening with those
chains specifically, without wading through the significant output of
the command "iptables -nvL".

By using different chains, I can issue a command like "watch -d iptables
-nvL CentOS-MAIL" to monitor network traffic on related ports.  This has
helped me many times in the past to see where network traffic is being
blocked or given access.

Just my 2c worth :)

Ian