
Centos5.3: iptables: help understanding config...

hello experts,

Here is my iptables config script:

[root@config confserv]# cat /SCRIPTS/myfirewall.sh
# iptables configuration script
# flush all existing rules
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
/sbin/iptables -A INPUT -s -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/service iptables save

/sbin/iptables -L -v

My question is what are chain #6 and 10?:

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --             tcp dpt:22
2    ACCEPT     tcp  --             tcp dpt:901
3    ACCEPT     tcp  --             tcp dpt:2020
4    ACCEPT     tcp  --             tcp dpt:2021
5    ACCEPT     tcp  --             tcp dpt:4999
6    ACCEPT     all  --                              what is this?
7    ACCEPT     all  --
8    ACCEPT     all  --
9    ACCEPT     all  --
10   ACCEPT     tcp  --             tcp dpt:903    what is this?
11   ACCEPT     all  --             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

thank you experts....

2 Solutions
6: Accept all packets (tcp, udp) from any IP address to any IP address, no protocol or port specified (restricted)
7: Accept all packets from IP address to any destination IP address.
8: Same as 7 but the source IP address is different.
9: Same as previous 2 with different source IP address.
10: Accept only TCP packets from any IP to any IP address with one condition that the target (destination) port number in the packets should be 903
epifanio67Author Commented:
thank you Farzani,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Instead of "/sbin/service iptables status" try running "/sbin/iptables -L -nv". It will give you more details about the rule (out/in interface restriction).

Your script adds rule by rule so in the output you can match a rule exactly to a command you issued in the script.
So for rule #6 you can see that the rule is:
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost
This accepts all local loopback traffic which is OK.

And rule #10 is:
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #?
I have no idea why you have this enabled, however you should have - it could be for VMWare Client console for example or some other things.
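Both answers above come down to the same exercise: line up the numbered rules in the status output with the commands that created them, and ask of each ACCEPT rule what actually restricts it. The script below is an added example, not code from the thread; it does that matching offline on a constructed `iptables -S INPUT` listing equivalent to the poster's script (the 192.0.2.x sources are RFC 5737 placeholder addresses, not the poster's hosts). On the real box you would pipe live output into the same functions, e.g. `/sbin/iptables -S INPUT | rule_for_number INPUT 6`. The useful fact it relies on: rule N in `iptables -L --line-numbers` is the Nth `-A CHAIN` line of `iptables -S CHAIN`, and `-S` prints each rule in the exact syntax it was added with, so rule 6 reads `-A INPUT -i lo -j ACCEPT` rather than a row of blank columns.

```shell
#!/bin/sh
# Added example (not from the original thread): map numbered rules from
# "/sbin/iptables -L -nv --line-numbers" back to the commands that created
# them, and flag ACCEPT rules that carry no restriction at all.
#
# Constructed listing in "iptables -S" form, matching the poster's script.
# 192.0.2.x are RFC 5737 placeholder addresses, not the real ESXi/laptop/
# oracle hosts. On a live system, pipe "/sbin/iptables -S INPUT" instead.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2021 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4999 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -s 192.0.2.20/32 -j ACCEPT
-A INPUT -s 192.0.2.30/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 903 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# rules_of CHAIN: keep only the "-A CHAIN ..." lines read from stdin.
# Policy lines (-P) are not numbered by "iptables -L", so drop them.
rules_of() {
    grep -e "^-A $1 " || true
}

# rule_for_number CHAIN N: print the command that created rule N of CHAIN,
# i.e. the Nth "-A CHAIN" line. Reads the -S listing from stdin.
rule_for_number() {
    rules_of "$1" | sed -n "${2}p"
}

# unrestricted_accepts CHAIN: ACCEPT rules naming neither a protocol (-p),
# a source (-s), an input interface (-i) nor a match (-m). Such a rule
# accepts every packet reaching the chain and is a real hole. None of the
# poster's rules qualify: #6 is limited to loopback, #7-#9 to one source.
unrestricted_accepts() {
    rules_of "$1" | grep -e '-j ACCEPT' \
        | grep -v -e ' -p ' -e ' -s ' -e ' -i ' -e ' -m ' || true
}

# Numbered listing: the same numbers "iptables -L --line-numbers" shows.
printf '%s\n' "$SAMPLE_RULES" | rules_of INPUT | awk '{ print NR ": " $0 }'

echo "rule 6 : $(printf '%s\n' "$SAMPLE_RULES" | rule_for_number INPUT 6)"
echo "rule 10: $(printf '%s\n' "$SAMPLE_RULES" | rule_for_number INPUT 10)"
echo "unrestricted ACCEPTs: [$(printf '%s\n' "$SAMPLE_RULES" | unrestricted_accepts INPUT)]"

# A constructed bad rule, to show what the check would catch:
echo "with a bare '-A INPUT -j ACCEPT' appended:"
printf '%s\n' "$SAMPLE_RULES" '-A INPUT -j ACCEPT' | unrestricted_accepts INPUT
```

The `-i`, `-s` and `-p` columns that `service iptables status` leaves blank are exactly what `iptables -L -nv` and `iptables -S` show, so run one of those before deciding a rule is a hole; on this listing the only candidates for review are the port rules themselves (901/903 for the Samba and VMware console guesses), not rule 6.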
epifanio67Author Commented:
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...
