epifanio67


CentOS 5.3: iptables: help understanding config...

hello experts,

Here is my iptables config script:

------------------
[root@config confserv]# cat /SCRIPTS/myfirewall.sh
#!/bin/bash
#
# iptables configuration script
#
# flush all existing rules (in the filter table; -F does not reset chain policies)
/sbin/iptables -F

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT     #ssh
/sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT    #samba
/sbin/iptables -A INPUT -p tcp --dport 2020 -j ACCEPT   #confserv
/sbin/iptables -A INPUT -p tcp --dport 2021 -j ACCEPT   #confserv mgmt
/sbin/iptables -A INPUT -p tcp --dport 4999 -j ACCEPT   #lca
/sbin/iptables -A INPUT -i lo -j ACCEPT                 #localhost (interface match only; 6th INPUT rule)
/sbin/iptables -A INPUT -s 192.168.0.1 -j ACCEPT        #ESXi host
/sbin/iptables -A INPUT -s 192.168.0.120 -j ACCEPT      #laptop
/sbin/iptables -A INPUT -s 192.168.0.114 -j ACCEPT      #oracle
/sbin/iptables -A INPUT -p tcp --dport 903 -j ACCEPT    #? (10th INPUT rule)


# default policies: drop anything INPUT/FORWARD that no rule above accepted
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# allow replies to connections this host initiated
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# persist to /etc/sysconfig/iptables so the rules survive a reboot
/sbin/service iptables save

# verbose listing (-v also shows the in/out interface columns)
/sbin/iptables -L -v
--------------------------------

My question is: what are chain rules #6 and #10?

[root@config confserv]# /sbin/service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:901
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2020
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2021
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4999
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0                            what is this?
7    ACCEPT     all  --  192.168.0.1          0.0.0.0/0
8    ACCEPT     all  --  192.168.0.120        0.0.0.0/0
9    ACCEPT     all  --  192.168.0.114        0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903    what is this?
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


thank you experts....

regards,
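Counting the `-A INPUT` lines in the script, rule 6 is the `-i lo` line and rule 10 is the explicit `--dport 903` line; `iptables -L` without `-v` omits the in/out interface columns, so an interface-only match prints as ACCEPT all from 0.0.0.0/0. The Python audit below is an added example (not part of this thread): it parses both listing layouts from constructed samples mirroring the script above and flags ACCEPT rules that show no visible restriction.

```python
# Constructed sample of `iptables -L INPUT -n -v --line-numbers`: the same rules
# as the script above, but -v adds the in/out interface columns that plain -L hides.
VERBOSE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
6        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  *      *       192.168.0.1          0.0.0.0/0
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:903
11       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# The plain (non -v) layout as pasted in the question: no interface columns at all.
PLAIN_LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:903
"""

ANY = "0.0.0.0/0"

def parse_rules(listing):
    """Return one dict per numbered rule; 'iface' is None when the listing lacks -v."""
    rules, verbose = [], False
    for line in listing.splitlines():
        f = line.split()
        if not f or f[0] == "Chain":
            continue
        if f[0] == "num":
            verbose = "in" in f          # the header tells us which layout follows
            continue
        if verbose:   # num pkts bytes target prot opt in out src dst [matches...]
            r = dict(num=int(f[0]), target=f[3], prot=f[4], iface=f[6],
                     src=f[8], dst=f[9], matches=" ".join(f[10:]))
        else:         # num target prot opt src dst [matches...]
            r = dict(num=int(f[0]), target=f[1], prot=f[2], iface=None,
                     src=f[4], dst=f[5], matches=" ".join(f[6:]))
        rules.append(r)
    return rules

def audit_accepts(listing):
    """Map rule number -> finding for ACCEPT rules with no visible restriction."""
    findings = {}
    for r in parse_rules(listing):
        if r["target"] != "ACCEPT":
            continue
        restricted = r["prot"] != "all" or r["src"] != ANY or r["matches"] != ""
        if restricted or r["iface"] not in (None, "*"):
            continue                     # port/state/source/interface match present
        if r["iface"] is None:
            findings[r["num"]] = "no restriction shown; rerun with -v to see interface match"
        else:
            findings[r["num"]] = "ACCEPT all from anywhere on any interface"
    return findings
```

Run against the plain listing, rule 6 is reported as unresolvable without `-v`; against the verbose listing it is cleared because the `in` column shows `lo`.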
ASKER CERTIFIED SOLUTION
farzanj
epifanio67

ASKER

thank you farzanj,

So, is #6 a hole in the system?

where, in my rules above, did I do that?

thanks so much for all of your help...

Regards,
SOLUTION
got it.. thank you experts...

I will disable 903... will see what happens...

thanks again...