Centos 6.8 iptables question

Support for security such as Firewalls and securing linux
Post Reply
linux2016
Posts: 2
Joined: 2016/07/11 10:04:28

Centos 6.8 iptables question

Post by linux2016 » 2016/07/11 10:34:47

Hi all.

New to iptables and firewalls in general and I have a question: Just installed Centos 6.8. Used system-config-firewall-tui to configure the firewall. Then I added SSH as a trusted service, and added option for packets to be allowed on tcp:8080. When I ran iptables -L i get:

Code: Select all

[user@localhost ~]$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache 
6    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
I have 2 questions. Why is the policy for each chain set to ACCEPT and not DROP with additional rules added? Then I also want to ask about rule number 3 in the INPUT chain.
Isn't it going to allow all packets sent to this machine? (Seems like it doesn't though when I remove SSH option in system-config-firewall-tui I can't use ssh anymore)

User avatar
TrevorH
Forum Moderator
Posts: 26915
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 iptables question

Post by TrevorH » 2016/07/11 11:22:41

The policy is set to ACCEPT and not DROP because that's the way that RH decided to do it in RHEL. Since the last rule is a -j REJECT it then has the same effect as DROP except that it obeys the RFCs about how firewalls should behave and sends an icmp packet back with the reason for the rejection.

The third rule in that list is a global ACCEPT for anything originating from the localhost interface. You can see this better by running iptables-save
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

linux2016
Posts: 2
Joined: 2016/07/11 10:04:28

Re: Centos 6.8 iptables question

Post by linux2016 » 2016/07/16 10:09:57

Thanks TrevorH. Cleared it up for me :D

Post Reply

Return to “CentOS 6 - Security Support”