Enable Firewall, But Allow Specific Inbound Connections

Craig White craigwhite at azapple.com
Tue Feb 1 01:59:44 UTC 2005


On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:

> ---------------------------------------------------------------------------------------------------------------------
> Here is a list of all the iptables chains:
> 
> [root at bobcp4 ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> 
> -------------------------------------------------------------------------------------------------------------------------
> 
> now suppose I independently add a rule like this:
> 
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 
> -s 192.168.1.0/24 -j ACCEPT
> 
> the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, 
> right after that REJECT.  So a datagram for port 3306 will traverse the 
> chain, hit the REJECT, and get blown away without ever being inspected 
> by the new rule appearing after the REJECT.
> 
> Am I on the right track here?
----
why don't you try it?
and then
service iptables save
service iptables restart
iptables -L
and see what happens then?

Craig
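Added example (not from either poster, and not Fedora's iptables code): a small first-match simulation of the RH-Firewall-1-INPUT chain quoted above, showing why a rule appended with `-A` after the final REJECT is never reached and why inserting it with `-I CHAIN N` ahead of the REJECT makes it effective. The rule model is a deliberate simplification (no interface match, so the loopback, icmp, ipv6, mDNS and ipp rules are left out); `Rule`, `Packet`, `append_rule`, `insert_rule` and `mysql_verdicts` are names assumed here, and the 192.168.1.10 / 10.0.0.5 source addresses are constructed sample input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical rule model: one entry of an iptables chain (simplified; no -i/-o match).
@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    dport: Optional[int] = None
    src: str = "0.0.0.0/0"
    state: FrozenSet[str] = frozenset()   # empty set means "any conntrack state"

# Hypothetical packet model: just the fields the rules above look at.
@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    src: str
    state: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's match criteria apply to the packet?"""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.state and pkt.state not in rule.state:
        return False
    return ip_address(pkt.src) in ip_network(rule.src)

def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First-match traversal, as iptables does: return (target, 1-based rule number),
    or the chain policy with no rule number if nothing matched."""
    for idx, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None

# Trimmed model of the chain shown in the thread (rule numbers as `iptables -L --line-numbers`
# would show them for this trimmed version): 1..4 accept, 5 is the catch-all REJECT.
BASE_CHAIN = [
    Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", "tcp", 80, state=frozenset({"NEW"})),
    Rule("ACCEPT", "tcp", 443, state=frozenset({"NEW"})),
    Rule("ACCEPT", "tcp", 22, state=frozenset({"NEW"})),
    Rule("REJECT"),
]

# The rule from the question: -m state --state NEW -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
MYSQL_RULE = Rule("ACCEPT", "tcp", 3306, src="192.168.1.0/24", state=frozenset({"NEW"}))

def append_rule(chain: List[Rule], rule: Rule) -> List[Rule]:
    """What `iptables -A CHAIN ...` does: the rule goes to the very end."""
    return chain + [rule]

def insert_rule(chain: List[Rule], rule: Rule, position: int) -> List[Rule]:
    """What `iptables -I CHAIN N ...` does: the rule becomes rule number N (1-based)."""
    return chain[:position - 1] + [rule] + chain[position - 1:]

def first_reject_position(chain: List[Rule]) -> int:
    """Rule number of the first terminal REJECT/DROP, i.e. where a new ACCEPT must go before."""
    return next(i for i, r in enumerate(chain, start=1) if r.target in ("REJECT", "DROP"))

def mysql_verdicts() -> Tuple[Tuple[str, Optional[int]], ...]:
    lan_pkt = Packet("tcp", 3306, "192.168.1.10", "NEW")   # constructed: host on the allowed subnet
    other_pkt = Packet("tcp", 3306, "10.0.0.5", "NEW")     # constructed: host outside it
    appended = append_rule(BASE_CHAIN, MYSQL_RULE)
    inserted = insert_rule(BASE_CHAIN, MYSQL_RULE, first_reject_position(BASE_CHAIN))
    return (
        verdict(appended, lan_pkt),    # REJECT at rule 5; the 3306 rule at 6 is never consulted
        verdict(inserted, lan_pkt),    # ACCEPT at rule 5; the REJECT is now rule 6
        verdict(inserted, other_pkt),  # still REJECT (now at rule 6): the -s restriction holds
    )

if __name__ == "__main__":
    for label, v in zip(("appended", "inserted", "inserted/outsider"), mysql_verdicts()):
        print(f"{label:18} -> {v}")
```

On a real system the same check is `iptables -L RH-Firewall-1-INPUT --line-numbers` to find the REJECT's rule number, then `iptables -I RH-Firewall-1-INPUT <that number> ...` rather than `-A`, followed by `service iptables save` so the ordering survives a restart.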




More information about the fedora-list mailing list