Re: Enable Firewall, But Allow Specific Inbound Connections

Craig White wrote:

On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:



---------------------------------------------------------------------------------------------------------------------
Here is a list of all the iptables chains:

[root@bobcp4 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere        anywhere
ACCEPT     ipv6-auth--  anywhere         anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


-------------------------------------------------------------------------------------------------------------------------

now suppose I independently add a rule like this:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT

the rule will be added to the bottom of the RH-Firewall-1-INPUT chain, right after that REJECT. So a datagram for port 3306 will traverse the chain, hit the REJECT, and get blown away without ever being inspected by the new rule appearing after the REJECT.

Am I on the right track here?


----
why don't you try it?
and then
service iptables save
service iptables restart
iptables -L
and see what happens then?

Craig



I tried this in steps. I added the new rule. At first I didn't do the 'service iptables save' or 'service iptables restart'. The new rule appends to the existing chain and I still could not connect to the server (as expected).

Then I did a 'service iptables save' which saved the firewall rules, in the order shown by 'iptables -L', to file /etc/sysconfig/iptables. This was unacceptable because the saved rules would later be added to the chain in the wrong order.

Then I manually edited /etc/sysconfig/iptables and moved the new ACCEPT rule before the final REJECT rule. I did a 'service iptables restart' and listed the chain out. That was better -- the rule was in the right place. And the connection attempt from a different host succeeded, too.

Thanks, this has got me started in the direction I need.

Bob
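The ordering problem in this thread, worked through as an added example (not code from the thread or from Fedora's iptables scripts). It operates on constructed iptables-save text so it runs without root; the chain name and the 3306 rule are the poster's, while the sample rules file, the function names and the assumption that a chain's rules are contiguous in the saved file are mine.

```shell
#!/bin/sh
# Added example, not from the original thread. It works on constructed
# iptables-save text so it runs without root; the live iptables commands
# are shown in comments. Chain name and the 3306 rule come from the
# thread; the sample rules file and function names are assumptions.

CHAIN="RH-Firewall-1-INPUT"
NEW_RULE="-A $CHAIN -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT"

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format,
# modelled on the listing in the thread; not captured from any real host.
SAMPLE_SAVED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# reject_position CHAIN < rules
# Prints the 1-based rule number of the first REJECT in CHAIN, the same
# number `iptables -L CHAIN --line-numbers` shows for it. Use it with
# `iptables -I CHAIN N ...` so a new rule lands above the REJECT instead
# of being appended below it by `-A`, where it is never reached.
reject_position() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain { n++; if ($0 ~ /-j REJECT/) { print n; exit } }
  '
}

# append_rule CHAIN RULE < rules > new_rules
# What `iptables -A` followed by `service iptables save` produces: RULE
# goes after the chain's last rule (assumes the chain's rules are
# contiguous in the file, as iptables-save writes them).
append_rule() {
  awk -v chain="$1" -v rule="$2" '
    in_chain && !($1 == "-A" && $2 == chain) { print rule; in_chain = 0 }
    $1 == "-A" && $2 == chain { in_chain = 1 }
    { print }
  '
}

# insert_before_reject CHAIN RULE < rules > new_rules
# The edit the poster made by hand: put RULE directly above CHAIN's first
# REJECT so the saved file reloads in the right order.
insert_before_reject() {
  awk -v chain="$1" -v rule="$2" '
    !done && $1 == "-A" && $2 == chain && $0 ~ /-j REJECT/ { print rule; done = 1 }
    { print }
  '
}

# shadowed_rules CHAIN < rules
# Prints every rule of CHAIN that sits after its REJECT; those rules are
# dead. Run it on `iptables-save` output after `service iptables restart`
# to confirm nothing ended up behind the REJECT.
shadowed_rules() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain && seen { print }
    $1 == "-A" && $2 == chain && $0 ~ /-j REJECT/ { seen = 1 }
  '
}

# Walk through it on the sample.
pos=$(printf '%s\n' "$SAMPLE_SAVED" | reject_position "$CHAIN")
echo "REJECT is rule $pos of $CHAIN; the live fix would be:"
echo "  iptables -I $CHAIN $pos -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT"

echo "Shadowed after a plain append (-A):"
printf '%s\n' "$SAMPLE_SAVED" | append_rule "$CHAIN" "$NEW_RULE" | shadowed_rules "$CHAIN"

echo "Shadowed after inserting above the REJECT (should print nothing):"
printf '%s\n' "$SAMPLE_SAVED" | insert_before_reject "$CHAIN" "$NEW_RULE" | shadowed_rules "$CHAIN"
```

On a live host the same check is `iptables-save | shadowed_rules RH-Firewall-1-INPUT`; anything it prints is a rule that can never match, which is exactly the state the appended 3306 rule was in before the file was edited.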

