Question

I have the following /etc/sysconfig/iptables rules (default setting after installation):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:28264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After adding a rule like this:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

should at this point port 80 be open? After I save iptables like this:

service iptables save

I get

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:28264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

This does not work; I would expect the new rule to be one line higher. What do you think? I am using CentOS. Also, what is the best practice here: should I just change the file and restart iptables, is that better? Thank you very much.


The solution

After changing file /etc/sysconfig/iptables you must restart iptables:

/etc/init.d/iptables restart

OR

service iptables restart

But when you write iptables commands in bash you must do:

/etc/init.d/iptables save

OR

service iptables save

Try to modify /etc/sysconfig/iptables file to:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT --protocol icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp --protocol tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp --protocol tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

It is also correct to enter iptables commands in bash:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

If you are using a Debian-based or any other distro, it is recommended to enter the iptables commands in bash (terminal), because /etc/sysconfig/iptables only exists in Red Hat-based distros...

UPDATE

If you want to run iptables commands in a bash terminal, it is better to remove your rules first... You can run this bash script:

#!/bin/bash

# Flush all rules in the filter table and delete any user-defined chains
iptables -F
iptables -X

# Allow replies to connections we started, ICMP, and loopback traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Allow new inbound connections to HTTP and SSH
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Everything else is rejected; these must stay the last rules in each chain
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Persist the running rules to /etc/sysconfig/iptables
/etc/init.d/iptables save

Other tips

-A INPUT means append to chain INPUT, so the rule goes at the end. You want -I INPUT 4 to insert the rule into the chain before the REJECT rule.
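The ordering problem described in both answers can be checked mechanically. The following Python script is an added example, not code from either answer: it parses an iptables-save style ruleset (here a constructed copy of the saved rules from the question), reports every rule that sits after an unconditional REJECT/DROP in its chain and therefore can never match, and returns the rule number to use with -I so a new rule lands ahead of the catch-all. Only /etc/sysconfig/iptables format is assumed; nothing is applied to the system.

```python
import re

# Constructed sample: the ruleset the question shows after 'service iptables save'.
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:28264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
CATCH_ALL_TARGETS = {"REJECT", "DROP"}

def parse_chains(text):
    """Group the '-A <chain> <rule>' lines by chain, in the order the kernel evaluates them."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A\s+(\S+)\s+(.*)", line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def is_catch_all(rule):
    """True for a REJECT/DROP rule with no match options: it ends evaluation for every packet."""
    tokens = rule.split()
    # With no matches the rule starts with '-j'; '--reject-with' etc. are target options.
    return len(tokens) >= 2 and tokens[0] == "-j" and tokens[1] in CATCH_ALL_TARGETS

def catch_all_position(text, chain):
    """1-based number of the chain's first catch-all rule, or None; use it as N in '-I <chain> N'."""
    for pos, rule in enumerate(parse_chains(text).get(chain, []), start=1):
        if is_catch_all(rule):
            return pos
    return None

def find_shadowed(text):
    """Return (chain, rule_number, rule) for every rule placed after a catch-all: never reached."""
    shadowed = []
    for chain, rules in parse_chains(text).items():
        stop = catch_all_position(text, chain) or len(rules)
        for pos in range(stop + 1, len(rules) + 1):
            shadowed.append((chain, pos, rules[pos - 1]))
    return shadowed
```

For the question's ruleset this flags INPUT rule 6 (the port 80 rule) as unreachable and reports 5 as the catch-all position, so any -I INPUT N with N from 1 to 5 (including the 4 suggested above) places the new rule ahead of the REJECT.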

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow