Standard RH iptables analysis




This is a standard RedHat / CentOS firewall configuration, where I
told it, through the standard RH setup GUI, that I want ssh and
snmp allowed through.

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination         
  RH-Firewall-1-INPUT  all  --  anywhere             anywhere            
  
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         
  RH-Firewall-1-INPUT  all  --  anywhere             anywhere            
  
  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination         
  
  Chain RH-Firewall-1-INPUT (2 references)
  target     prot opt source               destination         
  ACCEPT     all  --  anywhere             anywhere            
  ACCEPT     icmp --  anywhere             anywhere            icmp any 
  ACCEPT     ipv6-crypt--  anywhere             anywhere            
  ACCEPT     ipv6-auth--  anywhere             anywhere            
  ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353 
  ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
  ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
  ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:snmp 
  ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
  REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

The way I read this, though, the first rule in the RH-Firewall-1-INPUT
chain applies to all packets coming in, which it accepts.  That's all
protocols from "anywhere" going to "anywhere".

So shouldn't the packet no longer be evaluated past that rule?

I know that when I have this enabled, it's stopping packets.  So I'm
reading this wrong.  What am I getting wrong?

   === Al
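As an added illustration (not part of Al's post or of the CentOS project), the Python script below simulates the way netfilter walks a chain: rules are tried top to bottom, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) ends evaluation; a jump into a user-defined chain that runs out of rules falls back to the calling chain. The rule set in it is constructed by hand in iptables-save syntax and is assumed to correspond to the chain printed in the post. The point it makes is the check a practitioner would run first: plain `iptables -L` hides the in/out interface columns unless `-v` is given, so a rule written as `-i lo -j ACCEPT` (which is how the standard RH setup writes the first rule) is displayed as `ACCEPT all -- anywhere anywhere`. `iptables -L -n -v` or `iptables-save` shows the hidden match.

```python
"""Simulate netfilter first-match evaluation for a RH-style INPUT chain.

Added illustration, not code from the original post.  RULES is a constructed
rule set written the way iptables-save prints it and is assumed to match the
chain shown by `iptables -L` in the post.  The "-i lo" on the first
RH-Firewall-1-INPUT rule is the part `iptables -L` does not display without -v.
"""
import shlex

RULES = """
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse the subset of iptables-save syntax used above into per-chain rule lists."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"line": line.strip()}
        i = 0
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                rule["chain"] = tok[i + 1]; i += 2
            elif t == "-i":
                rule["iface"] = tok[i + 1]; i += 2
            elif t == "-p":
                rule["proto"] = tok[i + 1]; i += 2
            elif t == "-d":
                rule["dst"] = tok[i + 1]; i += 2
            elif t == "--dport":
                rule["dport"] = int(tok[i + 1]); i += 2
            elif t == "--state":
                rule["state"] = set(tok[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = tok[i + 1]; i += 2
            else:
                i += 1  # -m state, --icmp-type any, --reject-with ...: no effect on matching here
        chains.setdefault(rule["chain"], []).append(rule)
    return chains


def matches(rule, pkt):
    """Every match present on the rule must hold; a match that is absent is a wildcard."""
    if "iface" in rule and rule["iface"] != pkt.get("iface"):
        return False
    if "proto" in rule and rule["proto"] != pkt.get("proto"):
        return False
    if "dst" in rule and rule["dst"] != pkt.get("dst"):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True


def evaluate(chains, chain, pkt):
    """Walk a chain top to bottom; the first matching terminating target decides.
    Returns (verdict, rule line).  A user-defined chain that runs out of rules
    returns None, i.e. evaluation continues in the caller after the jump."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule["line"]
        result = evaluate(chains, target, pkt)  # jump into a user-defined chain
        if result is not None:
            return result
    if chain in POLICY:
        return POLICY[chain], "policy " + chain
    return None


def verdict(pkt, rules_text=RULES):
    """Verdict for a packet entering the INPUT chain under the given rule set."""
    return evaluate(parse_rules(rules_text), "INPUT", pkt)


if __name__ == "__main__":
    # Constructed sample packets: loopback ssh, remote ssh, remote http, reply traffic.
    samples = [
        {"iface": "lo", "proto": "tcp", "dst": "127.0.0.1", "dport": 22, "state": "NEW"},
        {"iface": "eth0", "proto": "tcp", "dst": "10.0.0.5", "dport": 22, "state": "NEW"},
        {"iface": "eth0", "proto": "tcp", "dst": "10.0.0.5", "dport": 80, "state": "NEW"},
        {"iface": "eth0", "proto": "tcp", "dst": "10.0.0.5", "dport": 80, "state": "ESTABLISHED"},
    ]
    for pkt in samples:
        print(pkt["iface"], pkt["proto"], pkt.get("dport"), pkt["state"], "->", verdict(pkt))
    # The reading in the post corresponds to the first rule without "-i lo":
    print("without -i lo:", verdict(samples[2], RULES.replace("-i lo ", "")))
```

Running it shows that only the loopback packet is accepted by the first rule; a remote port-80 SYN walks past it and reaches the final REJECT, while with `-i lo` removed from that rule everything is accepted at rule one, which is the behaviour the post expected to see.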



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
