Hello all,

I have discovered a few things I don't understand about iptables, at least as implemented by lokkit.

The following "firewall", built by hand, does nothing, as expected.

----------------------
[root@xxxxxxxxx sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
TEST       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TEST       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain TEST (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
[root@xxxxxxxxx sysconfig]#
-------------------------

But if I create nearly the same thing with lokkit (high security), it blocks ssh.

[root@xxxxxxxxx sysconfig]# lokkit
[root@xxxxxxxxx sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  monroe.patriot.net   anywhere            udp spt:domain
ACCEPT     udp  --  jackson.patriot.net  anywhere            udp spt:domain
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable
[root@xxxxxxxxx sysconfig]#
----------------------------

If, however, I manually add an additional (duplicate) first rule in the RH-Lokkit table, it's wide open again.

Several questions here:

1) Why does lokkit put that first rule in there? And since it's there, why doesn't it work? Shouldn't it cause the rest of the rules to be ignored?

2) Why does a second, identical rule get honored (i.e. the firewall is opened up) if I add it with "iptables -I RH-Lokkit-0-50-INPUT 1 -j ACCEPT"?

3) Lokkit uses the options -p udp -m udp in the rules it puts in /etc/sysconfig/iptables. What's the -m option? There was a -m for mark in ipchains, but that doesn't seem relevant.

This is low priority. I don't use lokkit anyway, but it would be nice to understand it.
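Added example, not part of the original post and not lokkit's own code: a small Python auditor for rules in the `iptables-save` / `/etc/sysconfig/iptables` format. The sample chain is constructed here to resemble a lokkit "high security" chain; the loopback-only first rule (`-i lo -j ACCEPT`) and the `-m udp` match module are assumptions about how lokkit writes that file, not values taken from the listings above. The point it demonstrates is a general one when reading firewall output: plain `iptables -L` does not display the `-i`/`-o` interface fields (they appear only with `-v`), so a line that reads `ACCEPT all -- anywhere anywhere` can still be restricted to one interface, which is the check worth making before concluding that a chain is either wide open or that its first rule is being ignored.

```python
"""Audit iptables-save style rules for restrictions that plain `iptables -L`
does not show.  Added example with constructed sample data; on a real host
feed it the output of `iptables-save` instead of SAMPLE_RULES."""
import shlex
from dataclasses import dataclass, field

# Constructed sample modelled on a lokkit-style chain (assumption, not the
# poster's actual /etc/sysconfig/iptables).  192.0.2.53 is a documentation
# address standing in for a DNS server.
SAMPLE_RULES = """\
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 192.0.2.53 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""

# Options that take no argument in the rule lines modelled here.
FLAG_OPTIONS = {"--syn"}


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    proto: str = "all"
    in_iface: str = ""       # -i: hidden by `iptables -L` unless -v is given
    out_iface: str = ""      # -o: likewise hidden without -v
    source: str = ""
    dest: str = ""
    matches: list = field(default_factory=list)   # -m modules (e.g. udp, tcp)
    extras: dict = field(default_factory=dict)    # remaining option -> argument


def parse_rule(line: str) -> Rule:
    """Parse one `-A CHAIN ...` line into a Rule.  `-m udp` records that the
    udp match module was loaded; that module is what provides --sport/--dport
    for UDP rules, which is why lokkit emits `-p udp -m udp`."""
    toks = shlex.split(line)
    rule = Rule()
    i = 0
    while i < len(toks):
        opt, arg = toks[i], ""
        if opt not in FLAG_OPTIONS and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            arg = toks[i + 1]
            i += 1
        i += 1
        if opt == "-A":
            rule.chain = arg
        elif opt == "-j":
            rule.target = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt == "-i":
            rule.in_iface = arg
        elif opt == "-o":
            rule.out_iface = arg
        elif opt == "-s":
            rule.source = arg
        elif opt == "-d":
            rule.dest = arg
        elif opt == "-m":
            rule.matches.append(arg)
        else:
            rule.extras[opt] = arg
    return rule


def hidden_by_plain_listing(rule: Rule) -> list:
    """Fields that `iptables -L` omits unless run with -v."""
    hidden = []
    if rule.in_iface:
        hidden.append(f"-i {rule.in_iface}")
    if rule.out_iface:
        hidden.append(f"-o {rule.out_iface}")
    return hidden


def is_blanket_accept(rule: Rule) -> bool:
    """True only for an ACCEPT with no protocol, address, interface or match
    restriction at all; such a rule short-circuits every rule after it."""
    return (rule.target == "ACCEPT" and rule.proto == "all"
            and not rule.in_iface and not rule.out_iface
            and not rule.source and not rule.dest
            and not rule.matches and not rule.extras)


def audit(dump: str) -> list:
    """Return one finding per rule that is easy to misread in `iptables -L`."""
    findings = []
    for n, line in enumerate(dump.splitlines(), 1):
        if not line.strip():
            continue
        rule = parse_rule(line)
        hidden = hidden_by_plain_listing(rule)
        if rule.target == "ACCEPT" and hidden:
            findings.append(f"rule {n}: ACCEPT restricted by {' '.join(hidden)} "
                            f"(not visible in plain 'iptables -L'; use -v or iptables-save)")
        elif is_blanket_accept(rule):
            findings.append(f"rule {n}: unconditional ACCEPT; every later rule in {rule.chain} is dead")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the constructed chain it reports only rule 1, as an ACCEPT that is limited to the loopback interface rather than a blanket one; inserting a bare `-j ACCEPT` at position 1, as in question 2, is what `is_blanket_accept` flags as making the rest of the chain dead.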