Here is the output of iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I want to open port 8140 so other puppet clients can communicate with the puppet master, so I tried adding this rule:
iptables -I INPUT 2 -p tcp --dport 8140 -j ACCEPT
But it didn't work. If it helps, the output of iptables-save is
# Generated by iptables-save v1.3.5 on Mon Jun 21 17:07:33 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [605:28389]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 21 17:07:33 2010
Thank you.
-
You need to update the chain named RH-Firewall-1, not INPUT.
From Tony -
If you were to add
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
just before the line that reads:
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
That should give you the desired result you are looking for.
From Jeremy Bouse -
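Why the rule inserted at INPUT position 2 never matched, as an added example that is not part of the original thread: a small Python model of filter-table traversal run over a trimmed copy of the rules above. The model is an assumption-laden simplification (it only understands -p, --dport, --state and -j, and treats ACCEPT, DROP and REJECT as terminal); the chain names, ports and rules are the ones from the question.

```python
# Trimmed copy of the asker's iptables-save rules: the jump into the custom
# chain, the misplaced 8140 rule, and the custom chain's state/REJECT tail.
BROKEN = """
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# The answer's fix: the same 8140 rule, but inside RH-Firewall-1-INPUT, where
# it lands ahead of the RELATED,ESTABLISHED rule and the final REJECT.
FIXED = BROKEN.replace("-A INPUT -p tcp", "-A RH-Firewall-1-INPUT -p tcp")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(save_text):
    """Turn '-A <chain> ...' lines into {chain: [rule, ...]}, keeping rule order."""
    chains = {}
    for line in save_text.strip().splitlines():
        tok = line.split()
        rule = {}
        for flag, val in zip(tok[2::2], tok[3::2]):  # each option here takes one arg
            if flag == "-p": rule["proto"] = val
            elif flag == "--dport": rule["dport"] = int(val)
            elif flag == "--state": rule["state"] = set(val.split(","))
            elif flag == "-j": rule["target"] = val
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    # A rule matches when every constraint it carries agrees with the packet.
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dport", pkt["dport"]) == pkt["dport"]
            and pkt["state"] in rule.get("state", {pkt["state"]}))

def walk(chains, chain, pkt, policy="ACCEPT"):
    """Return (verdict, where); a terminal verdict in a user chain ends the walk."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], f"{chain} rule {n}"
        sub = walk(chains, rule["target"], pkt, policy=None)
        if sub:  # the user chain only hands control back when it runs off its end
            return sub
    return (policy, f"{chain} policy") if policy else None

# Constructed packet: the first SYN from a puppet agent to the master on 8140.
PUPPET_SYN = {"proto": "tcp", "dport": 8140, "state": "NEW"}

for name, text in (("broken", BROKEN), ("fixed", FIXED)):
    print(name, *walk(parse(text), "INPUT", PUPPET_SYN))
```

The broken set rejects the SYN at the custom chain's last rule before INPUT rule 2 is ever consulted; the fixed set accepts it at the first rule of RH-Firewall-1-INPUT.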
You should be able to use system-config-security (or something like that) to modify the firewall rules. This is preferred as it is persistent and survives reboots of the server.
Jeremy Bouse: Yes, using the system-config-security is convenient but it is not generally universal between Linux systems; whereas knowing the proper way to edit the file format iptables reads is, and it still survives the reboots. Having a tool and having the knowledge are two different things that an admin should have.
Matt Delves: Completely agree. Though as the question stated CentOS/RedHat it is better to use their tools unless you are doing something really funky.
Jeremy Bouse: Though if you've been building servers like I do, those little extra packages are not installed as they are pointless for someone that knows how to do it without them. I run stripped down installations on all my systems so only what is absolutely necessary to do the task the server is assigned is installed.
From Matt Delves