Iptables appends rule default after “-A INPUT -j REJECT –reject-with icmp-host-prohibited”

iptables

I use iptables to open port 80 for HTTP on CentOS 6.4
I usually use vim to edit the /etc/sysconfig/iptables
But this time I use /sbin/iptables command.

# /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# service iptables save
# service iptables restart

When I list the rules I can see http like this:

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http

But I can not connect to web server from other machine
I checked the iptables file and I see the content like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [88:9264]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I had to manual put the line:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

before

-A INPUT -j REJECT --reject-with icmp-host-prohibited

and then when I restart iptables service. It worked!

So how can append new rules in a right way?
Thanks!

Best Answer

The -A command to iptables simply "appends" a rule. So if you're existing ruleset looks like this:

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

And you run:

# /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Then of course this will end up after the REJECT rule (because you told it to append the rule to the existing rulset). You have a few choices:

You can simply edit /etc/sysconfig/iptables by hand, insert the rules you want, and run service iptables restart.
You can use the lokkit tool to modify the firewall instead. E.g., lokkit -p 80:tcp. This will automatically update /etc/sysconfig/iptables as well as the active firewall.
You can use the -I <num> flag to iptables to insert the rule at the specified position in the list. The --line-numbers flag can be useful for figuring out what <num> should be. You'll need to run service iptables save after making changes this way.

If you really want to be able to do this sort of thing using just append commands, you'll need to perform a little setup first. Create a new chain (called, maybe, allow_services):

iptables -N allow_services

And add a rule to your INPUT chain in the appropriate place that jumps to this new chain:

iptables -I INPUT 5 -j allow_services

And from that point on, you can simply append new services to the allow_services chain:

iptables -A allow_services -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Assuming that you place your jump rule (the -j option) before the final REJECT this will do what you seem to be asking.

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Linux – Unable to make outbound SNMP connections when IPTables is enabled

Related Topic