Why does ACCEPT all for all destinations in iptables not allow port 8445?

Joel Ginsberg asked:

I have a test server which has the following IPtables configuration:

[[email protected] /]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

When I tried to access an application listening on port 8445, it was rejected. Once I added a rule to specifically allow tcp traffic to 8445, then I could access it. My question is why does the above configuration not allow port 8445 by default if I have the rule “ACCEPT all — anywhere anywhere”?

My answer:

Because of a long-standing design flaw with the iptables command. The complete firewall rule is not shown unless you use the -v/--verbose option. Once you do this, you will see that that rule accepts all traffic – on the lo interface!

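An added illustration, not part of the original question or answer: the same rule set in iptables-save syntax, which, like iptables -S and iptables -L -v, prints every match including the interface. The rules below are constructed to mirror the question (the "-A INPUT -i lo -j ACCEPT" line is the rule that -L renders as "ACCEPT all -- anywhere anywhere"), and the two helper functions are assumptions for illustration; they only filter that text, so the script runs offline. The optional --live branch runs the same check against the real rule set and needs root.

```shell
#!/bin/sh
# Added example (not from the original post): audit INPUT ACCEPT rules from the
# complete "iptables-save" form instead of the abbreviated "iptables -L" view.
# SAMPLE_RULES is a constructed rule set mirroring the question; note the
# "-i lo" match that "iptables -L" omits unless -v is given.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print INPUT ACCEPT rules with no interface, protocol, source or state match,
# i.e. rules that genuinely accept everything. Reads iptables-save text on stdin.
blanket_accepts() {
    grep '^-A INPUT ' | grep -- '-j ACCEPT' |
        grep -v -e ' -i ' -e ' -o ' -e ' -p ' -e ' -s ' -e ' --state ' || true
}

# Print INPUT ACCEPT rules that "iptables -L" shows as "ACCEPT all -- anywhere
# anywhere" (no protocol, source or state match) but that are in fact bound to
# an interface, which is exactly the case in the question.
interface_only_accepts() {
    grep '^-A INPUT ' | grep -- '-j ACCEPT' |
        grep -e ' -i ' -e ' -o ' |
        grep -v -e ' -p ' -e ' -s ' -e ' --state ' || true
}

if [ "${1:-}" = "--live" ]; then
    # Real host: iptables-save prints the full rules, interface matches included.
    iptables-save | interface_only_accepts
else
    echo "INPUT rules that accept everything:"
    printf '%s\n' "$SAMPLE_RULES" | blanket_accepts
    echo "INPUT rules shown by -L as 'ACCEPT all anywhere anywhere' but bound to an interface:"
    printf '%s\n' "$SAMPLE_RULES" | interface_only_accepts
fi
```

Run without arguments to see the constructed case: no rule accepts everything, and the only interface-bound blanket rule is the lo one, so a new connection to port 8445 on any other interface falls through to the final REJECT. On a live box, prefer iptables -S or iptables-save over iptables -L whenever you are reasoning about what a rule actually matches.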
View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.