Joel Ginsberg asked:
I have a test server which has the following IPtables configuration:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
When I tried to access an application listening on port 8445, it was rejected. Once I added a rule to specifically allow tcp traffic to 8445, then I could access it. My question is why does the above configuration not allow port 8445 by default if I have the rule “ACCEPT all — anywhere anywhere”?
Because of a long-standing design flaw with the iptables command. The complete firewall rule is not shown unless you use the --verbose option. Once you do this, you will see that that rule accepts all traffic – on the
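The following is an added example, not part of the original answer or of any iptables tooling. It models the point above: the plain `iptables -L` listing drops the "in" and "out" interface columns, so an interface-restricted rule prints identically to an unrestricted "ACCEPT all anywhere anywhere". The verbose listing below is constructed, and it assumes the questioner's third rule is `-i lo` (as in the stock CentOS/RHEL 6 ruleset that the posted output matches); the toy matcher only models protocol, input interface, conntrack state and destination port.

```python
import re

# Constructed sample of `iptables -L INPUT -v -n` output. ASSUMPTION: the third
# rule carries `-i lo`, as in the stock CentOS/RHEL 6 ruleset. Not from the page.
VERBOSE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""


def parse_chain(listing):
    """Parse one chain of `iptables -L -v -n` output into (name, policy, rules)."""
    lines = listing.strip("\n").splitlines()
    head = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    chain, policy = head.group(1), head.group(2)
    rules = []
    for line in lines[2:]:  # skip the chain header and the column header
        f = line.split()
        # verbose columns: pkts bytes target prot opt in out source destination [match options]
        rule = {"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                "src": f[7], "dst": f[8], "states": None, "dport": None}
        extra = f[9:]
        for i, tok in enumerate(extra):
            if tok == "state":
                rule["states"] = set(extra[i + 1].split(","))
            elif tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
        rules.append(rule)
    return chain, policy, rules


def rule_matches(rule, pkt):
    """First-match check on the fields this toy models: protocol, input interface,
    conntrack state and destination port. Address matching is deliberately left
    out because the sample only uses 0.0.0.0/0."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["in"] != "*" and rule["in"] != pkt["in_iface"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    return True


def verdict(listing, pkt):
    """Return (target, 1-based rule number) of the first matching rule, or
    (chain policy, None) when no rule matches."""
    _, policy, rules = parse_chain(listing)
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule["target"], n
    return policy, None


def hidden_constraints(listing):
    """Rule numbers restricted by input or output interface: plain `iptables -L`
    prints these with the same 'anywhere anywhere' text as an unrestricted rule."""
    _, _, rules = parse_chain(listing)
    return [n for n, r in enumerate(rules, 1) if r["in"] != "*" or r["out"] != "*"]


if __name__ == "__main__":
    new_8445 = {"proto": "tcp", "in_iface": "eth0", "dport": 8445, "state": "NEW"}
    print(verdict(VERBOSE_LISTING, new_8445))                         # ('REJECT', 5)
    print(verdict(VERBOSE_LISTING, {**new_8445, "in_iface": "lo"}))   # ('ACCEPT', 3)
    print(hidden_constraints(VERBOSE_LISTING))                        # [3]
```

A new connection to port 8445 arriving on a real interface falls through to the REJECT rule, while the same packet on the loopback interface is accepted by the third rule. On a live box the quickest way to see the hidden qualifiers is `iptables -L -v -n` (adds the in/out columns) or `iptables -S` / `iptables-save`, which print each rule as the command that created it, including any `-i lo`.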
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.