Iptables appends rule default after "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

Solution 1:

The -A command to iptables simply "appends" a rule. So if your existing ruleset looks like this:

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

And you run:

# /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Then of course this will end up after the REJECT rule (because you told it to append the rule to the existing ruleset). You have a few choices:

  1. You can simply edit /etc/sysconfig/iptables by hand, insert the rules you want, and run service iptables restart.
  2. You can use the lokkit tool to modify the firewall instead. E.g., lokkit -p 80:tcp. This will automatically update /etc/sysconfig/iptables as well as the active firewall.
  3. You can use the -I <num> flag to iptables to insert the rule at the specified position in the list. The --line-numbers flag can be useful for figuring out what <num> should be. You'll need to run service iptables save after making changes this way.

If you really want to be able to do this sort of thing using just append commands, you'll need to perform a little setup first. Create a new chain (called, maybe, allow_services):

iptables -N allow_services

And add a rule to your INPUT chain in the appropriate place that jumps to this new chain:

iptables -I INPUT 5 -j allow_services

And from that point on, you can simply append new services to the allow_services chain:

iptables -A allow_services -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Assuming that you place your jump rule (the -j option) before the final REJECT this will do what you seem to be asking.
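The setup the answer describes, as an added example that is not part of the original answer: it reads an INPUT listing in the `iptables -L INPUT -n --line-numbers` format, locates the first REJECT rule so that the jump to `allow_services` is inserted at that position (and therefore evaluated before the reject), and emits the `-N`, `-I` and `-A` commands. The listing embedded below is a constructed sample so the script runs without root or a live firewall; the function names (`reject_position`, `allow_chain_setup_commands`, `allow_service_command`) are this example's own and assume the non-verbose listing layout (no `-v`, whose packet/byte columns would shift the fields).

```shell
#!/bin/sh
# Added example (not from the original answer). Computes where the jump to
# the allow_services chain must be inserted so it precedes the final REJECT,
# then prints the iptables commands instead of executing them.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output.
# The REJECT rule is number 5, so the jump must be inserted at position 5.
SAMPLE_INPUT_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# reject_position LISTING
# Prints the rule number of the first REJECT rule in a non-verbose
# `iptables -L INPUT -n --line-numbers` listing; prints nothing if there is
# none. Field 1 is the rule number, field 2 the target; the "Chain" and
# "num target ..." header lines never have REJECT in field 2.
reject_position() {
    printf '%s\n' "$1" | awk '$2 == "REJECT" { print $1; exit }'
}

# allow_chain_setup_commands POS
# The one-time setup from the answer: create the chain, then insert the
# jump at POS so it sits in front of the REJECT rule.
allow_chain_setup_commands() {
    printf '%s\n' \
        "iptables -N allow_services" \
        "iptables -I INPUT $1 -j allow_services"
}

# allow_service_command PORT
# After setup, opening another TCP port is a plain append to the new chain.
allow_service_command() {
    printf 'iptables -A allow_services -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$1"
}

main() {
    listing="${1:-$SAMPLE_INPUT_LISTING}"
    pos=$(reject_position "$listing")
    if [ -z "$pos" ]; then
        # Without a terminal REJECT, appending to INPUT directly already works.
        echo "no REJECT rule in INPUT; -A INPUT is sufficient" >&2
        return 1
    fi
    echo "# jump inserted at position $pos (before the REJECT rule)"
    allow_chain_setup_commands "$pos"
    allow_service_command 80
    allow_service_command 443
    echo "service iptables save"
}

main
```

Run as-is, it prints the command sequence for the sample listing. To drive it from a live system, pass the real output in (for example `main "$(iptables -L INPUT -n --line-numbers)"`) and review the printed commands before running them as root; the script deliberately only prints them.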