Iptables appends rule default after "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
Solution 1:
The -A command to iptables simply "appends" a rule. So if your existing ruleset looks like this:

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

And you run:

# /sbin/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Then of course this will end up after the REJECT rule (because you told it to append the rule to the existing ruleset). You have a few choices:

- You can simply edit /etc/sysconfig/iptables by hand, insert the rules you want, and run service iptables restart.
- You can use the lokkit tool to modify the firewall instead. E.g., lokkit -p 80:tcp. This will automatically update /etc/sysconfig/iptables as well as the active firewall.
- You can use the -I <num> flag to iptables to insert the rule at the specified position in the list. The --line-numbers flag can be useful for figuring out what <num> should be. You'll need to run service iptables save after making changes this way.
If you really want to be able to do this sort of thing using just append commands, you'll need to perform a little setup first. Create a new chain (called, maybe, allow_services):

iptables -N allow_services

And add a rule to your INPUT chain in the appropriate place that jumps to this new chain:

iptables -I INPUT 5 -j allow_services

And from that point on, you can simply append new services to the allow_services chain:

iptables -A allow_services -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Assuming that you place your jump rule (the -j option) before the final REJECT, this will do what you seem to be asking.
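As an added example (not part of the answer above), a small shell helper that parses the output of iptables -L INPUT -n --line-numbers to find the REJECT rule and build the matching -I INPUT <num> command, so the position does not have to be read off by hand. The listing is constructed to look like a typical RHEL/CentOS INPUT chain; running the resulting command still needs root, so the helper only prints it.

```shell
#!/bin/sh
# Constructed sample of "iptables -L INPUT -n --line-numbers" output (not real output).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT or DROP rule in the listing,
# or nothing if there is none (in which case a plain -A is fine).
# Usage: find_reject_line <listing>
find_reject_line() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# Build the iptables command that opens a TCP port in front of the REJECT rule.
# Inserting at the REJECT's own number pushes the REJECT down one slot.
# Usage: insert_cmd <listing> <port>
insert_cmd() {
    pos=$(find_reject_line "$1")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$pos" "$2"
    else
        printf 'iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$2"
    fi
}

# Print the command for port 80 against the sample listing.
insert_cmd "$SAMPLE_LISTING" 80
```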