iptables - command line gives different results to gui

yogaboy · 12-23-2006, 11:21 PM

Hi,

I'm trying to configure Centos 4.4 iptables so that only ports 25 and 993 are listening. I've been reading all I can on iptables but I'm having unexpected results in applying it, and can only conclude I'm a bit confused, so some guidance seems required!

I ran from the command line
sudo /sbin/iptables -L INPUT

and got this

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

but if I go to Security Level in the System Tools menu then the firewall shows as enabled, and unless I add ports 25 and 993 in the extra box at the bottom (can't view it right now, please forgive that vagueness) then the firewall blocks everything. I ran ps aux to see if it was ipchains running, but I don't see it or iptables. I've added the /etc/sysconfig/iptables below if it's any help. I can see some of the rules I've set with the gui, but I don't fully understand the file (for instance, why can't I see 993 on there?).

So, 2 questions:
a) Shouldn't both the gui and the command line show the same thing, and why aren't they?
b) can anyone suggest either a clearly written resource I can refer to, or point me in the right direction for the right files and commands to configure via the command line.

Thanks for taking the time to look at this, any help/input is much appreciated.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Brian1 · 12-24-2006, 09:22 AM

The file /etc/sysconfig/iptables is not related to the gui tool system-config-securitylevel. The file /etc/sysconfig/system-config-securitylevel contains the data the gui tool sees.

I would either edit the file you have manually or write a completely new iptables-script. Or use a tool like shorewall or firewallbuilder. Never really used them much but offer a gui to help edit.

Brian

yogaboy · 12-24-2006, 09:28 AM

thanks for the reply, much appreciated. I'll look into it a bit further.