I think part of the problem stems from inexperience and you giving us incomplete information to start with:
- for instance the "/lib64/xtables/libipt_accept.so" warning shows you didn't realize Linux is case sensitive (it's "-j ACCEPT"),
- the fact /etc/sysconfig/iptables doesn't exist means it's either deleted (make backups!) or never initialized (see 'system-config-securitylevel'),
- the iptables commands you use each time result in an incomplete rule set and
- the "Chain TALLOW" reference indicates that, for whatever undisclosed reason, you chose to install and use APF instead of the /etc/sysconfig/iptables rule set (so modifying the latter doesn't make sense).
- Besides that you run some blocking tools that, since you don't list iptables rules the proper way (easiest is to use 'iptables-save > /path/to/savefile'), may block things easily if ill configured.
I suggest you revisit your decision and use the Netfilter interface you are most comfortable with, uninstall anything that covers your "3) Installed few firewalls" in your initial post and then use the chosen tools or CentOS documentation in conjunction with
http://www.frozentux.net/documents/iptables-tutorial/.
For clarity this is a more default /etc/sysconfig/iptables:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
...and this sums up much of what you want:
Code:
*filter
# [0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# [1]
-A INPUT -p icmp --icmp-type any -j ACCEPT
# [2]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# [3]
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "INVALID "
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
# [4]
-A INPUT -p tcp -m multiport --dports 80,8080 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# [5]
-A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "REJECT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
0. Your requirement of "block everything, except.." is a policy thing. I also changed the input chain name because a) IMO "RH-Firewall-1-INPUT" is too long and b) I only edit the rule set by hand.
1. Rule below should actually contain only the type:code pairs you allow for ping and traceroute diagnostics.
2. Possibly tune rule order afterwards watching
Code:
watch -n 1 "/sbin/iptables -nvx --line-numbers -t filter -L INPUT|grep ^[0-9]|sort -bgrk 2"
for some time.
3. The most important thing to know wrt any troubleshooting is watching the logs. Iptables allows you to create rules that log traffic.
4. There are lots of modules for iptables to use. To get help on default modules you can always '/sbin/iptables -m modulename --help' or 'man iptables'.
5. Dropping anything else provides remote hosts an indication of what is denied.
YMMV(VM) so test the rule set before using it: save the above code as /etc/sysconfig/iptables then run 'service iptables start'.
HTH
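As an added example (not from the post or the thread above): a small Python check that parses the iptables-save format of the second rule set and verifies the ordering the numbered notes describe, so a hand-edited /etc/sysconfig/iptables can be linted before 'service iptables start'. The function names are my own; the embedded sample input is the rule set quoted in the post.

```python
import shlex
# Sample input: the "block everything, except.." rule set quoted in the post above.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "INVALID "
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -p tcp -m multiport --dports 80,8080 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "REJECT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
def parse_filter_table(text):
    """Return ({chain: policy}, [(chain, argv), ...]) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):                    # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):    # ":CHAIN POLICY [pkts:bytes]"
            policies[line[1:].split()[0]] = line[1:].split()[1]
        elif in_filter and line.startswith("-A "):  # shlex keeps "REJECT " as one token
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules                          # comments, blanks and COMMIT are skipped
target = lambda argv: argv[argv.index("-j") + 1] if "-j" in argv else None
def lint_input_chain(text):
    """Findings for INPUT; [] means: DROP policy, ESTABLISHED,RELATED before NEW accepts, LOG then catch-all REJECT last."""
    policies, rules = parse_filter_table(text)
    inp = [argv for chain, argv in rules if chain == "INPUT"]
    first = lambda pred: next((i for i, a in enumerate(inp) if pred(a)), None)
    est = first(lambda a: "ESTABLISHED,RELATED" in a and target(a) == "ACCEPT")
    new = first(lambda a: "NEW" in a and target(a) == "ACCEPT")
    last = inp[-1] if inp else []
    catch_all = target(last) in ("REJECT", "DROP") and not any(o in last for o in ("-p", "-m", "-s", "-d", "-i"))
    checks = [
        (policies.get("INPUT") != "DROP", "INPUT policy is not DROP"),
        (est is None, "no ESTABLISHED,RELATED ACCEPT rule"),
        (est is not None and new is not None and new < est, "NEW accepts precede the ESTABLISHED,RELATED accept"),
        (not catch_all, "last INPUT rule is not a catch-all REJECT/DROP"),
        (catch_all and (len(inp) < 2 or target(inp[-2]) != "LOG"), "no LOG rule right before the final REJECT/DROP"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run it against a copy of your own /etc/sysconfig/iptables before loading it; an empty list means the chain is laid out as in the post, anything else names the ordering mistake.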