I think part of the problem stems from inexperience and you giving us incomplete information to start with:
- for instance the "/lib64/xtables/libipt_accept.so" warning shows you didn't realize Linux is case sensitive (it's "-j ACCEPT"),
- the fact /etc/sysconfig/iptables doesn't exist means it's either deleted (make backups!) or never initialized (see 'system-config-securitylevel'),
- the iptables commands you use each time result in an incomplete rule set and
- the "Chain TALLOW" reference indicates that, for whatever undisclosed reason, you chose to installed and use APF instead of the /etc/sysconfig/iptables rule set (so modifying the latter doesn't make sense).
- Besides that you run some blocking tools that, since you don't list iptables rules the proper way (easiest is to use 'iptables-save > /path/to/savefile'), may block things easily if ill configured.

I suggest you revisit your decision and use the Netfilter interface you are most comfortable with, uninstall anything that covers your "3) Installed few firewalls" in your initial post and then use the chosen tools or Centos documentation in conjunction with http://www.frozentux.net/documents/iptables-tutorial/.


For clarity this is a more default /etc/sysconfig/iptables:

...and this sums up much of what you want:
0. Your requirement of "block everything, except.." is a policy thing. I also changed the input chain name because a) IMO "RH-Firewall-1-INPUT" is too long and b) I only edit the rule set by hand.
1. Rule below should actually contain only the type:code pairs you allow for ping and traceroute diagnostics.
2. Possibly tune rule order afterwards watching
for some time.
3. The most important thing to know wrt any troubleshooting is watchihng the logs. Iptables allows you to create rules that log traffic.
4. There's lots of modules for iptables to use. To get help on default modules you can always '/sbin/iptables -m modulename --help' or 'man iptables'.
5. Dropping anything else provides remote hosts an indication of what is denied.

YMMV(VM) so test the rule set before using it: save the above code as /etc/sysconfig/iptables then run 'service iptables start'.


HTH

After this line, I am not able to access server

Please quote the appropriate post because I don't know who you are replying to. I'm certain it wasn't mine though. I never told you to issue the commands you posted and I told you to test the rule set before using it. The latter implies running it elsewhere, locally or say on a virtualization guest, before using it in production.

agriz says there is no

in his system

@agriz

I think after I asked you to check the output

whether all the rules are deleted or still there...
why you are using

Try this to check for your config file as I have shown for mine

No need for scratching heads: just read my post again (line 3). Other than that I'll leave you to it wrestling with iptables, APF and whatever else the OP seems to have installed. Good luck!

Right now, I am not able to access the server. Please kindly stay with me to help me on this.
I will soon get access. I shouldn't have entered the drop rule.

Hi, I got the access again. IPTABLES is stopped now.

I Enabled IPTABLES

Am i good to enter
?!?!

No. As per the "default" config given by Unspawn here, you are missing the defaults. If you DROP by default there, any outbound connection you make won't be allowed back in etc. http://www.linuxquestions.org/questi...ml#post4540053

I would say stop iptables and recreate the sysconfig/iptables file. I'll admit I've no experience with APF though, so I'm unclear how any config you've got from installing that (why did you install it?) might affect the loading of the normal config file. Running a "service iptables save", does the etc/sysconfig/iptables file get created with the few lines you've added? if so I presume it's safe to replace that file with the default (plus your additions) OR Unspawns first draft of a finished rulebase and start iptables up again.

APF is settings have been disabled.
etc/sysconfig/iptables - I can see this file now.

Where is default file located?
If i replace, Should i block and unblock the required ports?

Hi I just fixed the iptables issues.

Site is loading.
But I am not able to use wget to download files, yum to install.

The settings are



I think it is because of OUTPUT is only ESTABLISHED, Not NEW

Is it secured setting?
Will it run the site properly?

Thanks for your helps.

[I was blocked last time because i didn't allow the ssh port and denied all the ports. very funny mistake!]

You did, eh?


...dead wrong.


For you it may be but for those who are (still) trying to help you it is not. You say "Yes, I agree" when cautioned but I wonder if you really understand what agreeing actually means. You have been given advice, documents to read and examples to boot and yet you blithely ignore about everything. If there is a language barrier or a lack of basic Linux knowledge or if you are just not that interested then please say so.

I did read documents!
After that only i created those new rules.

I didn't post the sshd port rule here. I have changed the sshd port to 22 to something else.
Why do you say it is wrong?

It really hurts when you tell that i am not interested!
With my one week linux knowledge, I am trying my best to secure the site.

I don't know why do you say i am not interested