
I have iptables running and the most recent rules applied (i.e. I restarted the service and it says everything is "OK").

I have only used system-config-firewall to edit/define any rules, so I shouldn't have a manually created mistake. If I can avoid it, I don't want to edit it manually.

I thought I had it configured so that my Apache ports 80 and 443 would be open, but not the ones Tomcat is listening on (i.e. 8080, 8443). Yet, this is not so... I can browse to them with no problem on any machine.

Ultimately I do want the Tomcat ports accessible, but I don't understand why they already are. I expected I would need to explicitly open them.

Further, before I added the rules to explicitly open them, all of my mail ports were accessible as well (110, 143, 587, 993, 995...) Again, I do want those open but I don't understand why they always were?

Here is my iptables output. Why does everything seem to be open? Is it perhaps because there are no OUTPUT rules? Also, why are there seemingly duplicate rules? Does system-config-firewall not control for such duplicates? How can I clean that up? Only through a manual edit I suppose...

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2834  692K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        5   511 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       14   990 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      114  6717 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
15       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
17       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
18       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
19       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
20       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
21       0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3208 packets, 1537K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Mykola
BuvinJ

1 Answer

See lines 3, 4 and 5 in the INPUT chain - those rules allow any packets for any ports coming from interfaces eth0, eth1 and lo to pass. IPTables works with a first-match rule, so when a packet hits the first rule which allows/denies it, that rule is applied. You should set only rules for exact ports and reject any other traffic.

Ondra Sniper Flidr
  • Those rules for eth0, eth1, and lo were there before I did anything. Is it safe to keep lo open completely? That's local, right? I don't know what ethernet 0 or 1 actually are. What I really want to avoid is locking myself out of an SSH connection. How do I determine if I can drop those rules? – BuvinJ Nov 10 '15 at 21:31
  • Also, do you know if it is possible to adjust the order of these rules using system-config-firewall? That seems critical based on what you said about the "first-match-rule". – BuvinJ Nov 10 '15 at 21:32
  • Thanks for your help, btw! Your answer makes perfect sense. – BuvinJ Nov 10 '15 at 21:33
  • I took the risk and disabled those. It worked! My ports are now blocked as I expected. Plus, I was thankfully not locked out of my ssh connection. – BuvinJ Nov 10 '15 at 22:47
  • eth0 and eth1 were marked in the system-config-firewall gui as "Trusted Interfaces" w/ full access to the system. After disabling those they don't show up in that list anymore. Perhaps my hosting provider added those? – BuvinJ Nov 10 '15 at 23:19
  • My duplicates it turns out were caused by selecting "services" to trust, plus adding the corresponding port. For instance, I had "http" enabled as a service, plus I had added 80. I removed my manual addition of 80, and now there is one rule for that. – BuvinJ Nov 10 '15 at 23:22
  • @BuvinJ One little thing you can do to prevent yourself getting locked out of SSH, is to just make sure you ACCEPT all ESTABLISHED traffic above all REJECT/DROP/etc lines, and then you can leave your connection open and try to open a new one. If the new one fails, you know you need to fix stuff before logging out. :) – BenjiWiebe Nov 11 '15 at 01:12
  • eth0 and eth1 are network interfaces to LAN, I think it will be public network and one private network. lo is loopback or localhost. – Ondra Sniper Flidr Nov 11 '15 at 07:22
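The three problems raised in this thread (blanket per-interface ACCEPT rules that make every later port rule moot under first-match evaluation, duplicate rules created by enabling a service and adding its port, and the "keep the ESTABLISHED accept above any REJECT so an open SSH session survives" safety check from the comments) can all be spotted mechanically from the listing. The following audit script is an added example, not code from the thread or from system-config-firewall; it parses the output format of `iptables -L INPUT -nv --line-numbers` and runs on a constructed, trimmed copy of the INPUT chain from the question. The treatment of `lo` as a conventionally trusted loopback interface is an assumption of the example.

```python
"""Audit an `iptables -L INPUT -nv --line-numbers` listing for:
  * blanket ACCEPT rules keyed only on an interface (first-match shadowing),
  * port rules that such blanket rules make unreachable,
  * exact duplicate rules,
  * whether the RELATED,ESTABLISHED accept precedes the first REJECT/DROP.
Pipe a real listing on stdin, or run with no input to use the sample."""

import sys
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the INPUT chain from the question,
# keeping one blanket accept per interface and one duplicated port rule.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2834  692K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        5   511 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       14   990 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      114  6717 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
9        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""


@dataclass(frozen=True)
class Rule:
    num: int
    target: str
    prot: str
    in_if: str
    source: str
    dest: str
    extra: str  # match text after destination: "state ...", "dpt:...", "reject-with ..."

    def key(self):
        # Rule identity without number and counters; two rules with the same key are duplicates.
        return (self.target, self.prot, self.in_if, self.source, self.dest, self.extra)

    def is_blanket_accept(self):
        # Accepts every protocol from every source with no state or port qualifier.
        return self.target == "ACCEPT" and self.prot == "all" and self.extra == ""


def parse_listing(text):
    """Parse the -nv --line-numbers table; header and 'Chain' lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 10)  # 10 fixed columns, remainder is the match text
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        num, _pkts, _bytes, target, prot, _opt, in_if, _out, src, dst = parts[:10]
        extra = parts[10].strip() if len(parts) > 10 else ""
        rules.append(Rule(int(num), target, prot, in_if, src, dst, extra))
    return rules


def find_shadowed_port_rules(rules):
    """Port rules preceded by a blanket accept on a non-loopback interface.
    Traffic arriving on those interfaces never reaches the port rule (first match wins).
    Loopback is left out because accepting all of lo is the usual convention (assumption)."""
    shadowed = []
    for r in rules:
        if "dpt:" not in r.extra:
            continue
        earlier = [b.in_if for b in rules
                   if b.num < r.num and b.is_blanket_accept() and b.in_if != "lo"]
        if earlier:
            shadowed.append((r.num, earlier))
    return shadowed


def find_duplicates(rules):
    """(duplicate rule number, first occurrence number) for every repeated rule."""
    seen, dups = {}, []
    for r in rules:
        first = seen.setdefault(r.key(), r.num)
        if first != r.num:
            dups.append((r.num, first))
    return dups


def established_before_reject(rules):
    """True when the RELATED,ESTABLISHED accept sits above the first REJECT/DROP,
    so an already-open SSH session keeps working while port rules are changed."""
    est = next((r.num for r in rules if r.target == "ACCEPT" and "ESTABLISHED" in r.extra), None)
    deny = next((r.num for r in rules if r.target in ("REJECT", "DROP")), None)
    return est is not None and (deny is None or est < deny)


def audit(text):
    rules = parse_listing(text)
    return {
        "blanket_accepts": [(r.num, r.in_if) for r in rules if r.is_blanket_accept()],
        "shadowed_port_rules": find_shadowed_port_rules(rules),
        "duplicates": find_duplicates(rules),
        "established_before_reject": established_before_reject(rules),
    }


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for name, value in audit(listing).items():
        print(f"{name}: {value}")
```

On the sample, the report lists rules 3, 4 and 5 as blanket accepts, marks every port rule after them as unreachable for packets arriving on eth0 or eth1, flags rule 8 as a duplicate of rule 6, and confirms the ESTABLISHED accept precedes the REJECT. Re-running the same audit after removing the trusted-interface entries in system-config-firewall is a quick way to confirm the change took effect before closing the SSH session.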