I'm just reading up on iptables, finally. I'm a little confused because the INPUT chain from the filter table (as installed, Fedora 17) looks like this:

    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251          state NEW udp dpt:mdns
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

From what I've been reading, the third rule should just accept anything, but this is not the case (I have to disable iptables to allow access to sshd or an https server). All other chains for all other tables are policy ACCEPT, with no rules, except filter FORWARD, which REJECTs everything.
So what does ACCEPT really do?
iptables -v -L
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
        1    60 ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
      534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 31484 packets, 3973K bytes)
     pkts bytes target     prot opt in     out     source               destination

So this implies to me that the third rule actually only applies to the loopback interface? [yep]
iptables -L has the potential to confuse the user by omitting essential information and thus leading to false conclusions; better always make it iptables -L -v.
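To make the two points in this thread concrete (ACCEPT is a terminating target, so a packet is decided by the first rule it matches, and plain `iptables -L` hides the in/out interface columns that make the third rule loopback-only), here is an added example that is not part of the original question or comment. It parses a constructed copy of the `iptables -v -L` listing above and replays first-match semantics for a few constructed packets; the service-name table is an assumption standing in for /etc/services, and only the match extensions that appear in this chain (state, dpt) are modelled.

```python
"""Replay the INPUT chain from the question with iptables' first-match
semantics.  Added example for this thread, not code from the original post.
The chain text is reconstructed from the `iptables -v -L` listing above; the
packets and the service-name table are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the INPUT chain as `iptables -v -L` lays it out
# (counters, then target, prot, opt, in, out, source, destination, extensions).
IPTABLES_V_L = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36625   38M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    1    60 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
  534 73926 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
"""

# Assumed service-name table; real iptables resolves names via /etc/services.
SERVICE_PORTS = {"mdns": 5353, "ssh": 22, "https": 443}


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str            # match extensions, e.g. "state NEW udp dpt:mdns"


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    in_if: str            # interface the packet arrived on
    dst: str              # destination address as iptables would print it
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED
    dport: int = 0


def parse_chain(text: str) -> List[Rule]:
    """Parse `iptables -v -L` rows; data rows start with the pkts counter."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue                      # skip "Chain ..." and header lines
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        rules.append(Rule(target, proto, in_if, out_if, src, dst, " ".join(parts[9:])))
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All matches in a rule must hold: protocol, interface, address, extensions."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.in_if != "any" and rule.in_if != pkt.in_if:
        return False
    if rule.dst != "anywhere" and rule.dst != pkt.dst:
        return False
    tokens = rule.extra.split()
    for i, tok in enumerate(tokens):
        if tok == "state" and pkt.state not in tokens[i + 1].split(","):
            return False
        if tok.startswith("dpt:"):
            name = tok[4:]
            want = int(name) if name.isdigit() else SERVICE_PORTS.get(name, -1)
            if pkt.dport != want:
                return False
    # "reject-with ..." is a target option, not a match, so it is ignored here.
    return True


def first_match(rules: List[Rule], pkt: Packet,
                policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom: the first matching rule's target decides
    and nothing below it is consulted.  No match falls through to the policy."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.target, idx
    return policy, None


def interface_restricted(rules: List[Rule]) -> List[int]:
    """Indices of rules with an in/out interface, i.e. the columns `-L` omits."""
    return [i for i, r in enumerate(rules) if r.in_if != "any" or r.out_if != "any"]


RULES = parse_chain(IPTABLES_V_L)

if __name__ == "__main__":
    # A fresh SSH SYN from the network never reaches rule 3 because of "-i lo".
    print(first_match(RULES, Packet("tcp", "eth0", "192.0.2.10", "NEW", 22)))   # ('REJECT', 4)
    # The same SYN arriving on loopback is accepted by that rule.
    print(first_match(RULES, Packet("tcp", "lo", "127.0.0.1", "NEW", 22)))      # ('ACCEPT', 2)
    # Rule 3 is the only one that plain `iptables -L` renders misleadingly.
    print(interface_restricted(RULES))                                          # [2]
```

Two practical notes: parsing `-L` output is fragile (names are resolved, columns shift), so when auditing a box prefer `iptables -S INPUT` or `iptables-save`, which print each rule in command syntax with `-i lo` spelled out, and add `-n` to `-L` to stop DNS and service-name resolution. And because ACCEPT terminates traversal, the only reason the SSH SYN is rejected is that every ACCEPT above the REJECT has a match the packet fails; moving the loopback rule or adding `-p tcp --dport 22 -m state --state NEW -j ACCEPT` above the REJECT is what changes the verdict, not the policy.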