iptablesEdit

Created , updated

See

Default RHEL ruleset

Explained here and here:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

In short:

  • all inbound packets on the loopback interface are accepted
  • all ICMP (ping) traffic is accepted
  • ports 50 and 51 are related to IPSec and are accepted:
esp     50      IPSEC-ESP       # Encap Security Payload [RFC2406]
ah      51      IPSEC-AH        # Authentication Header [RFC2402]
  • port 5353 is Apple’s Digital Audio Access Protocol (DAAP) and is accepted
  • port 631 is for CUPS, the "Common UNIX Print System":
ipp             631/tcp                         # Internet Printing Protocol
ipp             631/udp                         # Internet Printing Protocol
  • packets pertaining or related to established connections are accepted
  • inbound connections to port 22 (SSH) are accepted
  • everything else is rejected

Related articles in this wiki