--- Al Sparks <data345 at yahoo.com> wrote:
> This is a standard RedHat / CentOS firewall configuration, where I
> told it, through the standard RH setup GUI, that I want ssh and
> snmp allowed through.
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT ipv6-crypt-- anywhere anywhere
> ACCEPT ipv6-auth-- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:snmp
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> The way I read this, though, the first rule in the RH-Firewall-1-INPUT
> chain applies to all packets coming in, which it accepts. That's all
> protocols from "anywhere" going to "anywhere".
>
> So shouldn't the packet no longer be evaluated past that rule?
>
> I know that when I have this enabled, it's stopping packets. So I'm
> reading this wrong. What am I getting wrong?
>
> === Al
I found the answer to my own question. The above output is from a
# iptables -L
But I looked at the /etc/sysconfig/iptables file and:
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The first RH-Firewall-1-INPUT only applies to "-i lo" or the loopback
interface.
Strangely enough, that's not reflected in the
# iptables -L
output.
=== Al
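The point of the thread is that `iptables -L` hides the interface match, so the first rule looks like "accept everything" when it is really "accept everything arriving on lo". The usual way to see the full rule is `iptables -L -v -n` (which adds the in/out interface columns) or `iptables -S` / `iptables-save`, which print the rules in the same form as /etc/sysconfig/iptables. The following is an added example, not code from the thread: a small first-match evaluator over the RH-Firewall-1-INPUT rules quoted above, with a handful of constructed packets, so the difference between the rule as displayed and the rule as written can be checked rule by rule. The interface name `eth0` and the addresses are assumptions for the sample packets; only the rule lines come from the post.

```python
"""First-match walk of an iptables chain, using the rules from the thread.

Added example: it parses the iptables-save style lines, then evaluates
constructed packets top to bottom, reporting which rule decided.
"""
import ipaddress
import shlex

# Ruleset copied from the /etc/sysconfig/iptables excerpt in the post.
RULESET = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def parse_rules(text):
    """Parse '-A CHAIN ...' lines into match dicts; only the options the
    ruleset above uses are understood, anything else raises."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "match": {}, "target": None}
        i = 2
        while i < len(toks):
            t, arg = toks[i], toks[i + 1]
            if t == "-j":
                rule["target"] = arg
            elif t == "-i":
                rule["match"]["iif"] = arg
            elif t == "-p":
                rule["match"]["proto"] = PROTO_NAMES[arg] if arg in PROTO_NAMES else int(arg)
            elif t == "-d":
                rule["match"]["dst"] = ipaddress.ip_network(arg, strict=False)
            elif t == "--dport":
                rule["match"]["dport"] = int(arg)
            elif t == "--state":
                rule["match"]["state"] = set(arg.split(","))
            elif t in ("-m", "--icmp-type", "--reject-with"):
                pass  # module loads, 'any' icmp type and reject style do not narrow the match
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    m = rule["match"]
    if "iif" in m and pkt["iif"] != m["iif"]:
        return False
    if "proto" in m and pkt["proto"] != m["proto"]:
        return False
    if "dst" in m and ipaddress.ip_address(pkt["dst"]) not in m["dst"]:
        return False
    if "dport" in m and pkt["dport"] != m["dport"]:
        return False
    if "state" in m and pkt["state"] not in m["state"]:
        return False
    return True


def evaluate(rules, chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, 1-based rule index) or (policy, None) if none match."""
    for idx, rule in enumerate((r for r in rules if r["chain"] == chain), 1):
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None


def packet(iif, proto, dst, state, dport=None):
    return {"iif": iif, "proto": proto, "dst": dst, "state": state, "dport": dport}


# Constructed sample packets (interface and address values are assumptions).
SAMPLE_PACKETS = {
    "loopback ssh": packet("lo", 6, "127.0.0.1", "NEW", 22),
    "eth0 new ssh": packet("eth0", 6, "192.0.2.10", "NEW", 22),
    "eth0 new http": packet("eth0", 6, "192.0.2.10", "NEW", 80),
    "eth0 reply": packet("eth0", 6, "192.0.2.10", "ESTABLISHED", 40000),
    "eth0 mdns": packet("eth0", 17, "224.0.0.251", "NEW", 5353),
}


def verdicts(ruleset=RULESET):
    rules = parse_rules(ruleset)
    return {name: evaluate(rules, "RH-Firewall-1-INPUT", p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print("rules as written (with -i lo):")
    for name, (verdict, idx) in verdicts().items():
        print(f"  {name:14s} -> {verdict:6s} rule {idx}")
    print("rules as 'iptables -L' shows them (interface match dropped):")
    for name, (verdict, idx) in verdicts(RULESET.replace("-i lo ", "")).items():
        print(f"  {name:14s} -> {verdict:6s} rule {idx}")
```

Running it with the rules as written, only the loopback packet stops at rule 1; new SSH from eth0 falls through to rule 9, an unsolicited HTTP SYN reaches the final REJECT, and an established reply is taken by the state rule. Dropping `-i lo` from rule 1 (the reading the `-L` output invites) makes every packet stop at rule 1, which is exactly the "accept everything" behaviour the poster expected and did not observe.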