Linux noob here. RHEL v6.7. Iptables default configuration. Not secure, right?

rafaelbn asked:

Thanks for having me!

So… I did a fresh install of RHEL v6.7. I was setting up just the NTP service and followed some tutorial on the interwebs. At some point in this tutorial it suggested that I should open port udp 123 so the server could receive NTP queries from other clients.

After that fresh install no configuration was done whatsoever.

When I checked the iptables service this is what I got.

[root@SVNTPRJO01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I’m not a linux guy but reading man pages and some blog posts I understand that because of rule number 3 on the INPUT chain this server would accept anything from anywhere, including udp 123, right?

Is my understanding correct?

This server only has one nic (eth0).

My answer:


The firewall is fine.

You need to add -v to see the full output.

Then you will see that the rule you think is allowing access from anywhere, actually allows access only on the lo interface, that is, anywhere on localhost.

You can open ports in the firewall configuration by running the system-config-firewall-tui command in a terminal, or system-config-firewall on a graphical system.


View the full question and answer on Server Fault.
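As an added illustration (not part of the original question or answer), the following Python script models how the `-v` output is read and how the INPUT chain above is evaluated top to bottom, so you can check what happens to an inbound UDP 123 packet on eth0 versus lo. The `iptables -L -v -n` sample is constructed from a stock RHEL 6 ruleset rather than captured from the questioner's host, and the matcher only understands the protocol, input interface, conntrack state and destination port matches that appear in it; it also goes a little beyond the page by letting you test any packet against the chain.

```python
import re

# Constructed sample of `iptables -L -v -n` for a stock RHEL 6 INPUT chain
# (not the questioner's capture). The "in" column only appears with -v.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   10   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   37  2900 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

def parse_chain(text):
    """Return (policy, rules) for the first chain in `-L -v -n` output."""
    policy, rules = None, []
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "Chain":
            policy = cols[3].rstrip(")")   # "(policy ACCEPT 0 packets, ...)"
        elif cols[0] != "pkts":            # skip the column-header line
            rules.append({"target": cols[2], "prot": cols[3], "in": cols[5],
                          "extra": " ".join(cols[9:])})
    return policy, rules

def rule_matches(rule, pkt):
    """Simplified matcher: protocol, input interface, state and dport only."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["in"] not in ("*", pkt["iface"]):   # rule 3 is bound to lo
        return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", rule["extra"])
    if m and int(m.group(1)) != pkt.get("dport"):
        return False
    return True

def verdict(text, pkt):
    """First matching rule decides; if none matches, the chain policy applies."""
    policy, rules = parse_chain(text)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy
```

For a new UDP 123 packet arriving on eth0, `verdict` returns REJECT because rule 3 requires `in` = lo, so the packet falls through to the final REJECT; the same packet on lo is accepted.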

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.