[plug] iptables questions

Daniel Pittman daniel at rimspace.net
Wed Sep 29 17:01:11 WST 2010

Fred Janon <fjanon at yahoo.com> writes:

> I am trying to understand how iptables work. I have a CentOS install and I
> am trying to enable ping/tracert on that instance. I don't understand if
> every port is open or closed by default on that instance?

The behaviour of iptables when there isn't a rule is called the "policy", and
as you can see from your output...

> $ sudo iptables -L -n
> Chain INPUT (policy ACCEPT)

...the INPUT chain has a policy of ACCEPT.  So, if no rules match the packet
the policy is to accept it.  The rest of the chains are left as an exercise
for the reader.

> What does an empty rule mean?

There is no such thing as "an empty rule".  You *can* talk about an empty
table, in which case it means one of two things:

If it is a root table (eg: INPUT, FORWARD, OUTPUT, and related) then the
default behaviour is as per the policy.

If it is a user-defined table then the behaviour is to return to the calling
table and proceed from the rule following the caller.

> Every port opne or every port clodes?

It might be worth noting that a port being "open" or "closed" is actually
using a bit of network jargon incorrectly.  While I know you mean "is the
firewall letting packets through", it usually refers to "is there a process
listening for packets on that protocol and port?"

"blocked", or "firewalled", would be more typical ways to express what that
question is asking, and that might help with confusion when talking to other
folks about it. :)


> After some research, I did this to try to enable PINGs. The server IP is
> ---------------------------
> $ SERVER_IP=""
> $ sudo iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d


> The tracert or ping still time out.

traceroute uses UDP packets, not ICMP, but whatever the cause of your problem,
it isn't the firewall rules.  :)

I don't know why they are not getting between your client and your server, but
the firewall is allowing them through.  I would suggest you check if your
hosting provider has any firewall in place, and that your ISP and local router
are not blocking the requests.

✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

More information about the plug mailing list