<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - --list command can be deceptive in some cases."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1122">1122</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>--list command can be deceptive in some cases.
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.4.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>p@trickslav.in
</td>
</tr></table>
<p>
<div>
<pre>Hello,

It was a bit tricky to see that the port was actually closed in IPTables, as at
first glance it appears to be open:

[root@Ping init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
(*) ACCEPT all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Export with iptables-save:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1341:2337120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
(*) -A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

At (*) it states that the firewall is accepting from everywhere when you run
iptables --list, but you can see that this is not the case when you run
iptables-save! It shows that it is accepting all for the LOOPBACK interface,
practically the opposite of "all".

Regards,
Patrick Slavin</pre>
</div>
</p>
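<p>The report above shows the behaviour but not the mechanism: <code>iptables -L</code> without <code>-v</code> omits the <code>in</code> and <code>out</code> interface columns, so an interface-scoped rule such as <code>-A INPUT -i lo -j ACCEPT</code> prints the same <code>anywhere anywhere</code> row as a rule that really accepts from every source. <code>iptables -L -v</code> adds those columns, and <code>iptables -S</code> prints rules in save format, where nothing is hidden. The following Python script is an added example, not part of the bug report or of the iptables project: it parses the report's <code>iptables-save</code> dump (embedded here as constructed sample input), approximates the rows that <code>-L</code> and <code>-L -v</code> would print for each rule, and flags rules whose interface restriction the non-verbose listing hides. The column layout is an approximation of the real output, and match options are shown raw rather than in the reformatted form iptables uses.</p>

```python
"""Show which iptables rules `iptables -L` (without -v) renders misleadingly.

Added example for the bug report above; not iptables code.  It parses
iptables-save text, renders the rows -L and -L -v would print, and lists
rules whose -i/-o restriction only the verbose listing reveals.
"""
import shlex

# Options whose values appear in the `in`/`out` columns, which `iptables -L`
# prints only when -v is given.
IFACE_OPTS = {"-i": "in", "--in-interface": "in",
              "-o": "out", "--out-interface": "out"}

# Constructed sample input: the iptables-save dump quoted in the bug report.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1341:2337120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rules(save_text):
    """Return one dict per `-A` line with the fields -L shows and the ones it hides."""
    rules = []
    for line in save_text.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) < 2 or toks[0] != "-A":
            continue  # table headers, chain policies, COMMIT
        rule = {"chain": toks[1], "raw": line.strip(), "proto": "all",
                "src": "anywhere", "dst": "anywhere", "in": None, "out": None,
                "target": None, "extra": []}
        i, negate = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":  # iptables-save writes negation as its own token
                negate, i = True, i + 1
                continue
            prefix = "!" if negate else ""
            negate = False
            if tok in IFACE_OPTS:
                rule[IFACE_OPTS[tok]] = prefix + toks[i + 1]
                i += 2
            elif tok in ("-p", "--protocol"):
                rule["proto"] = prefix + toks[i + 1]
                i += 2
            elif tok in ("-s", "--source"):
                rule["src"] = prefix + toks[i + 1]
                i += 2
            elif tok in ("-d", "--destination"):
                rule["dst"] = prefix + toks[i + 1]
                i += 2
            elif tok in ("-j", "--jump", "-g", "--goto"):
                rule["target"] = toks[i + 1]
                i += 2
            else:  # match modules and target options, kept raw
                rule["extra"].append(prefix + tok)
                i += 1
        rules.append(rule)
    return rules


def render_list(rule, verbose=False):
    """Approximate the row `iptables -L` (or `-L -v`) prints for this rule.

    Without -v the in/out columns are absent, so an interface-only rule
    collapses to 'anywhere anywhere', which is the report's complaint.
    """
    cols = [rule["target"] or "", rule["proto"], "--"]
    if verbose:
        cols += [rule["in"] or "any", rule["out"] or "any"]
    cols += [rule["src"], rule["dst"]]
    cols += rule["extra"]
    return " ".join(cols)


def hidden_by_list(rules):
    """Rules the non-verbose listing shows as anywhere->anywhere although
    they are actually restricted to an interface."""
    return [r for r in rules
            if (r["in"] or r["out"])
            and r["src"] == "anywhere" and r["dst"] == "anywhere"]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_SAVE)
    for r in parsed:
        print(f"{r['chain']:8} -L:    {render_list(r)}")
        print(f"{'':8} -L -v: {render_list(r, verbose=True)}")
    for r in hidden_by_list(parsed):
        print("interface restriction hidden by -L:", r["raw"])
```

<p>Running it prints each rule as <code>-L</code> and as <code>-L -v</code> would, then names the loopback rule as the one the non-verbose listing misrepresents. On a live host the equivalent check is to compare <code>iptables -L -n</code> with <code>iptables -L -n -v</code>, or to audit with <code>iptables -S</code> (or <code>iptables-save</code>) rather than <code>-L</code> at all.</p>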
</body>
</html>