06-30-2005   #4
thanhvn

I posted on another Linux site and a user helped me solve my problem by using the /usr/bin/system-config-securitylevel tool to configure my firewall. (Under gnome, run Desktop->System Settings->Security Level. On the Firewall Options tab, check the SSH box in the "Trusted Services" window.)

However, I have another related question. Here is my new iptables after enabling ssh service:

Code:
[root@localhost ~]# iptables -L -v --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
9        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
The only difference between this new iptables and the old one is the addition of one new rule in the RH-Firewall-1-INPUT chain:

Code:
8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
Now, I can understand why this new rule is needed, because rule #1 and rule #7 in the RH-Firewall-1-INPUT chain do not apply: they accept only packets coming in on the loopback interface and packets belonging to an existing connection, respectively.

However, what I don't understand is that I've been browsing and purchasing stuff on the Internet and there are no rules for accepting new incoming HTTP and HTTPS packets!?

As a demonstration, I use the system-config-securitylevel tool to enable HTTP and HTTPS services in the firewall and my new iptables is:

Code:
[root@localhost ~]# iptables -L -v --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
3        0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
4        0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
5        0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
6        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
7        0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
8        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
9        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
10       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
11       0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
As you can see, two new rules, rule #8 and rule #9, were added for the HTTPS and HTTP services, respectively.

Now, why was I able to use the HTTP and HTTPS services without rules #8 and #9, while I couldn't use the SSH service without rule #10?

Thanks for any help in expanding my limited Linux networking knowledge.
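The behaviour the post asks about, as an added example that is not part of the original post: a small Python model of the chains in the listing. Two facts in that listing decide the outcome. The OUTPUT chain has policy ACCEPT and no rules, so every connection the host itself opens (the browser's SYN to port 443) leaves unfiltered and is recorded by connection tracking; rule #7 (state RELATED,ESTABLISHED) then accepts the server's replies on INPUT, so no `dpt:http` or `dpt:https` rule is ever consulted. An inbound SSH connection is the opposite case: the remote client's SYN has no conntrack entry, is classified NEW, and can only be accepted by the `state NEW tcp dpt:ssh` rule before the final REJECT. The addresses, interface names, the `trusted_tcp_ports` parameter and the record-on-accept simplification are assumptions made for this model (real conntrack classifies packets before the filter table sees them, and only the ESTABLISHED half of rule #7 is modelled).

```python
"""Model of the stateful filtering behind the RH-Firewall-1-INPUT chain quoted
above.  Added example, not code from the original post.  The addresses,
interface names and port sets below are constructed for the model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    iface: str   # interface the packet arrives on or leaves by ("eth0", "lo")
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Connection tracking keyed by 5-tuple.  A packet whose tuple, or whose
    reversed tuple, is already known is ESTABLISHED; anything else is NEW."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        if self.key(p) in self.table or self.reverse_key(p) in self.table:
            return "ESTABLISHED"
        return "NEW"

    def note(self, p):
        self.table.add(self.key(p))


def rh_firewall_1_input(ct, p, trusted_tcp_ports):
    """The rules of RH-Firewall-1-INPUT, top to bottom, first match wins.
    trusted_tcp_ports is the set of 'state NEW tcp dpt:...' rules present
    (empty = the chain before enabling SSH, {22} = after, and so on)."""
    if p.iface == "lo":                                    # rule 1
        return "ACCEPT"
    if p.proto == "icmp":                                  # rule 2
        return "ACCEPT"
    # rules 3-4 (ipv6-crypt, ipv6-auth) carry no traffic in this IPv4 model
    if p.proto == "udp" and p.dst == "224.0.0.251" and p.dport == 5353:  # rule 5
        return "ACCEPT"
    if p.proto == "udp" and p.dport == 631:                # rule 6 (ipp)
        return "ACCEPT"
    if ct.state(p) == "ESTABLISHED":                       # rule 7
        return "ACCEPT"
    if p.proto == "tcp" and p.dport in trusted_tcp_ports:  # rules 8.. (state NEW)
        return "ACCEPT"
    return "REJECT"                                        # last rule: icmp-host-prohibited


def input_chain(ct, p, trusted_tcp_ports):
    """INPUT only jumps to RH-Firewall-1-INPUT.  Accepted packets are recorded
    (simplification) so later packets of the same connection match rule 7."""
    verdict = rh_firewall_1_input(ct, p, trusted_tcp_ports)
    if verdict == "ACCEPT":
        ct.note(p)
    return verdict


def output_chain(ct, p):
    """OUTPUT has policy ACCEPT and no rules: everything the host sends leaves,
    and conntrack records it, which is what makes the reply ESTABLISHED."""
    ct.note(p)
    return "ACCEPT"


def scenario(trusted_tcp_ports):
    """Run the traffic discussed in the post through the chains; return verdicts."""
    ct = Conntrack()
    host, web, peer = "192.0.2.10", "198.51.100.20", "203.0.113.5"  # constructed
    v = {}
    # Browser opens an HTTPS connection: OUTPUT accepts the SYN, the server's
    # SYN-ACK arrives on INPUT and is matched by rule 7, not by any dpt rule.
    output_chain(ct, Packet("tcp", "eth0", host, 40000, web, 443))
    v["https_reply"] = input_chain(ct, Packet("tcp", "eth0", web, 443, host, 40000), trusted_tcp_ports)
    # A remote client opens an SSH connection to this host: no conntrack entry
    # exists, so the SYN is NEW and only a 'dpt:ssh' rule can accept it.
    v["ssh_new"] = input_chain(ct, Packet("tcp", "eth0", peer, 51000, host, 22), trusted_tcp_ports)
    v["ssh_data"] = input_chain(ct, Packet("tcp", "eth0", peer, 51000, host, 22), trusted_tcp_ports)
    # Likewise an inbound request to a web server running on this host.
    v["http_new"] = input_chain(ct, Packet("tcp", "eth0", peer, 51001, host, 80), trusted_tcp_ports)
    return v
```

`scenario(set())` reproduces the original chain: the HTTPS reply is accepted by rule #7 while the inbound SSH and HTTP connections hit the REJECT; `scenario({22})` is the chain after enabling SSH, and `scenario({22, 80, 443})` the chain after also enabling HTTP and HTTPS, which only matters for servers listening on this host, not for the browser.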