iptables pitfall

An important thing to remember about the ruleset in /etc/sysconfig/iptables is that each chain is walked in order: the first rule is checked, then the second, and so on, and the first matching rule with a terminating target (ACCEPT, DROP or REJECT) decides the packet's fate; nothing after it in that chain is consulted. It's the opposite of CSS in that respect, where a later rule overrides an earlier one. More specific rules should go first, and the all-encompassing catch-all should go last.

I was trying to open the usual DB2 ports on RHEL. For some reason, nothing was working.

It turned out that this line was at fault:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

This rejects all incoming traffic that no earlier rule has accepted. It has to be the last rule in the RH-Firewall-1-INPUT chain, immediately before COMMIT, after all the open-port definitions: any -A line for that chain placed after it can never match, so rules added below it silently do nothing. The same holds when editing the live ruleset: iptables -A appends after the REJECT, so use iptables -I RH-Firewall-1-INPUT <n> to insert above it, then confirm with iptables -L RH-Firewall-1-INPUT -n -v --line-numbers that the new rule's packet counter actually increments.
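As an added example (not part of the original post), here is a small POSIX shell/awk linter that reads a ruleset in the /etc/sysconfig/iptables (iptables-save) format and reports every rule appended to a chain after an unconditional terminating rule in that chain, which is exactly the dead-rule situation described above. It generalizes beyond the single REJECT case: any match-free ACCEPT, DROP, REJECT or RETURN closes the chain. The two sample rulesets, the DB2 port numbers 50000 and 55000, and the function names are constructed for illustration and are assumptions, not the author's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: flag iptables rules that can never
# match because an unconditional terminating rule precedes them in the same chain.

# find_dead_rules: reads an iptables-save style ruleset on stdin and prints one
# line per unreachable rule. Exit status is 1 if any were found, else 0.
find_dead_rules() {
    awk '
    # A rule is an unconditional terminator when it has no match options at all
    # ("-A CHAIN -j TARGET") and TARGET ends the walk of the chain.
    # --reject-with is an option of the REJECT target, not a match, so drop it first.
    function is_catchall(line,    n, f) {
        gsub(/[ \t]+--reject-with[ \t]+[^ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n != 4 || f[1] != "-A" || f[3] != "-j") return 0
        return (f[4] ~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
    }
    /^-A / {
        chain = $2
        if (chain in closed) {
            printf "line %d: unreachable in %s (after catch-all on line %d): %s\n", NR, chain, closed[chain], $0
            dead++
        } else if (is_catchall($0)) {
            closed[chain] = NR
        }
    }
    # Each table ends with COMMIT; chains in the next table start fresh.
    /^COMMIT/ { for (k in closed) delete closed[k] }
    END { exit (dead > 0) }
    '
}

# count_dead_rules RULESET: number of unreachable rules in the given text.
count_dead_rules() {
    printf '%s\n' "$1" | find_dead_rules | awk 'END { print NR }'
}

# Constructed ruleset in the shape of /etc/sysconfig/iptables on RHEL 5/6.
# The (assumed) DB2 port rules sit after the catch-all REJECT, so they are dead.
BROKEN_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 55000 -j ACCEPT
COMMIT'

# Same ruleset with the REJECT moved to the end of the chain, just before COMMIT.
FIXED_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 55000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Demo when run directly: the broken ruleset reports the two dead DB2 rules,
# the fixed one reports none.
echo "== broken ruleset =="
printf '%s\n' "$BROKEN_RULESET" | find_dead_rules || :
echo "== fixed ruleset: $(count_dead_rules "$FIXED_RULESET") unreachable rule(s) =="
```

On a real host the same check runs as `find_dead_rules < /etc/sysconfig/iptables` before a `service iptables restart`, or as `iptables-save | find_dead_rules` against the live tables; its non-zero exit status when dead rules exist makes it usable as a gate in a deploy script. It only recognizes match-free terminators, so a chain "closed" by a broad but conditional rule (say, `-p tcp -j DROP`) still has to be reviewed by eye.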
