1. Problem: found the following commands on a website for opening ports 9080 and 9443:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
The setting didn't work; 9080/9443 were still not accessible. The cause is rule order: -A appends to the end of the chain, so the new rules landed after the existing
-A INPUT -j DROP
and iptables stops at the first terminating match, so everything below that DROP is never evaluated.
2. Solution: insert the rules at the head of the chain with -I instead of appending with -A:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT
service iptables save
-I INPUT with no position number inserts at position 1, so after "service iptables save" wrote the running rules out, the two ACCEPT lines sat at the very beginning of the INPUT chain in /etc/sysconfig/iptables, above the DROP. Then it worked.
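The ordering problem from items 1 and 2, shown as an added example (not part of the original notes): the script below holds a constructed /etc/sysconfig/iptables in a variable, emulates what iptables -A INPUT and iptables -I INPUT do to the chain order in that text, and then audits the result for ACCEPT rules that sit below an unconditional DROP/REJECT and can never match. The rule set, the helper names (append_input_rule, insert_input_rule, shadowed_input_rules, port_reachable) and the ports are all assumptions for the example; nothing here touches the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original notes): check a saved rule set in
# iptables-save format for ACCEPT rules that can never match because an
# unconditional DROP/REJECT earlier in the INPUT chain ends evaluation first.
# The rule text below is constructed for this example; append_input_rule and
# insert_input_rule only emulate what "iptables -A INPUT" and "iptables -I
# INPUT" do to the chain order, without touching the kernel.

# Constructed /etc/sysconfig/iptables before any change: a typical default
# that ends the INPUT chain with an unconditional DROP.
RULES_BASE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'

NEW_9080="-m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT"
NEW_9443="-m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT"

# Emulate "iptables -A INPUT <rule>": the rule goes to the end of the chain,
# i.e. just before COMMIT in a filter-only saved file.
append_input_rule() {
    awk -v rule="$1" '$1 == "COMMIT" { print "-A INPUT " rule } { print }'
}

# Emulate "iptables -I INPUT <rule>" (no position given): the rule becomes
# position 1, i.e. it goes before the first existing "-A INPUT" line.
insert_input_rule() {
    awk -v rule="$1" '
        !done && (($1 == "-A" && $2 == "INPUT") || $1 == "COMMIT") {
            print "-A INPUT " rule; done = 1
        }
        { print }'
}

# Print every INPUT rule that sits below an unconditional terminating rule
# ("-A INPUT -j DROP" or "-A INPUT -j REJECT ..." with no match clause).
# Reads the rule set on stdin; exit status 1 if any such dead rule exists.
shadowed_input_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            if (dead) { print; found = 1; next }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) dead = 1
        }
        END { exit found ? 1 : 0 }'
}

# Exit 0 if a NEW connection to port $1 hits an ACCEPT rule carrying
# "--dport $1" before any unconditional DROP/REJECT in INPUT, else exit 1.
# (Only --dport is inspected, which is all the rules on this page use.)
port_reachable() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) exit
            for (i = 3; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port && $NF == "ACCEPT") {
                    ok = 1; exit
                }
        }
        END { exit ok ? 0 : 1 }'
}

# The failed attempt from the notes: both rules appended with -A.
rules_appended() {
    printf '%s\n' "$RULES_BASE" \
        | append_input_rule "$NEW_9080" | append_input_rule "$NEW_9443"
}

# The working fix: both rules inserted with -I (9443 ends up above 9080,
# because each -I goes to position 1).
rules_inserted() {
    printf '%s\n' "$RULES_BASE" \
        | insert_input_rule "$NEW_9080" | insert_input_rule "$NEW_9443"
}

for variant in rules_appended rules_inserted; do
    echo "== $variant"
    if "$variant" | shadowed_input_rules; then
        echo "no shadowed rules"
    else
        echo "^ these rules sit below the DROP and never match"
    fi
    for p in 22 9080 9443; do
        if "$variant" | port_reachable "$p"; then
            echo "port $p: reachable"
        else
            echo "port $p: blocked"
        fi
    done
done
```

The same audit works on a real box: shadowed_input_rules < /etc/sysconfig/iptables lists any rule that was appended below the DROP and can be deleted. If a rule should sit at a specific place rather than at the top (for example directly above the DROP, below the ESTABLISHED,RELATED rule), find the DROP's position with iptables -L INPUT -n --line-numbers and use iptables -I INPUT <n> ... with that number.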
3. Update /etc/sysconfig/iptables-config as below; otherwise rules added at runtime but not yet saved are lost when "service iptables restart" reloads the chain from /etc/sysconfig/iptables. Note that with these set to "yes", whatever is loaded at stop/restart time is written to the file, including any temporary or mistaken rule, so check the running chain with iptables -L -n before stopping the service.
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"
4. Sometimes port 80 cannot be added to the iptables file (tried many times).
Failed many times: the port 80 setting never took effect and kept getting overwritten. Probably the parameters were wrong.
Later used the command # system-config-firewall to configure it in the GUI, which automatically modifies the /etc/sysconfig/iptables file.
Or: # system-config-firewall-tui
Reference: http://www.cyberciti.biz/faq/linux-web-server-firewall-tutorial/