I have iptables running and the most recent rules applied (i.e. I restarted the service and it says everything is "OK").
I have only used system-config-firewall to edit/define any rules, so I shouldn't have a manually created mistake. If I can avoid it, I don't want to edit it manually.
I thought I had it configured so that my Apache ports 80 and 443 would be open, but not the ones Tomcat is listening on (i.e. 8080, 8443). Yet, this is not so... I can browse to them with no problem on any machine.
Ultimately I do want the Tomcat ports accessible, but I don't understand why they already are. I expected I would need to explicitly open them.
Further, before I added the rules to explicitly open them, all of my mail ports were accessible as well (110, 143, 587, 993, 995...) Again, I do want those open but I don't understand why they always were?
Here is my iptables output. Why does everything seem to be open? It is perhaps because there are no OUTPUT rules? Also, why are there seemingly duplicate rules? Does system-config-firewall not control for such duplicates? How can I clean that up? Only through a manual edit I suppose...
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2834 692K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 5 511 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 14 990 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 114 6717 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
8 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
10 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
12 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
13 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
14 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
15 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
16 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
17 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
18 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
19 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
20 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
21 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
6 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3208 packets, 1537K bytes)
num pkts bytes target prot opt in out source destination
See line 3, 4 and 5 in INPUT chain - those rules allows any packets for any ports comming from interfaces eth0, eth1 and lo to pass. IPTables works with first-match-rule, so when packet gets first rule which allows/deny it, it is applied. You should set only rules to exact ports and reject any other traffic.