iptables - command line gives different results to gui
I'm trying to configure Centos 4.4 iptables so that only ports 25 and 993 are listening. I've been reading all I can on iptables but I'm having unexpected results in applying it, and can only conclude I'm a bit confused, so some guidance seems required!
I ran from the command line
sudo /sbin/iptables -L INPUT
and got this
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
but if I go to Security Level in the System Tools menu then the firewall shows as enabled, and unless I add ports 25 and 993 in the extra box at the bottom (can't view it right now, please forgive that vagueness) then the firewall blocks everything. I ran ps aux to see if it was ipchains running, but I don't see it or iptables. I've added the /etc/sysconfig/iptables below if it's any help. I can see some of the rules I've set with the gui, but I don't fully understand the file (for instance, why can't I see 993 on there?).
So, 2 questions:
a) Shouldn't both the gui and the command line show the same thing, and why aren't they?
b) can anyone suggest either a clearly written resource I can refer to, or point me in the right direction for the right files and commands to configure via the command line.
Thanks for taking the time to look at this, any help/input is much appreciated.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 220.127.116.11 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited