I did the following commands:

iptables -A INPUT -p tcp -s 1.2.3.4 -d 10.9.8.7 --dport 21 -j ACCEPT
iptables-save
iptables -L
more iptables


I wanted to allow 1.2.3.4 to ftp to my server, then save that rule to iptables so when my server restarts its still there.

when i do iptables -L i see the rule listed, when I do more iptables I don't see it anywhere. Did i miss a step?

When you do 'iptables-save' you must actually 'save' the output to your firewall script.

From the commands you did above, you did:

1) add the new rule
2) iptables-save to the screen (stdout)
3) iptables -L (which shows you the loaded iptables)
4) more iptables (this would show you a file called "iptables" if one exists in your current working directory)


I believe you should have (at step 2) dumped "iptables-save" into your firewall script, like:

shell# iptables-save > iptables

assuming your firewall script is named "iptables".

Sasha

Looks like that worked. when i do the more iptables, I do see it in there now. but it added a -m tcp to the line for some reason.

also, do i have to restart iptables now for it to kick in?

Once you add the line, the rule is implemented immediately. You don't need to restart iptables, as it's already 'kicked in'.

I'm not sure why the "-m tcp" appeared if you did not put it there, but maybe where you used "-p tcp" implies "-m tcp" automatically. Kinda makes sense-- if you want to match to TCP protocol (-p tcp), then -m is sort of implied. You'd need to check the man page or other docs to verify that this is precisely what's happening though.

Sasha

I love when things just kick in! thanks for the help!!

For the record, here's a chunk of the iptables man page:

So the bold part does explain why the -m showed up: it was implied by -p

Cheers!
Sasha

Excellent, thanks Sasha!