A new HTTPS web service is being deployed on a server. Which of the following commands should the Linux administrator use to ensure traffic is able to flow through the system firewall to the new service?
A. iptables -I OUTPUT -p tcp --sport 443 -j ACCEPT
B. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
C. iptables -I INPUT --dport 443 -j ACCEPT
D. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
@Pop: option C is also valid.
As stated here:
http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-en-4/s1-iptables-options.html
-p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every supported protocol. In addition, any protocols listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.
So C works without -p, and because of the -I option iptables will place this rule at the top of the chain.
The choice is between B and C.
Rule B will sit at the end of the chain; if there is a deny before it, it's useless. Protocol allowed is TCP.
Rule C will sit first in the chain. Protocols allowed are the default ones: icmp, tcp and udp.
The goal is to ensure the traffic goes through the firewall. With B there is some doubt, but with C we are sure the 443 traffic will pass.
I would go with C.
C didn't work in the command line:
[root@centos7eve ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT (this is B)
[root@centos7eve ~]# iptables -I INPUT --dport 443 -j ACCEPT (this is C)
iptables v1.4.21: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
[root@centos7eve ~]#
C is an invalid command.
Actually random, if you read your link, it states --dport is an option for only tcp or udp, meaning it can't be used without it.
A – insert ok BUT it’s OUTPUT chain
B – append ok .. BUT if there is deny before, it will be useless
C – won’t work without -p
D – append .. choose A or B better
Then B .. best choice
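The two points argued in this thread, that -A appends a rule after any existing deny while -I puts it first, and that --dport is only accepted once -p tcp or -p udp has loaded the protocol match, can be shown with a small model of a first-match filter chain. This is an added illustration, not code from the page or from iptables itself; the Rule/Chain classes, the pre-existing DROP rule and the DROP policy are constructed assumptions, and parse_rule only mimics the real parser's behaviour for -p, --dport and -j.

```python
# Toy model of an iptables filter chain: the first matching rule decides the
# verdict, otherwise the chain policy applies. Constructed example, not libiptc.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    proto: str | None   # None = iptables default "all": match every protocol
    dport: int | None   # None = any destination port
    target: str         # ACCEPT or DROP


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = "DROP"            # assumed chain policy for the example

    def append(self, rule: Rule) -> None:   # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: goes to the top
        self.rules.insert(0, rule)

    def verdict(self, proto: str, dport: int) -> str:
        for r in self.rules:
            if (r.proto in (None, proto)) and (r.dport in (None, dport)):
                return r.target     # first match wins, later rules are never seen
        return self.policy


def parse_rule(args: list[str]) -> Rule:
    """Mimic iptables: --dport belongs to the tcp/udp match extension, which
    is only loaded by -p tcp or -p udp, so without it the option is unknown."""
    proto = args[args.index("-p") + 1] if "-p" in args else None
    dport = int(args[args.index("--dport") + 1]) if "--dport" in args else None
    if dport is not None and proto not in ("tcp", "udp"):
        raise ValueError('unknown option "--dport"')
    return Rule(proto, dport, args[args.index("-j") + 1])


def option_b_after_existing_drop() -> str:
    chain = Chain()
    chain.append(Rule("tcp", None, "DROP"))              # deny already in the chain
    chain.append(parse_rule(["-p", "tcp", "--dport", "443", "-j", "ACCEPT"]))
    return chain.verdict("tcp", 443)                     # "DROP": B is shadowed


def option_b_inserted_first() -> str:
    chain = Chain()
    chain.append(Rule("tcp", None, "DROP"))
    chain.insert(parse_rule(["-p", "tcp", "--dport", "443", "-j", "ACCEPT"]))
    return chain.verdict("tcp", 443)                     # "ACCEPT": -I wins


def option_c_parses() -> bool:
    try:
        parse_rule(["--dport", "443", "-j", "ACCEPT"])   # option C, no -p
        return True
    except ValueError:
        return False                                     # rejected like real iptables
```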