Which of the following commands should the Linux administrator use to ensure traffic is able to flow through the system firewall to the new service?

A new HTTPS web service is being deployed on a server. Which of the following commands should the Linux administrator use to ensure traffic is able to flow through the system firewall to the new service?
A. iptables -I OUTPUT -p tcp --sport 443 -j ACCEPT
B. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
C. iptables -I INPUT --dport 443 -j ACCEPT
D. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT


4 thoughts on “Which of the following commands should the Linux administrator use to ensure traffic is able to flow through the system firewall to the new service?”

  1. @Pop: option C is also valid.
    as stated here:
    http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-en-4/s1-iptables-options.html

    -p — Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every supported protocol. In addition, any protocols listed in /etc/protocols may also be used. If this option is omitted when creating a rule, the all option is the default.

    So C works without -p, and because of the -I option iptables will place this rule at the top of the chain.

    The choice is between B and C.
    The B rule will sit at the end of the chain; if there is a deny before it, it's useless. Protocol allowed is TCP.
    The C rule will sit first in the chain. Protocols allowed are the default ones: icmp, tcp and udp.
    The goal is to ensure the traffic goes through the fw. With B there is some doubt, but with C we are sure the 443 traffic will pass.

    I would go with C.

    1. C didn't work on the command line

      [root@centos7eve ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT (this is B)
      [root@centos7eve ~]# iptables -I INPUT --dport 443 -j ACCEPT (this is C)
      iptables v1.4.21: unknown option "--dport"
      Try `iptables -h' or 'iptables --help' for more information.
      [root@centos7eve ~]#

      C is an invalid command

    2. Actually, random, if you read your link, it states --dport is an option for only tcp or udp, meaning it can't be used without it.

  2. A – insert OK, BUT it's the OUTPUT chain
    B – append OK, BUT if there is a deny before it, it will be useless
    C – won't work without -p
    D – append .. A or B is better

    Then B is the best choice.

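The two points argued in the comments above (where -A versus -I places the rule, and that --dport is only valid after -p tcp or -p udp) can be checked without a root shell or a test VM. The model below is an added example written for this page, not code from the original thread or from the iptables project. It implements a first-match chain for the handful of options the question uses (-A, -I with optional position, -p, --dport, -j) and a constructed baseline ruleset that already ends in a catch-all DROP; the --dport check is done after parsing, which simplifies how real iptables loads the tcp/udp match module when it sees -p. Everything else (chain name, policy, the port numbers) is taken from the question and the comments.

```python
"""Tiny first-match model of an iptables chain, enough to show why -A vs -I
and -p matter for answers B and C.  Constructed example, not code from the page."""
import shlex

PORT_PROTOCOLS = ("tcp", "udp")  # --dport/--sport belong to the tcp/udp match modules


class Chain:
    """One chain (rules in order + default policy), evaluated first-match-wins."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = policy
        self.rules = []  # entries: (proto, dport, target)

    def run(self, cmdline):
        """Apply one 'iptables ...' command line to this chain.

        Supports only -A/-I [pos], -p, --dport and -j.  Like real iptables it
        rejects --dport unless -p tcp or -p udp is present (the 'unknown option
        "--dport"' error quoted in the thread).  Checking this after parsing is a
        simplification of how iptables loads match modules while it reads argv.
        """
        argv = shlex.split(cmdline)
        if argv[:1] == ["iptables"]:
            argv = argv[1:]
        mode = chain = target = None
        proto, dport, pos = "all", None, 1
        i = 0
        while i < len(argv):
            opt = argv[i]
            if opt in ("-A", "-I"):
                mode, chain = opt, argv[i + 1]
                i += 2
                if opt == "-I" and i < len(argv) and argv[i].isdigit():
                    pos, i = int(argv[i]), i + 1  # optional 1-based rule position
            elif opt == "-p":
                proto, i = argv[i + 1], i + 2
            elif opt == "--dport":
                dport, i = int(argv[i + 1]), i + 2
            elif opt == "-j":
                target, i = argv[i + 1], i + 2
            else:
                raise ValueError(f"unknown option {opt!r}")
        if dport is not None and proto not in PORT_PROTOCOLS:
            raise ValueError('unknown option "--dport" (needs -p tcp or -p udp)')
        if chain != self.name:
            raise ValueError(f"rule is for chain {chain}, not {self.name}")
        if mode is None or target is None:
            raise ValueError("need -A/-I <chain> and -j <target>")
        rule = (proto, dport, target)
        if mode == "-A":
            self.rules.append(rule)           # -A: END of the chain
        else:
            self.rules.insert(pos - 1, rule)  # -I: position 1 (TOP) unless given

    def verdict(self, proto, dport):
        """Walk the chain in order; the first matching rule decides, else the policy."""
        for rule_proto, rule_dport, target in self.rules:
            if rule_proto != "all" and rule_proto != proto:
                continue
            if rule_dport is not None and rule_dport != dport:
                continue
            return target
        return self.policy


def evaluate_answers():
    """Try answers B and C against an INPUT chain that already ends in a
    catch-all DROP (a common hardened baseline, constructed for this example)."""
    baseline = [
        "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
        "iptables -A INPUT -j DROP",  # anything appended after this is never reached
    ]
    results = {}

    b = Chain("INPUT", "ACCEPT")
    for cmd in baseline:
        b.run(cmd)
    b.run("iptables -A INPUT -p tcp --dport 443 -j ACCEPT")      # answer B
    results["B_after_catchall_drop"] = b.verdict("tcp", 443)

    b2 = Chain("INPUT", "DROP")                                  # deny only via policy
    b2.run("iptables -A INPUT -p tcp --dport 443 -j ACCEPT")     # answer B
    results["B_with_policy_only"] = b2.verdict("tcp", 443)

    c = Chain("INPUT", "ACCEPT")
    for cmd in baseline:
        c.run(cmd)
    try:
        c.run("iptables -I INPUT --dport 443 -j ACCEPT")         # answer C, as written
        results["C_as_written"] = c.verdict("tcp", 443)
    except ValueError as err:
        results["C_as_written"] = f"rejected: {err}"

    c.run("iptables -I INPUT -p tcp --dport 443 -j ACCEPT")      # C with the missing -p
    results["C_with_p_tcp"] = c.verdict("tcp", 443)
    results["C_with_p_udp"] = c.verdict("udp", 443)              # -p tcp does not open UDP/443
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_answers().items():
        print(f"{label:24s} {outcome}")
```

Run it with `python3` and compare the verdicts: B is accepted only when nothing before it already drops the packet, C is rejected as written, and the -I variant with -p tcp is reached first regardless of what follows. On a real host the same ordering question is answered by `iptables -S INPUT` or `iptables -L INPUT -n --line-numbers` before and after the change; `-I INPUT` with no number means position 1. Rules added this way are also not persistent across a reboot unless saved (iptables-save, or on CentOS 7 the iptables-services package), and on a CentOS 7 host running firewalld the supported route is `firewall-cmd --permanent --add-service=https` followed by `firewall-cmd --reload`.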
