Strange iptables rules - at a loss

I was looking over my iptables rules and there are a ton of rules I have no clue what they are, how they got there, and if they should be there. I could use some support fixing them and getting them correct.


Here are my saved rules:

# Generated by iptables-save v1.4.7 on Wed Apr  9 14:02:18 2014
*mangle
:PREROUTING ACCEPT [16895:15639425]
:INPUT ACCEPT [16894:15639186]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14490:8480285]
:POSTROUTING ACCEPT [14490:8480285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr  9 14:02:18 2014
# Generated by iptables-save v1.4.7 on Wed Apr  9 14:02:18 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:2196]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 10080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Apr  9 14:02:18 2014
# Generated by iptables-save v1.4.7 on Wed Apr  9 14:02:18 2014
*nat
:PREROUTING ACCEPT [357:20441]
:POSTROUTING ACCEPT [521:33244]
:OUTPUT ACCEPT [521:33244]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Apr  9 14:02:18 2014

This system is a VM on a Windows 2008 R2 Hyper-V server. I assume that virbr0 is the virtual port for the network, although when I look at the network interfaces I don't see virbr0; I only see eth0.
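The rule set quoted above matches what libvirt installs for its "default" NAT network (virbr0, 192.168.122.0/24), and the same rules appearing four times means something re-appended them with -A, which iptables never deduplicates. The following script is an added example, not part of the original post: it parses an iptables-save dump, lists rules appended more than once, flags rules that name an interface the host does not have (the host interface list is an assumption, lo and eth0 as the poster reports), and produces a deduplicated copy that iptables-restore accepts. The dump embedded in it is a constructed excerpt in the same shape as the one posted.

```python
"""Audit an iptables-save dump: duplicated rules, rules for absent interfaces,
and a deduplicated copy of the dump."""
import re
from collections import Counter

# Constructed excerpt of an iptables-save dump (same shape as the thread's
# rules: libvirt-style virbr0 rules appended more than once).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on Wed Apr  9 14:02:18 2014
*mangle
:PREROUTING ACCEPT [16895:15639425]
:POSTROUTING ACCEPT [14490:8480285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [521:33244]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""

# Assumed host interface list (the poster reports seeing only eth0).
HOST_INTERFACES = ["lo", "eth0"]


def parse_rules(dump):
    """Yield (table, rule_line) for every -A line, in file order.
    The table is taken from the preceding '*name' header."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            yield table, line


def duplicate_rules(dump):
    """Return {(table, rule): count} for rules that appear more than once.
    -A never checks for an existing identical rule, so repeats pile up."""
    counts = Counter(parse_rules(dump))
    return {key: n for key, n in counts.items() if n > 1}


# '-i <iface>' or '-o <iface>'; '--dport' and friends do not match.
IFACE_RE = re.compile(r"(?:^|\s)-[io]\s+(\S+)")


def rules_for_missing_interfaces(dump, host_interfaces):
    """Return (table, rule) for rules whose -i/-o names an interface that
    is not present on the host."""
    present = set(host_interfaces)
    hits = []
    for table, rule in parse_rules(dump):
        if any(iface not in present for iface in IFACE_RE.findall(rule)):
            hits.append((table, rule))
    return hits


def deduplicated(dump):
    """Return the dump with repeated -A rules dropped (first occurrence kept).
    Headers, chain policies and COMMIT lines are passed through unchanged."""
    seen = set()
    table = None
    out = []
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("*"):
            table = stripped[1:]
        elif stripped.startswith("-A "):
            if (table, stripped) in seen:
                continue
            seen.add((table, stripped))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for (table, rule), n in duplicate_rules(SAMPLE_DUMP).items():
        print("%dx in %s: %s" % (n, table, rule))
    for table, rule in rules_for_missing_interfaces(SAMPLE_DUMP, HOST_INTERFACES):
        print("absent interface in %s: %s" % (table, rule))
    print(deduplicated(SAMPLE_DUMP))
```

Run it against the real output of iptables-save instead of SAMPLE_DUMP to get the same report for the live host; the deduplicated text can be reviewed and then loaded with iptables-restore.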

Howdy -- hmm, do you by chance have any non-default or third party software installed that might automatically configure firewall rules?

You don't actually need a firewall, and in most cases one isn't enabled by default. So one solution would be to disable your firewall altogether. Or you could just remove those entries relating to virbr0.

However, if you don't actually have a virbr0 interface, that may mean that there's some non-default software on your server that tried to add a set of rules -- and if that's the case, you may need to disable/remove that software.

Submitted by Joe on Thu, 07/24/2014 - 13:05 Pro Licensee

Some of those rules look like the default firewall on CentOS/RHEL systems, mostly harmless. Some of them are our allow rules that get added during install. Some look unfamiliar (but there may be new stuff in the default CentOS firewall that I haven't looked at lately).

If it is not interfering with services, it's probably not a problem to leave the rules in place. I usually leave the CentOS firewall alone and just open up the ports I need for my services. But, as Eric said, a firewall is less interesting/useful on a server than on a client machine, as most of your active ports have to be open to actually provide service to the world. They only get useful if you have something like a database or other service that you want to be accessible to other servers you control, but not the world at large, for example.

OK, for the life of me I canNOT find the service that is updating/changing my iptables... maybe you can see something here?

NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrt-ccpp      0:off 1:off 2:off 3:on 4:off 5:on 6:off
abrt-oops      0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd          0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid          0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd            0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd         0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs         0:off 1:off 2:off 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
bluetooth      0:off 1:off 2:off 3:on 4:on 5:on 6:off
certmonger     0:off 1:off 2:off 3:on 4:on 5:on 6:off
cgconfig       0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgred          0:off 1:off 2:off 3:off 4:off 5:off 6:off
clamd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed       0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond          0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups           0:off 1:off 2:on 3:on 4:on 5:on 6:off
dnsmasq        0:off 1:off 2:off 3:off 4:off 5:off 6:off
dovecot        0:off 1:off 2:on 3:on 4:on 5:on 6:off
ebtables       0:off 1:off 2:off 3:off 4:off 5:off 6:off
fail2ban       0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot      0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon      0:off 1:off 2:off 3:on 4:on 5:on 6:off
htcacheclean   0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables      0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipsec          0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance     0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsi          0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid         0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdump          0:off 1:off 2:on 3:on 4:on 5:on 6:off
lookup-domain  0:off 1:off 2:on 3:on 4:off 5:on 6:off
lvm2-monitor   0:off 1:on 2:off 3:off 4:off 5:off 6:off
mailman        0:off 1:off 2:on 3:on 4:on 5:on 6:off
mcelogd        0:off 1:off 2:off 3:on 4:off 5:on 6:off
mdmonitor      0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus     0:off 1:off 2:on 3:on 4:on 5:on 6:off
mysqld         0:off 1:off 2:on 3:on 4:on 5:on 6:off
named          0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole     0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs          0:off 1:off 2:off 3:on 4:on 5:on 6:off
network        0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs            0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock        0:off 1:off 2:off 3:on 4:on 5:on 6:off
ntpd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate        0:off 1:off 2:off 3:off 4:off 5:off 6:off
numad          0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd        0:off 1:off 2:off 3:off 4:off 5:off 6:off
portreserve    0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix        0:off 1:off 2:on 3:on 4:on 5:on 6:off
postgresql     0:off 1:off 2:on 3:on 4:on 5:on 6:off
proftpd        0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct         0:off 1:off 2:off 3:off 4:off 5:off 6:off
quota_nld      0:off 1:off 2:off 3:off 4:off 5:off 6:off
radvd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc          0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond    0:off 1:off 2:off 3:off 4:off 5:off 6:off
rngd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcbind        0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd        0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd     0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog        0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd      0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd         0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmpd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd      0:off 1:off 2:off 3:off 4:off 5:off 6:off
spamassassin   0:off 1:off 2:on 3:on 4:on 5:on 6:off
spice-vdagentd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
svnserve       0:off 1:off 2:off 3:off 4:off 5:off 6:off
sysstat        0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post      0:off 1:on 2:on 3:on 4:on 5:on 6:off
usermin        0:off 1:off 2:on 3:on 4:off 5:on 6:off
wdaemon        0:off 1:off 2:off 3:off 4:off 5:off 6:off
webmin         0:off 1:off 2:on 3:on 4:off 5:on 6:off
winbind        0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind         0:off 1:off 2:off 3:off 4:off 5:off 6:off

I had thought it was

libvirt
libvirt-guests

but

[root@home]# chkconfig libvirt off
error reading information on service libvirt: No such file or directory

Do you know if you installed any non-default software?

Nothing installed on CentOS by default would do such a thing. I don't see anything in that list which is an obvious culprit.

Some folks install third party tools such as CSF, which can modify firewall rules automatically.

You may want to review your process list, using 'ps auxw', to see if anything there stands out.

Here is my list:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19356  1540 ?        Ss   15:59   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    15:59   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    15:59   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S    15:59   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    15:59   0:00 [migration/0]
root         6  0.0  0.0      0     0 ?        S    15:59   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    15:59   0:00 [events/0]
root         8  0.0  0.0      0     0 ?        S    15:59   0:00 [cgroup]
root         9  0.0  0.0      0     0 ?        S    15:59   0:00 [khelper]
root        10  0.0  0.0      0     0 ?        S    15:59   0:00 [netns]
root        11  0.0  0.0      0     0 ?        S    15:59   0:00 [async/mgr]
root        12  0.0  0.0      0     0 ?        S    15:59   0:00 [pm]
root        13  0.0  0.0      0     0 ?        S    15:59   0:00 [sync_supers]
root        14  0.0  0.0      0     0 ?        S    15:59   0:00 [bdi-default]
root        15  0.0  0.0      0     0 ?        S    15:59   0:00 [kintegrityd/0]
root        16  0.0  0.0      0     0 ?        S    15:59   0:00 [kblockd/0]
root        17  0.0  0.0      0     0 ?        S    15:59   0:00 [kacpid]
root        18  0.0  0.0      0     0 ?        S    15:59   0:00 [kacpi_notify]
root        19  0.0  0.0      0     0 ?        S    15:59   0:00 [kacpi_hotplug]
root        20  0.0  0.0      0     0 ?        S    15:59   0:00 [ata_aux]
root        21  0.0  0.0      0     0 ?        S    15:59   0:00 [ata_sff/0]
root        22  0.0  0.0      0     0 ?        S    15:59   0:00 [ksuspend_usbd]
root        23  0.0  0.0      0     0 ?        S    15:59   0:00 [khubd]
root        24  0.0  0.0      0     0 ?        S    15:59   0:00 [kseriod]
root        25  0.0  0.0      0     0 ?        S    15:59   0:00 [md/0]
root        26  0.0  0.0      0     0 ?        S    15:59   0:00 [md_misc/0]
root        27  0.0  0.0      0     0 ?        S    15:59   0:00 [linkwatch]
root        28  0.0  0.0      0     0 ?        S    15:59   0:00 [khungtaskd]
root        29  0.0  0.0      0     0 ?        S    15:59   0:00 [kswapd0]
root        30  0.0  0.0      0     0 ?        SN   15:59   0:00 [ksmd]
root        31  0.0  0.0      0     0 ?        SN   15:59   0:00 [khugepaged]
root        32  0.0  0.0      0     0 ?        S    15:59   0:00 [aio/0]
root        33  0.0  0.0      0     0 ?        S    15:59   0:00 [crypto/0]
root        38  0.0  0.0      0     0 ?        S    15:59   0:00 [kthrotld/0]
root        40  0.0  0.0      0     0 ?        S    15:59   0:00 [kpsmoused]
root        41  0.0  0.0      0     0 ?        S    15:59   0:00 [usbhid_resumer]
root        72  0.0  0.0      0     0 ?        S    15:59   0:00 [kstriped]
root       144  0.0  0.0      0     0 ?        S    15:59   0:00 [scsi_eh_0]
root       145  0.0  0.0      0     0 ?        S    15:59   0:00 [scsi_eh_1]
root       216  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_con/0]
root       217  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       219  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       220  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       222  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       223  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       224  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       225  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       226  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       227  0.0  0.0      0     0 ?        S    15:59   0:00 [hv_vmbus_ctl/0]
root       238  0.0  0.0      0     0 ?        S    15:59   0:00 [scsi_eh_2]
root       239  0.0  0.0      0     0 ?        S    15:59   0:00 [scsi_eh_3]
root       272  0.0  0.0      0     0 ?        S    15:59   0:00 [kdmflush]
root       274  0.0  0.0      0     0 ?        S    15:59   0:00 [kdmflush]
root       291  0.0  0.0      0     0 ?        S    15:59   0:00 [jbd2/dm-0-8]
root       292  0.0  0.0      0     0 ?        S    15:59   0:00 [ext4-dio-unwrit]
root       383  0.0  0.0  11512  1616 ?        S<s  15:59   0:00 /sbin/udevd -d
root       824  0.0  0.0      0     0 ?        S    15:59   0:00 [kdmflush]
root       870  0.0  0.0      0     0 ?        S    15:59   0:00 [jbd2/sda1-8]
root       871  0.0  0.0      0     0 ?        S    15:59   0:00 [ext4-dio-unwrit]
root       872  0.0  0.0      0     0 ?        S    15:59   0:00 [jbd2/dm-2-8]
root       873  0.0  0.0      0     0 ?        S    15:59   0:00 [ext4-dio-unwrit]
root       950  0.0  0.0      0     0 ?        S    15:59   0:00 [kauditd]
root       985  0.0  0.0      0     0 ?        S    15:59   0:00 [flush-253:0]
root       986  0.0  0.0      0     0 ?        S    15:59   0:00 [flush-253:2]
root      1216  0.0  0.0  27664   856 ?        S<sl 15:59   0:00 auditd
root      1218  0.0  0.0  82084   964 ?        S<sl 15:59   0:00 /sbin/audispd
root      1219  0.0  0.0  21208  1096 ?        S<   15:59   0:00 /usr/sbin/sedispatch
root      1243  0.0  0.0 249092  1676 ?        Sl   15:59   0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
rpc       1290  0.0  0.0  18976   900 ?        Ss   15:59   0:00 rpcbind
dbus      1402  0.0  0.0  32208  1700 ?        Ssl  15:59   0:00 dbus-daemon --system
root      1413  0.0  0.0  82708  4400 ?        Ss   15:59   0:00 NetworkManager --pid-file=/var/run/NetworkManager/NetworkManager.pid
root      1420  0.0  0.0  58064  2436 ?        S    15:59   0:00 /usr/sbin/modem-manager
root      1466  0.0  0.0  44976   696 ?        Ss   15:59   0:00 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
named     1481  0.0  0.2 166276 18876 ?        Ssl  15:59   0:00 /usr/sbin/named -u named
rpcuser   1503  0.0  0.0  23348  1348 ?        Ss   15:59   0:00 rpc.statd
root      1530  0.0  0.0 189348  3332 ?        Ss   15:59   0:00 cupsd -C /etc/cups/cupsd.conf
root      1541  0.0  0.0   4080   640 ?        Ss   15:59   0:00 /usr/sbin/acpid
68        1550  0.0  0.0  38744  3652 ?        Ssl  15:59   0:00 hald
root      1551  0.0  0.0  20328  1172 ?        S    15:59   0:00 hald-runner
root      1594  0.0  0.0  22448  1096 ?        S    15:59   0:00 hald-addon-input: Listening on /dev/input/event2 /dev/input/event0
68        1603  0.0  0.0  17936  1036 ?        S    15:59   0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
root      1617  0.0  0.0 452304  3832 ?        Ssl  15:59   0:00 automount --pid-file /var/run/autofs.pid
root      1638  0.0  0.0   6776   304 ?        Ss   15:59   0:00 /usr/sbin/mcelog --daemon
root      1650  0.0  0.0  66616  1228 ?        Ss   15:59   0:00 /usr/sbin/sshd
ntp       1658  0.0  0.0  30720  2128 ?        Ss   15:59   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
clam      1666  0.0  3.6 415900 290500 ?       Ssl  15:59   0:04 clamd
root      1702  0.0  0.0 108204  1456 ?        S    15:59   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
mysql     1837  0.0  1.5 1129412 128560 ?      Sl   15:59   0:01 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
postgres  1891  0.0  0.0 216380  5096 ?        S    15:59   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres  1893  0.0  0.0 179392  1076 ?        Ss   15:59   0:00 postgres: logger process                         
postgres  1895  0.0  0.0 216380  1544 ?        Ss   15:59   0:00 postgres: writer process                         
postgres  1896  0.0  0.0 216380  1276 ?        Ss   15:59   0:00 postgres: wal writer process                     
postgres  1897  0.0  0.0 216796  1688 ?        Ss   15:59   0:00 postgres: autovacuum launcher process            
postgres  1898  0.0  0.0 179660  1396 ?        Ss   15:59   0:00 postgres: stats collector process                
root      1908  0.0  0.0  19268   692 ?        Ss   15:59   0:00 /usr/sbin/dovecot
dovecot   1911  0.0  0.0  12988   948 ?        S    15:59   0:00 dovecot/anvil
root      1912  0.0  0.0  13112  1068 ?        S    15:59   0:00 dovecot/log
root      1920  0.0  0.0  68916  1720 ?        Ss   15:59   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root      1922  0.0  0.0  68916  1704 ?        S    15:59   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root      1923  0.0  0.0  68916  1700 ?        S    15:59   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root      1924  0.0  0.0  68916  1704 ?        S    15:59   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root      1925  0.0  0.0  68916  1700 ?        S    15:59   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -r
root      1938  0.0  0.6 242432 51852 ?        Ss   15:59   0:01 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root      1940  0.0  0.6 242432 49632 ?        S    16:00   0:00 spamd child
root      1941  0.0  0.6 242432 49632 ?        S    16:00   0:00 spamd child
root      2016  0.0  0.0  81296  3408 ?        Ss   16:00   0:00 /usr/libexec/postfix/master
postfix   2023  0.0  0.0  81552  3472 ?        S    16:00   0:00 qmgr -l -t fifo -u
nobody    2027  0.0  0.0 152532  1772 ?        Ss   16:00   0:00 proftpd: (accepting connections)
root      2049  0.0  0.0 110320   908 ?        Ss   16:00   0:00 /usr/sbin/abrtd
root      2057  0.0  0.0 108204   836 ?        Ss   16:00   0:00 abrt-dump-oops -d /var/spool/abrt -rwx /var/log/messages
root      2063  0.0  0.0      0     0 ?        S    16:00   0:00 [hv_vmbus_ctl/0]
root      2069  0.0  0.2 397600 20612 ?        Ss   16:00   0:00 /usr/sbin/httpd
apache    2077  0.0  0.0 261140  6516 ?        S    16:00   0:00 /usr/sbin/httpd
root      2078  0.0  0.0 117332  1452 ?        Ss   16:00   0:01 crond
root      2087  0.0  0.1 427108  9184 ?        Sl   16:00   0:01 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
apache    2117  0.0  0.1 384672 10572 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2118  0.0  0.1 402912 15332 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2119  0.0  0.1 398552 13668 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2120  0.0  0.1 402944 15312 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2121  0.0  0.1 398344 14240 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2122  0.0  0.1 398352 13540 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2123  0.0  0.1 398372 13596 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2124  0.0  0.1 398444 14344 ?        S    16:00   0:00 /usr/sbin/httpd
apache    2125  0.0  0.1 398348 13556 ?        S    16:00   0:00 /usr/sbin/httpd
root      2126  0.0  0.0  21540   480 ?        Ss   16:00   0:00 /usr/sbin/atd
mailman   2136  0.0  0.1 206052  8300 ?        Ss   16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
mailman   2137  0.0  0.1 208272 11108 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
mailman   2138  0.0  0.1 208344 11160 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
mailman   2139  0.0  0.1 208264 11112 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
mailman   2140  0.0  0.1 208272 11108 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
mailman   2141  0.0  0.1 208256 11192 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
mailman   2142  0.0  0.1 208308 11228 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
mailman   2143  0.0  0.1 208280 11124 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
mailman   2144  0.0  0.1 208352 11112 ?        S    16:00   0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
root      2159  0.0  0.0  62352   608 ?        Ss   16:00   0:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid
root      2174  0.0  0.6 188088 54492 ?        Ss   16:00   0:00 /usr/libexec/webmin/virtual-server/lookup-domain-daemon.pl
root      2237  0.0  0.2  87556 16468 ?        Ss   16:00   0:00 /usr/bin/perl /usr/libexec/usermin/miniserv.pl /etc/usermin/miniserv.conf
root      2426  0.0  0.7 139000 64064 ?        Ss   16:00   0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root      2429  0.0  0.0 133936  2168 ?        Ssl  16:00   0:00 /usr/sbin/gdm-binary -nodaemon
root      2434  0.0  0.0   4064   532 tty2     Ss+  16:00   0:00 /sbin/mingetty /dev/tty2
root      2436  0.0  0.0   4064   536 tty3     Ss+  16:00   0:00 /sbin/mingetty /dev/tty3
root      2438  0.0  0.0   4064   532 tty4     Ss+  16:00   0:00 /sbin/mingetty /dev/tty4
root      2440  0.0  0.0   4064   536 tty5     Ss+  16:00   0:00 /sbin/mingetty /dev/tty5
root      2442  0.0  0.0   4064   536 tty6     Ss+  16:00   0:00 /sbin/mingetty /dev/tty6
root      2453  0.0  0.0  12568  2860 ?        S<   16:00   0:00 /sbin/udevd -d
root      2454  0.0  0.0  12564  2796 ?        S<   16:00   0:00 /sbin/udevd -d
root      2510  0.0  0.0 164568  3036 ?        Sl   16:00   0:00 /usr/libexec/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1 --force-active-vt
root      2534  0.0  0.2 163024 20676 tty1     Ss+  16:00   0:00 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-fzOPM4/database -nolisten tcp vt1
root      2681  0.0  0.0 577532  3240 ?        Sl   16:00   0:00 /usr/sbin/console-kit-daemon --no-daemon
gdm       2787  0.0  0.0  20040   632 ?        S    16:00   0:00 /usr/bin/dbus-launch --exit-with-session
gdm       2799  0.0  0.0  31780  1192 ?        Ssl  16:00   0:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
gdm       2801  0.0  0.0 269112  7852 ?        Ssl  16:00   0:00 /usr/bin/gnome-session --autostart=/usr/share/gdm/autostart/LoginWindow/
root      2806  0.0  0.0  49832  2624 ?        S    16:00   0:00 /usr/libexec/devkit-power-daemon
gdm       2811  0.0  0.0 133500  5552 ?        S    16:00   0:00 /usr/libexec/gconfd-2
gdm       2851  0.0  0.0 120328  4420 ?        S    16:00   0:00 /usr/libexec/at-spi-registryd
gdm       2875  0.0  0.1 351124 12832 ?        Ssl  16:00   0:00 /usr/libexec/gnome-settings-daemon --gconf-prefix=/apps/gdm/simple-greeter/settings-manager-plugins
gdm       2892  0.0  0.0 303208  2972 ?        Ssl  16:00   0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=12
525       2939  0.4  0.9 283936 72876 ?        S    16:00   0:21 /usr/bin/php-cgi
gdm       2954  0.0  0.0 135112  1888 ?        S    16:00   0:00 /usr/libexec/gvfsd
gdm       2989  0.0  0.1 289340  9864 ?        S    16:00   0:00 metacity
gdm       3025  0.0  0.1 273784  8616 ?        S    16:00   0:00 gnome-power-manager
gdm       3035  0.0  0.0 248364  7380 ?        S    16:00   0:00 /usr/libexec/polkit-gnome-authentication-agent-1
gdm       3041  0.0  0.1 384884 15860 ?        S    16:00   0:00 /usr/libexec/gdm-simple-greeter
root      3062  0.0  0.0  52512  4188 ?        S    16:00   0:00 /usr/libexec/polkit-1/polkitd
gdm       3073  0.0  0.0 346200  2852 ?        S<sl 16:00   0:00 /usr/bin/pulseaudio --start --log-target=syslog
rtkit     3075  0.0  0.0 168456  1188 ?        SNl  16:00   0:00 /usr/libexec/rtkit-daemon
root      3177  0.0  0.0 142040  2080 ?        S    16:00   0:00 pam: gdm-password
root      3190  0.0  0.0 100368  4368 ?        Ss   16:00   0:00 sshd: root@notty
root      3195  0.0  0.0  57828  2356 ?        Ss   16:00   0:00 /usr/libexec/openssh/sftp-server
nyccuser  3208  0.0  0.4 241276 34936 ?        S    16:00   0:03 /usr/bin/php-cgi
postfix   3396  0.0  0.0  81376  3320 ?        S    16:01   0:00 pickup -l -t fifo -u
root      4023  0.0  0.0 100368  4356 ?        Ss   16:01   0:00 sshd: root@notty
root      4154  0.0  0.0  57688  2264 ?        Ss   16:01   0:00 /usr/libexec/openssh/sftp-server
533       4359  0.0  0.5 253364 46604 ?        S    16:01   0:00 /usr/bin/php-cgi
533       4425  0.0  0.6 267460 56056 ?        S    16:01   0:00 /usr/bin/php-cgi
apache    4846  0.0  0.1 398460 13576 ?        S    16:01   0:00 /usr/sbin/httpd
525       4847  0.3  0.9 287248 76124 ?        S    16:01   0:17 /usr/bin/php-cgi
rmccfei   5113  0.0  0.5 344348 40872 ?        S    16:02   0:03 /usr/bin/php-cgi
507       5375  0.0  0.1 222628 15468 ?        S    16:03   0:00 /usr/bin/php-cgi
internal  5681  0.0  0.3 237332 30692 ?        S    16:04   0:02 /usr/bin/php-cgi
apache    6710  0.0  0.1 398272 13468 ?        S    16:09   0:00 /usr/sbin/httpd
apache    7050  0.0  0.1 398512 13596 ?        S    16:10   0:00 /usr/sbin/httpd
root      7088  0.0  0.0 100368  4348 ?        Ss   16:11   0:00 sshd: root@pts/0
root      7095  0.0  0.0 108340  1832 pts/0    Ss   16:11   0:00 -bash
apache    7838  0.0  0.1 402880 15328 ?        S    16:13   0:00 /usr/sbin/httpd
nyccuser  8911  0.0  0.3 235856 29348 ?        S    16:16   0:02 /usr/bin/php-cgi
517       9188  0.0  0.5 247768 40860 ?        S    16:18   0:01 /usr/bin/php-cgi
rti_ctrl 11888  0.0  0.1 220448 12292 ?        S    16:34   0:00 /usr/bin/php-cgi
postfix  12416  0.0  0.0  98816  4788 ?        S    16:36   0:00 smtpd -n smtp -t inet -u -o stress= -s 2 -o smtpd_sasl_auth_enable=yes
postfix  12418  0.0  0.0  81368  3368 ?        S    16:36   0:00 anvil -l -t unix -u
apache   13352  0.0  0.1 398220 13396 ?        S    16:44   0:00 /usr/sbin/httpd
apache   13357  0.0  0.1 398196 13364 ?        S    16:44   0:00 /usr/sbin/httpd
apache   13358  0.0  0.1 398336 13484 ?        S    16:44   0:00 /usr/sbin/httpd
postfix  14467  0.0  0.0  98816  4784 ?        S    16:49   0:00 smtpd -n smtp -t inet -u -o stress= -s 2 -o smtpd_sasl_auth_enable=yes
513      14928  0.2  0.3 333712 30836 ?        S    16:51   0:04 /usr/bin/php-cgi
dovecot  15122  0.0  0.0  76636  2748 ?        S    16:52   0:00 dovecot/auth
root     15123  0.0  0.0  76636  2864 ?        S    16:52   0:00 dovecot/auth -w
root     19420  0.0  0.0      0     0 ?        S    17:14   0:00 [flush-8:0]
root     19645 19.5  1.7 423276 142296 ?       Sl   17:16   0:03 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
root     20115  0.0  0.0 110240  1136 pts/0    R+   17:16   0:00 ps auxw

Could it be one of these?

Installed Packages
kmod-microsoft-hyper-v.x86_64 rhel63.3.4-1.20120727 installed
xorg-x11-drv-hyperpen.x86_64  1.4.1-4.el6           @anaconda-CentOS-201311272149.x86_64/6.5
Available Packages
hypervkvpd.x86_64             0-0.12.el6            base
[root@centos6 ~]#

Ah, it looks like you're running a desktop version of CentOS, and there's a number of processes running that I'm not familiar with.

However, of what I see, my best guess is that it may be related to Fail2ban.

Could you try disabling that, and see if the rules stop being modified?

Nope, definitely NOT Fail2Ban. Turned it off, updated iptables to default, a few seconds later they were all back....

I think it has something to do with kmod-microsoft-hyper-v.x86_64.

This is a VM running on Server 2012.

I haven't used Microsoft Hyper-V previously, and hadn't attempted running any VMs within it. However, Googling that particular package name, it appears that all it does is provide a set of kernel modules that enables Linux to run as a Hyper-V VPS guest.

Typically, kernel modules don't add firewall rules, though I suppose that it's technically possible.

I suspect that the culprit is elsewhere though, as there wouldn't be a simple way to configure those kernel modules with what firewall parameters to use.
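The thread never identifies what keeps re-adding the rules. Since auditd is already running on this host (it appears in both the chkconfig and ps listings), one way to answer that is to audit executions of the iptables binary and read back which parent process launched them. The script below is an added example, not from the original thread or from Virtualmin: it assumes a watch such as `auditctl -w /sbin/iptables -p x -k iptables_exec` (and a matching one for /sbin/iptables-restore) has been added, parses the resulting SYSCALL and EXECVE records, pairs them by event id, and counts rule-changing invocations per parent pid while ignoring read-only listings. The audit lines embedded in it are constructed, with pids chosen for illustration only.

```python
"""Find which parent process keeps invoking iptables, from auditd records."""
import re
from collections import Counter

# Constructed audit.log excerpt (not from the thread). A SYSCALL record
# (ppid/pid/exe/key) and an EXECVE record (argv) share one event id, the
# number after the colon in msg=audit(...). Pids are illustrative: 4321 is a
# hypothetical daemon, 7095 stands for an admin's interactive shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1406234567.101:9001): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=20201 auid=4294967295 uid=0 gid=0 euid=0 comm="iptables" exe="/sbin/iptables" key="iptables_exec"
type=EXECVE msg=audit(1406234567.101:9001): argc=9 a0="/sbin/iptables" a1="-A" a2="INPUT" a3="-i" a4="virbr0" a5="-p" a6="udp" a7="--dport" a8="53"
type=SYSCALL msg=audit(1406234567.102:9002): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=20202 auid=4294967295 uid=0 gid=0 euid=0 comm="iptables" exe="/sbin/iptables" key="iptables_exec"
type=EXECVE msg=audit(1406234567.102:9002): argc=8 a0="/sbin/iptables" a1="-t" a2="nat" a3="-A" a4="POSTROUTING" a5="-s" a6="192.168.122.0/24" a7="-j"
type=SYSCALL msg=audit(1406234601.500:9003): arch=c000003e syscall=59 success=yes exit=0 ppid=7095 pid=20300 auid=0 uid=0 gid=0 euid=0 comm="iptables" exe="/sbin/iptables" key="iptables_exec"
type=EXECVE msg=audit(1406234601.500:9003): argc=2 a0="iptables" a1="-L"
type=SYSCALL msg=audit(1406234602.000:9004): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1243 auid=4294967295 uid=0 gid=0 euid=0 comm="rsyslogd" exe="/sbin/rsyslogd" key="other_watch"
"""

EVENT_ID_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (event_id, {field: value}) for one audit record line."""
    m = EVENT_ID_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return (m.group(1) if m else None), fields


def iptables_invocations(log_text, key="iptables_exec"):
    """Pair each SYSCALL record carrying our watch key with the EXECVE record
    of the same event; return dicts with event, ppid, pid, exe and argv."""
    syscalls, execves = {}, {}
    for line in log_text.splitlines():
        event, f = parse_record(line)
        if not event:
            continue
        if f.get("type") == "SYSCALL" and f.get("key") == key:
            syscalls[event] = f
        elif f.get("type") == "EXECVE":
            argc = int(f.get("argc", 0))
            execves[event] = [f.get("a%d" % i, "") for i in range(argc)]
    return [
        {"event": event, "ppid": int(f["ppid"]), "pid": int(f["pid"]),
         "exe": f["exe"], "argv": execves.get(event, [])}
        for event, f in sorted(syscalls.items(), key=lambda kv: int(kv[0]))
    ]


# Options that change the rule set; 'iptables -L' and friends are ignored.
MUTATING_OPTS = {"-A", "-I", "-D", "-F", "-X", "-R",
                 "--append", "--insert", "--delete", "--flush", "--replace"}


def rule_changing_parents(invocations):
    """Count rule-changing iptables runs per parent pid. A restore counts
    regardless of its arguments, since it rewrites whole tables."""
    counts = Counter()
    for inv in invocations:
        if MUTATING_OPTS & set(inv["argv"]) or inv["exe"].endswith("iptables-restore"):
            counts[inv["ppid"]] += 1
    return counts


if __name__ == "__main__":
    invs = iptables_invocations(SAMPLE_AUDIT_LOG)
    for ppid, n in rule_changing_parents(invs).most_common():
        print("parent pid %d changed rules %d time(s)" % (ppid, n))
```

On a live host, feed it /var/log/audit/audit.log (or the output of `ausearch -k iptables_exec`) and map the reported parent pid to a program with `ps -p <ppid> -o pid,ppid,comm,args`.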