Basic Iptables issue

Posted by Firebar on 2007/4/25 14:46:59
Hi all,

I'm creating a clean IPtables configuration on my Centos 4.4 server. I flushed the rules then removed the RH-Firewall-X INPUT reference chain. So now I just have the 3 defaults, INPUT, OUTPUT and FORWARD.

Looks something like this;



My OUTPUT rule works fine, but none of my INPUT rules do. I've saved and restarted iptables.
Any idea why my INPUT rules aren't working? Is it because I deleted that RH-Firewall-1-INPUT reference chain?

Any help would be appreciated.

Re: Basic Iptables issue

Posted by WhatsHisName on 2007/4/25 15:49:05
It’s hard to tell from your description what the problem is.

It may be that you do not understand how the /etc/init.d/iptables init script functions vs. how the /sbin/iptables, /sbin/iptables-save and /sbin/iptables-restore utilities function.

If you don’t want to use the standard /etc/sysconfig/iptables configuration, but do want the iptables init script to load the rules on startup, then why don’t you start over like this:

# # WARNING: This is a nonstandard setup.  Newbies reading this thread should stick with the standard configuration. 
#
# /sbin/iptables -F
# /sbin/iptables -A FORWARD -j DROP
# /sbin/iptables -A OUTPUT  -j ACCEPT
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# /sbin/iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
# /sbin/iptables -A INPUT -p 50 -j ACCEPT
# /sbin/iptables -A INPUT -p 51 -j ACCEPT
# /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# # Followed by whatever custom rules you want
#
# /sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
#
# /etc/init.d/iptables save

Your rules will be saved in /etc/sysconfig/iptables and will be loaded on boot.


Please note that “/etc/init.d/iptables save” and “/sbin/iptables-save” do not accomplish the same thing.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 15:57:11
Thanks for the reply.

I'm using the /etc/init.d/service iptables save/restart method.

It's very weird to see everything working except the INPUT rules, which is what I'm confused about. Once I can at least get that part of the filtering working, then I can build an iptables script.

Re: Basic Iptables issue

Posted by WhatsHisName on 2007/4/25 16:17:54
Why do you want to build a custom init script when one is already provided?

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 16:22:32
Well, what I mean is that once all the rules I want are in place using /sbin/iptables, then I can do a save and leave it at that. Currently I'd just like INPUT filtering to work, seeing as it doesn't.

On an off note, I ran system-config-securitylevel and disabled/enabled the firewall. It then wrote its own iptables.config including the RH-Firewall-1-INPUT chain (which has 2 references?) and things work again.

edit - ok the RH-Firewall-1-INPUT is a reference to the FORWARD AND INPUT policy. Why would that be? Surely that then means that everything in that chain is also set to forwarded. I don't use this function, but still..

Thanks.

Re: Basic Iptables issue

Posted by WhatsHisName on 2007/4/25 16:31:13
The easiest way to understand how RH-Firewall-1-INPUT is used is to open /etc/init.d/iptables and read the script. It is not equivalent to /sbin/iptables INPUT.

The RH-Firewall-1-INPUT reference in /etc/sysconfig/iptables can be changed to anything that has no system meaning (e.g., :%s/RH-Firewall-1-INPUT/MyRules/gc). I always shorten it to make /etc/sysconfig/iptables more readable.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 16:44:33
RH-Firewall-1-INPUT isn't even listed in the /etc/init.d/iptables script.

I don't understand why it uses this extra chain. Why not just keep the default INPUT, OUTPUT and FORWARD? It seems as though this is stopping my default chains from working correctly, at least the INPUT one.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 16:48:03
Below are my chains after flushing, and after inserting a couple of rules;



If I change the default policy of the INPUT chain to DROP then nothing works. I would have thought my 2 rules in the RH-Firewall-1-INPUT chain might have worked, but as you can see the referencing has gone.

What I don't understand is why I cannot simply remove the RH-Firewall-1-INPUT chain and use the default 3 chains.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 16:53:29
Now if I make my chains look like this;



Then I would have presumed that http port 80 would be open, but this isn't the case. I can't access it.

Re: Basic Iptables issue

Posted by michaelnel on 2007/4/25 16:55:58
Looks to me like you don't have iptables chkconfigged on.

# chkconfig iptables on
# service iptables start

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 16:57:06
iptables is definitely running & chkconfigged too.

Re: Basic Iptables issue

Posted by WhatsHisName on 2007/4/25 16:58:58
Quote:
RH-Firewall-1-INPUT isnt even listed in the /etc/init.d/iptables script.


# cat /etc/sysconfig/iptables
#
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
...

You are correct, RH-Firewall-1-INPUT is read by the script from the last statement above and used as a reference label. The label in and of itself has no meaning and can be changed to whatever you want it to be.

I take it that you are more familiar with how iptables is managed in non-Redhat-based distros, such as Debian-based distros. Debian, for example, has no equivalent of /etc/init.d/iptables, unless you write the script yourself.

Re: Basic Iptables issue

Posted by WhatsHisName on 2007/4/25 17:05:58
As a reference, this is the “standard” http line in /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT


And a fairly standard /etc/sysconfig/iptables would look like:

# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MyRules - [0:0]
-A INPUT -j MyRules
-A FORWARD -j MyRules
-A MyRules -i lo -j ACCEPT
-A MyRules -p icmp --icmp-type any -j ACCEPT
-A MyRules -p 50 -j ACCEPT
-A MyRules -p 51 -j ACCEPT
-A MyRules -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A MyRules -p udp -m udp --dport 631 -j ACCEPT
-A MyRules -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A MyRules -j REJECT --reject-with icmp-host-prohibited
COMMIT


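The walk through a filter table that the layout above implies, as an added example and not code from this thread: a small Python model of iptables first-match evaluation over a constructed, trimmed /etc/sysconfig/iptables in the same style, with one extra port-1234 rule appended to INPUT after the jump into MyRules. Function and field names (input_verdict, the packet dict keys) are this example's own.

```python
import shlex
# Constructed sample (trimmed) in the layout above, plus a port-1234 rule appended to INPUT after the jump.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:MyRules - [0:0]
-A INPUT -j MyRules
-A MyRules -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MyRules -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A MyRules -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
COMMIT
"""

def parse(text):
    """Return (chain policies, rules per chain) from iptables-save format."""
    policy, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                   # chain header
            name, pol = line[1:].split()[:2]
            policy[name] = None if pol == "-" else pol   # '-' marks a user chain
            chains[name] = []
        elif line.startswith("-A "):               # append a rule to a chain
            tok = shlex.split(line)
            rule = {"target": tok[tok.index("-j") + 1]}
            for i, t in enumerate(tok):
                if t in ("-i", "-p", "-d", "--dport", "--state"):
                    rule[t] = tok[i + 1]
            chains[tok[1]].append(rule)
    return policy, chains

def matches(rule, pkt):  # only the match options used in the sample are modelled
    for opt, field in (("-i", "iface"), ("-p", "proto"), ("-d", "dst"), ("--dport", "dport")):
        if opt in rule and str(pkt.get(field)) != rule[opt]:
            return False
    return "--state" not in rule or pkt.get("state") in rule["--state"].split(",")

def verdict(policy, chains, chain, pkt):
    """First matching rule wins; a user chain with no match returns to its caller."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            t = rule["target"]
            if t in chains:          # jump; None means the user chain fell through
                t = verdict(policy, chains, t, pkt)
            if t is not None:
                return t
    return policy[chain]             # built-in chain policy, or None for a user chain

def input_verdict(text, pkt):
    return verdict(*parse(text), "INPUT", pkt)
```

A NEW connection to port 1234 is rejected by MyRules' final REJECT before INPUT ever reaches the appended rule; the same rule placed in MyRules above the REJECT is reached.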
Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 17:06:11
I'm new to iptables full stop, but the manpages are quite self-explanatory and make it sound so easy! I just can't understand why my filtering isn't working once I drop to DROP policy mode and then manually specify a rule to ACCEPT a connection.

Perhaps, due to me being quite new to this, I'm missing something, but from my point of view this seems relatively simple, yet it just doesn't work.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 20:29:04
Well, this is ridiculous: if I use system-config-securitylevel to open up a port, e.g. port 1234, it's fine and it does actually open the port. If I manually make an iptables rule, it doesn't work - DESPITE BEING IDENTICAL!!

ARGGGHH

Re: Basic Iptables issue

Posted by michaelnel on 2007/4/25 21:53:04
I never use the utility, (except during initial install). I always just edit /etc/sysconfig/iptables and then "service iptables restart", and it always works.

So, I don't know what you are doing wrong, but the basic procedure of editing and restarting does work, if it's done correctly.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 22:07:17
Editing the config file works! I just hadn't tried it, as by running the /sbin/iptables commands and doing /etc/init.d/iptables save it was writing to that file - so I assumed it would be ok.

Thank you very much, I'll see how the rest of it goes from now on. Why the hell doesn't using the commandline work? annoying

Re: Basic Iptables issue

Posted by michaelnel on 2007/4/25 22:11:30
Using the commandline DOES work. I don't usually do it that way, but I have, and it does work. You have to do it correctly though. I just find it easier to edit /etc/sysconfig/iptables and restart though.

Re: Basic Iptables issue

Posted by Firebar on 2007/4/25 22:15:53
How would you define correctly? I've passed in the EXACT options for identical rules which are known to work but to no avail.

edit - What I mean to say is; what command would you use to add in a ruleset to open port 1234 then save and restart iptables - and have it work.

Re: Basic Iptables issue

Posted by michaelnel on 2007/4/25 22:25:10
I wouldn't do it from the command line.

It's been so long since I did it that way I no longer remember the right way, and I am not interested in researching it.

But I assure you, if you learn the right way (I suggest the Novell Press book "Linux Firewalls Third Edition"), then it absolutely DOES work.

After all, the /etc/init.d/iptables script basically does it from the command line... it's just a script.

This Post was from: https://www.centos.org/newbb/viewtopic.php?forum=32&topic_id=8099