Running CentOS 6.6 on a VMware VM as part of our test environment. I had the following line in my iptables to open port 2008:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2008 -j ACCEPT
and was able to, from another machine, send data to this machine over port 2008.
The constraints then changed: the incoming data still needs to come in through 2008 to simulate an incoming data feed, but it needs to be parsed and then sent out to 127.0.0.1:2042 to feed a Splunk instance on the same machine, all in order to simulate our production environment.
I added the following to iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2042 -j ACCEPT
to open port 2042.
Now I can't connect to 2008. nmap shows 2042 is open, but 2008 is not, though I did nothing to change the 2008 entry in iptables.
What am I missing?
regards, Richard
[RESOLVED] iptables confusion
Re: iptables confusion
And then I realized I probably should have included the entire iptables file, so here it is:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2042 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
regards, Richard
Re: iptables confusion
How many network interfaces does the VM have?
If you only have one interface, everything after this line does nothing:
rkappler wrote: -A INPUT -i eth0 -j ACCEPT
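The point made in this reply (and the reason the two port rules in the question behaved identically) is that iptables evaluates a chain top to bottom and the first terminating match wins, so an unrestricted `-i eth0 -j ACCEPT` line makes every later INPUT rule, including the final REJECT, unreachable. The following is an added example, not code from the thread: a small first-match simulator in Python that loads the thread's INPUT chain, traces which rule decides a given packet, and flags rules that can never match because an earlier catch-all on the same interface already accepts everything. The Rule and Packet classes, the interface set `{"lo", "eth0"}` and the sample packets are assumptions of this example; it only understands the options that appear in the posted ruleset.

```python
"""Added example (not from the forum thread): a first-match simulator for
iptables-save style INPUT rules, used to show why an unrestricted
"-i eth0 -j ACCEPT" line shadows every rule after it."""

import shlex
from dataclasses import dataclass
from typing import Optional

# INPUT chain copied from the thread (other chains omitted).
RULES_TEXT = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2008 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2042 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


@dataclass
class Rule:  # assumed minimal model: only the options used in the thread
    text: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[set] = None
    target: str = "ACCEPT"


@dataclass
class Packet:  # assumed model of what the INPUT chain sees
    iface: str
    proto: str
    dport: Optional[int]
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


def parse_rule(line: str) -> Rule:
    """Pull the matching options out of one '-A INPUT ...' line."""
    toks = shlex.split(line)
    rule = Rule(text=line.strip())
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-i":
            rule.iface = toks[i + 1]; i += 2
        elif tok == "-p":
            rule.proto = toks[i + 1]; i += 2
        elif tok == "--dport":
            rule.dport = int(toks[i + 1]); i += 2
        elif tok == "--state":
            rule.states = set(toks[i + 1].split(",")); i += 2
        elif tok == "-j":
            rule.target = toks[i + 1]; i += 2
        else:
            i += 1  # -A INPUT, -m state, -m tcp, --reject-with ...: irrelevant to matching
    return rule


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip().startswith("-A INPUT")]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(rules: list, pkt: Packet, policy: str = "ACCEPT"):
    """First matching rule decides: returns (target, rule index), or (policy, None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


def shadowed_rules(rules: list, interfaces: set) -> list:
    """Indices of rules that can never match on this host. Sufficient condition only:
    every interface the rule could see traffic on is already fully accepted by an
    earlier rule that has no protocol, port or state restriction."""
    dead = []
    for idx, rule in enumerate(rules):
        reachable_on = {rule.iface} if rule.iface else set(interfaces)
        covered = set()
        for earlier in rules[:idx]:
            if earlier.proto is None and earlier.dport is None and earlier.states is None:
                covered |= {earlier.iface} if earlier.iface else set(interfaces)
        if reachable_on <= covered:
            dead.append(idx)
    return dead


def drop_interface_catch_all(rules: list, iface: str) -> list:
    """Hardened variant: remove the unrestricted '-i <iface> -j ACCEPT' line."""
    return [r for r in rules if not (r.iface == iface and r.proto is None
                                     and r.dport is None and r.states is None)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for i in shadowed_rules(rules, {"lo", "eth0"}):
        print(f"unreachable: {rules[i].text}")
    for dport in (2008, 9999):  # constructed sample packets, NEW TCP from the network
        pkt = Packet("eth0", "tcp", dport, "NEW")
        print(dport, evaluate(rules, pkt), evaluate(drop_interface_catch_all(rules, "eth0"), pkt))
```

Run as is, it reports the five port rules and the REJECT as unreachable and shows that a NEW TCP packet to port 2008, or to any unlisted port such as 9999, is accepted by the `-i eth0` line (index 3); with that line dropped, 2008 is accepted by its own rule and 9999 falls through to the REJECT. Rule order, not the presence of a port rule, is what to audit when a host behaves differently from what the rule list suggests.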
Re: [RESOLVED] iptables confusion
Just eth0. Turns out the problem wasn't in the iptables at all, but rather a couple of bugs in the script that was supposed to be receiving the data over the socket. All is well now. Thanks for the help!