IPtables problem

nix99
Posts: 20
Joined: 2014/03/31 05:04:08

IPtables problem

Post by nix99 » 2014/04/15 15:43:41

Greetings.

I'm having trouble with iptables after upgrading the kernel. One of the rules in /etc/sysconfig/iptables is causing errors when restarting iptables, namely:

--------------------
:INPUT ACCEPT [51:14610]
--------------------

iptables: Applying firewall rules: iptables-restore v1.4.7: Can't set policy `INPUT' on `ACCEPT' line 10: Bad built-in chain name

When I try to ping some domains I get:

ping: sendmsg: Operation not permitted.

and my /etc/sysconfig/iptables is:

----------------------


# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*raw
:PREROUTING ACCEPT [677581:1034642618]
:OUTPUT ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*nat
:PREROUTING ACCEPT [57:16626]
:INPUT ACCEPT [51:14610]
:OUTPUT ACCEPT [2201:142272]
:POSTROUTING ACCEPT [2201:142272]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*mangle
:PREROUTING ACCEPT [677581:1034642618]
:INPUT ACCEPT [677575:1034640602]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [395622:31477725]
:POSTROUTING ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:180]
:acctboth - [0:0]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A INPUT -j acctboth
-A FORWARD -j cP-Firewall-1-INPUT
-A OUTPUT -j acctboth
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
----------------------

Hope someone can help.

TIA.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPtables problem

Post by TrevorH » 2014/04/15 15:48:28

That has nothing to do with the kernel upgrade: your rules are not correct, so iptables-restore refuses to touch them.

If cP-Firewall-1-INPUT is a chain put there by cPanel then you need to contact them for support of this machine. Their software makes so many changes to and replaces so many CentOS packages with ones they build themselves that the machine is no longer running CentOS, it's running cPanel. Any help that we might provide that would be applicable to a pure CentOS machine might end up breaking your cPanel box more than it is already.

nix99
Posts: 20
Joined: 2014/03/31 05:04:08

Re: IPtables problem

Post by nix99 » 2014/04/15 17:48:50

Thanks, will contact cP.

OuldeFauder
Posts: 71
Joined: 2010/10/12 17:16:07

Re: IPtables problem

Post by OuldeFauder » 2014/04/23 01:33:35

Hi Trevor, did you discern that the rerouting, the first part of the script, was from cPanel and so was the cause of the problem?

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: IPtables problem

Post by Super Jamie » 2014/04/23 13:11:25

Trevor gave his (extremely valid) justification.

The problem is likely that there is no INPUT chain in the nat table.

From man iptables:

TABLES
There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

Whatever's building your firewall rules (which is probably some cPanel script or binary, or perhaps an over-eager sysadmin) appears to have a bug.
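The check Super Jamie describes can be automated before a restart, so that a bad dump is caught without iptables-restore aborting halfway and leaving the box in whatever state the init script left it. The script below is an added example written for this thread; it is not part of the original posts, nor cPanel's or CentOS's own tooling. It walks an iptables-save dump, tracks which `*table` block it is in, and reports every `:CHAIN POLICY [...]` line that sets a policy on a chain that is not a built-in of that table (user-defined chains, marked with a policy of `-`, may have any name). The built-in lists it carries are an assumption: they encode the classic layout quoted from the man page above, in which nat has only PREROUTING, OUTPUT and POSTROUTING; newer kernels and iptables builds do add an INPUT chain to nat, so adjust the nat entry if your target kernel has one. Line numbers are counted the same way iptables-restore counts them, including the `# Generated by` comment lines, which is why the error in the first post points at line 10 of that file: counting from the top, line 10 is `:INPUT ACCEPT [51:14610]` in the `*nat` block. The sample dump embedded in the script is constructed to reproduce that defect and is not the poster's file.

```shell
#!/bin/bash
# Lint an iptables-save dump before handing it to iptables-restore.
# For every ":CHAIN POLICY [pkts:bytes]" line it checks that a chain given a
# real policy (anything other than "-") is a built-in of the table currently
# being declared. A policy on a non-built-in is exactly what produces
# "Can't set policy `INPUT' on `ACCEPT' ... Bad built-in chain name".
#
# ASSUMPTION: the built-in lists below are the classic layout described by the
# man page excerpt in the thread (nat = PREROUTING/OUTPUT/POSTROUTING). Newer
# kernels and iptables builds add an INPUT chain to nat; extend the nat entry
# if the target kernel has it.

lint_iptables_save() {
    # $1: path to an iptables-save dump (stdin if omitted).
    # Prints one diagnostic per offending line; exit status 1 if any, else 0.
    awk '
    BEGIN {
        builtin["raw"]    = " PREROUTING OUTPUT "
        builtin["nat"]    = " PREROUTING OUTPUT POSTROUTING "
        builtin["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
        builtin["filter"] = " INPUT FORWARD OUTPUT "
        table = ""; bad = 0
    }
    /^\*/     { table = substr($1, 2); next }   # "*nat" opens a table block
    /^COMMIT/ { table = ""; next }              # block closed
    /^:/ {
        chain  = substr($1, 2)                  # ":INPUT ACCEPT [51:14610]" -> INPUT
        policy = $2
        if (policy == "-") next                 # user-defined chain: any name is allowed
        if (!(table in builtin)) {
            printf "line %d: chain %s declared outside a known table\n", NR, chain
            bad++; next
        }
        if (index(builtin[table], " " chain " ") == 0) {
            printf "line %d: table %s has no built-in chain %s\n", NR, table, chain
            bad++
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

make_sample_dump() {
    # Constructed sample modelled on the dump in the thread (not the poster's
    # file). Line 7 carries the same defect: a policy on INPUT inside *nat.
    cat > "$1" <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

fix_sample_dump() {
    # $1: input dump, $2: output path. Drops ":INPUT ..." lines inside *nat
    # only; the filter table's INPUT chain is a real built-in and must stay.
    awk '/^\*/     { table = substr($1, 2) }
         /^COMMIT/ { table = "" }
         table == "nat" && /^:INPUT / { next }
         { print }' "$1" > "$2"
}

demo() {
    tmp=$(mktemp) || return 1
    make_sample_dump "$tmp"
    if lint_iptables_save "$tmp"; then
        echo "sample: restorable"
    else
        echo "sample: would be rejected by iptables-restore"
    fi
    fix_sample_dump "$tmp" "$tmp.fixed"
    lint_iptables_save "$tmp.fixed" && echo "fixed: restorable"
    rm -f "$tmp" "$tmp.fixed"
}
demo
```

Run it against the real file with `lint_iptables_save /etc/sysconfig/iptables` before `service iptables restart`; a non-zero exit means the dump will not load on a kernel with the assumed table layout. Newer iptables-restore releases accept a `--test` option that parses a dump without committing it, which answers the same question; the script is still useful where that option is unavailable, or when you want the diagnostic to name the table the bad chain sits in rather than only the line number.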
