iptables active (exited)

General support questions
hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: iptables active (exited)

Post by hunter86_bg » 2018/10/17 18:51:51

Some more info is needed, so it will be nice if you run the following:

systemctl cat iptables.service
iptables -L -n
journalctl -u iptables.service
netstat -tulpena | grep <replace_with_your_port>
semanage port -l | grep  <replace_with_your_port> 

webnoob
Posts: 37
Joined: 2017/02/01 11:26:27

Re: iptables active (exited)

Post by webnoob » 2018/10/17 21:26:40

More info as requested.

--- systemctl cat iptables.service ---
# /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 firewall with iptables
Before=ip6tables.service
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target

--- iptables -L -n ---
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:MY_PORT flags:0x17/0x02

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

--- journalctl -u iptables.service ---
-- Logs begin at Wed 2018-10-17 17:12:30 EDT, end at Wed 2018-10-17 17:20:01 EDT. --
Oct 17 17:12:33 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Oct 17 17:12:33 localhost.localdomain iptables.init[700]: /usr/libexec/iptables/iptables.init: line 22: /etc/init.d/functions: No such file or directory
Oct 17 17:12:33 localhost.localdomain iptables.init[700]: iptables: Applying firewall rules: /usr/libexec/iptables/iptables.init: line 240: success: command not found
Oct 17 17:12:33 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

--- netstat -tulpena | grep MY_PORT ---
tcp6 0 0 SERVER_IP:MY_PORT :::* LISTEN 1001 28252 1621/java

--- semanage port -l | grep MY_PORT ---
Command returns nothing

Is my rule wrong? Scanning with nmap does not show my port.

Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-17 17:39 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: iptables active (exited)

Post by tunk » 2018/10/17 21:54:12

https://nmap.org/book/man-port-specification.html: "By default, Nmap scans the most common 1,000 ports for each protocol."

You may have to specify the port:
nmap -p MY_PORT localhost

webnoob
Posts: 37
Joined: 2017/02/01 11:26:27

Re: iptables active (exited)

Post by webnoob » 2018/10/17 22:02:34

OMG!!! Problem is solved. I had missed a reject line right above my rule; removing the rule and adding it above the reject makes the port available.
Now the next problem is that every time I restart the iptables service the rule drops back down under the reject rule. I have tried with service iptables save and it just returns back: service: command not found

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: iptables active (exited)

Post by tunk » 2018/10/17 22:10:59

I don't know if it's recommended practice, but I normally edit /etc/sysconfig/iptables directly.
EDIT: After editing you have to restart: systemctl restart iptables
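Added example (not code from the thread, nor from CentOS): a shell check for the rule-order problem webnoob hit, plus a rewrite of the ruleset into the form tunk edits by hand in /etc/sysconfig/iptables. The ruleset is a constructed iptables-save rendering of the INPUT chain posted above; 8080 stands in for MY_PORT and the third rule is assumed to be `-i lo`.

```shell
#!/bin/sh
# Added example: detect an ACCEPT rule shadowed by the catch-all REJECT in an
# iptables-save style file (the format of /etc/sysconfig/iptables) and emit a
# corrected copy. Constructed sample; 8080 is a placeholder for MY_PORT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# 1-based position in the INPUT chain of the first catch-all REJECT (no match
# options before -j), empty if there is none.
reject_pos() {
    printf '%s\n' "$1" | awk '/^-A INPUT /{n++} /^-A INPUT -j REJECT/{print n; exit}'
}

# Position in INPUT of the ACCEPT rule for TCP port $2, empty if absent.
accept_pos() {
    printf '%s\n' "$1" | awk -v p="$2" '/^-A INPUT /{n++}
        /^-A INPUT / && $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ {print n; exit}'
}

# Prints "shadowed <pos>" when the port's ACCEPT sits below the catch-all
# REJECT (<pos> is where to re-insert it: iptables -I INPUT <pos> ...), else "ok".
check_order() {
    r=$(reject_pos "$1"); a=$(accept_pos "$1" "$2")
    if [ -n "$r" ] && [ -n "$a" ] && [ "$a" -gt "$r" ]; then
        echo "shadowed $r"
    else
        echo "ok"
    fi
}

# Same ruleset with the port's ACCEPT moved directly above the catch-all
# REJECT; this is what the saved file should contain after the fix.
fix_order() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^-A INPUT / && $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ { acc=$0; next }
        { lines[++n]=$0 }
        END { for (i=1; i<=n; i++) {
                if (acc != "" && lines[i] ~ /^-A INPUT -j REJECT/) { print acc; acc="" }
                print lines[i] } }'
}

check_order "$SAMPLE_RULES" 8080   # prints: shadowed 5
```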

webnoob
Posts: 37
Joined: 2017/02/01 11:26:27

Re: iptables active (exited)

Post by webnoob » 2018/10/18 11:55:49

I would rather not edit any config files directly. I have googled and found many sites that say I have to write "service iptables save" but I still get the same error bash: service: command not found…

Can someone tell me exactly how to create an iptables rule and save it?

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: iptables active (exited)

Post by tunk » 2018/10/18 12:01:35

I think it goes like this: service is used with initd, CentOS 7 uses systemd and the corresponding command is systemctl.
I don't know if this works (or even breaks your system): systemctl save iptables

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables active (exited)

Post by TrevorH » 2018/10/18 15:29:00

No, service is still used on CentOS 7 for certain things that systemctl doesn't handle. The ones I know about are

service iptables save
service ipset save
service auditd rotate|restart

Possibly you've mucked your PATH up - it's /sbin/service, try that.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

webnoob
Posts: 37
Joined: 2017/02/01 11:26:27

Re: iptables active (exited)

Post by webnoob » 2018/10/18 17:16:36

TrevorH wrote:
2018/10/18 15:29:00
No, service is still used on CentOS 7 for certain things that systemctl doesn't handle. The ones I know about are

service iptables save
service ipset save
service auditd rotate|restart

Possibly you've mucked your PATH up - it's /sbin/service, try that.
Then explain to me why I get the error "bash: service: command not found…"

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: iptables active (exited)

Post by chemal » 2018/10/18 18:41:53

Oct 17 17:12:33 localhost.localdomain iptables.init[700]: /usr/libexec/iptables/iptables.init: line 22: /etc/init.d/functions: No such file or directory

> rpm -qf /etc/init.d/functions
initscripts-9.49.41-1.el7_5.2.x86_64
