CentOS/RedHat 4 & iptables

This is a weird one....

I'm creating a clean IPtables configuration on my Centos 4.4 server. I flushed the rules then removed the RH-Firewall-1-INPUT reference chain. So now I just have the 3 defaults, INPUT, OUTPUT and FORWARD.

Looks something like this;


My OUTPUT rule works fine, but none of my input rules do. I've saved and restarted iptables.
Any idea why my INPUT rules aren't working? Is it because I deleted that RH-Firewall-INPUT-1 reference chain?

Any help would be appreciated. Perhaps someone who has done something similar will know the answer. I'm running commands like this;

iptables -A INPUT etcetcetc

/etc/init.d/iptables save
/etc/init.d/iptables restart
 
Your first rule in the INPUT chain is accepting all traffic, this is getting matched first, and effectively overriding all your other rules in that chain.
 
Arg, this is doing my head in. If I use the system-config-securitylevel to open a port number such as 3300 it works. Iptables chains look like so;

Code:
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     ipv6-crypt--  anywhere             anywhere            
ACCEPT     ipv6-auth--  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3300 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

If I enter my own rule it looks like this;

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     ipv6-crypt--  anywhere             anywhere            
ACCEPT     ipv6-auth--  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3300 state NEW

Why oh why is that wrong? I used the command;

Code:
iptables -A RH-Firewall-1-INPUT -p tcp -j ACCEPT --dport 3300 -m state --state NEW
 
Looks to me like your open port rule is below the catch-all reject so never gets hit (when you enter it manually). I don't know how you change the order of things from the command line, I usually put all the rules in a shell script and run that on startup or when something changes.
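As an added illustration of the ordering point made above (this is not code from the thread): a tiny Python model of iptables first-match evaluation, run over a reduced copy of the chain posted earlier. It shows that a rule appended with `-A` after the final REJECT is never reached, that `iptables -I CHAIN N` inserts at position N instead (positions as listed by `iptables -L --line-numbers`), and that an `ACCEPT all` at position 1 swallows everything. The rule set and packets are constructed for the example.

```python
# Added example: a minimal first-match model of one iptables chain.
# Rules and packets below are constructed; None means "any" for a field.

def rule(target, proto="all", dport=None, state=None):
    """One chain entry, roughly what `iptables -L` prints per line."""
    return {"target": target, "proto": proto, "dport": dport, "state": state}

def matches(r, pkt):
    return ((r["proto"] == "all" or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt.get("dport"))
            and (r["state"] is None or pkt["state"] in r["state"]))

def evaluate(chain, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based rule number) of the first matching rule,
    or (policy, None) if the packet falls off the end of the chain."""
    for n, r in enumerate(chain, start=1):
        if matches(r, pkt):
            return r["target"], n
    return policy, None

def append(chain, r):           # what `iptables -A CHAIN ...` does
    chain.append(r)

def insert(chain, r, pos=1):    # what `iptables -I CHAIN [pos] ...` does
    chain.insert(pos - 1, r)

def thread_chain():
    """The poster's RH-Firewall-1-INPUT, reduced to the rules relevant here."""
    return [
        rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        rule("ACCEPT", "tcp", dport=443, state={"NEW"}),
        rule("ACCEPT", "tcp", dport=80, state={"NEW"}),
        rule("REJECT"),         # reject-with icmp-host-prohibited, catch-all
    ]

NEW_3300 = {"proto": "tcp", "dport": 3300, "state": "NEW"}   # constructed packet

def appended_verdict():
    chain = thread_chain()
    append(chain, rule("ACCEPT", "tcp", dport=3300, state={"NEW"}))
    return evaluate(chain, NEW_3300)      # ('REJECT', 4): rule 5 is unreachable

def inserted_verdict():
    chain = thread_chain()
    # Same rule inserted just before the REJECT, i.e. position 4 in this chain.
    insert(chain, rule("ACCEPT", "tcp", dport=3300, state={"NEW"}), pos=4)
    return evaluate(chain, NEW_3300)      # ('ACCEPT', 4)

def accept_all_first_verdict():
    chain = thread_chain()
    insert(chain, rule("ACCEPT"), pos=1)  # an 'ACCEPT all' at the top
    return evaluate(chain, {"proto": "tcp", "dport": 22, "state": "NEW"})  # ('ACCEPT', 1)
```

On the real box, `iptables -L RH-Firewall-1-INPUT --line-numbers` shows the position to pass to `-I`, and `iptables -D CHAIN N` removes the misplaced rule by number.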
 
Thanks for your input. I managed to fix it late last night. You're partly right: I started from scratch and removed all rules, then created a couple of custom chains referenced from INPUT and FORWARD, and made sure the first rule was the ESTABLISHED,RELATED one. If that wasn't the case it would block me out. :)
 
Actually, another question. I was under the impression that a log rule in iptables would log to /var/log/messages by default. Problem is that my logs are instead going to the console screen, rendering the console useless for the period whilst it logs something bad for example. Any ideas?
 
--log-level=info in your (e.g. drop/log) chains should log it to /var/log/messages (as per info in /etc/syslog.conf) :).
 
That's the thing, I've done that but instead it's dumping it onto the command line.

Edit: thanks, that worked when I manually edited /etc/sysconfig/iptables.
 