LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Forum: Linux - Networking
#1  12-18-2004, 02:18 AM
ciscohead (Member; registered Mar 2003; distribution: Red Hat 7.3)
how to unDROP ex-bogons in iptables


When I do iptables -L I see a lot of stuff. I was trying to find out where that stuff comes from so I could delete a line in the config, with no luck. This is an RH box. I looked in /etc/rc.d/init.d; there is a script called iptables. It has a var in it which seems to be telling where there is an iptables config script, and also a data file. So I went where that points to, and sure enough there is the config script, but it is bogus: everything in it is commented out, and there is no data file where it says there should be one. So I'm not even sure this script is being called. HOW DO THESE THINGS GET INITIALIZED!!!


Next question....
In the INPUT chain I have a line that looks like this:
DROP all -- 72.0.0.0/8 anywhere
I think I no longer want that line there because that IP address range has become valid
(or so I'm told).

I'm told you can do iptables -D,
like iptables -D INPUT -p tcp --dport 80 -j DROP
but my lines don't look like that. I can't screw with this; it has to work, and anyway I think that would be a temporary change. I want this change to stick... if I could just find where it is coming from...
 
#2  12-18-2004, 11:21 AM
maxut (Senior Member; registered May 2003; location: Istanbul; distribution: debian - redhat - others)
The init script of iptables saves the config file as /etc/sysconfig/iptables.
You can edit that file directly and remove that line; after that, restart iptables.

Another way: you can delete that rule by its rule number.
Do "iptables -nvL" and look at where that rule is, then
iptables -D $chain $rule_number
After that, don't forget to save iptables.

Good luck.
 
#3  12-18-2004, 11:22 AM
Capt_Caveman (Senior Member; registered Mar 2003; distribution: Fedora)
The actual default iptables script for Redhat/Fedora is in /etc/sysconfig/iptables. However, don't directly edit the file itself: find the line that's blocking the 72.0.0.0/8 network and use the iptables -D option, then do: service iptables save. If you have problems, post the iptables script (remove your IP if it's there).
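To make the advice in posts #2 and #3 repeatable, here is an added example (not code from the thread) that finds the rule number to pass to iptables -D. It reads the output of iptables -nvL --line-numbers (the --line-numbers option makes the numbering explicit instead of counting by eye), matches on the exact source column so a rule whose destination is 72.0.0.0/8 is not confused with one whose source is, and emits deletions highest-number first, because each deletion renumbers the rules after it. The listing embedded in the script is constructed sample output, including a deliberately duplicated rule. After the deletions on a Red Hat box, service iptables save writes the live ruleset to /etc/sysconfig/iptables via iptables-save, which is the step that makes the change survive a reboot.

```shell
#!/bin/sh
# Added example (not from the thread): locate the rule number(s) of a rule for a
# given source network and target in a chain, from the output of
# "iptables -nvL --line-numbers", so they can be removed with
# "iptables -D <chain> <num>" and the result persisted with "service iptables save".

# Constructed sample output in the format of "iptables -nvL --line-numbers"
# (counters and rules made up for the example; rule 4 duplicates rule 2).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
2        3   180 DROP       all  --  *      *       72.0.0.0/8           0.0.0.0/0
3      991   88K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4        0     0 DROP       all  --  *      *       72.0.0.0/8           0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   300 DROP       all  --  *      *       0.0.0.0/0            72.0.0.0/8'

# find_rule_num CHAIN SOURCE TARGET < listing
# Prints the number of every rule in CHAIN whose source column equals SOURCE and
# whose target equals TARGET; prints nothing if there is none. Comparing the whole
# source column ($9) rather than substring-matching the line avoids hitting a rule
# that has 72.0.0.0/8 in its destination column.
find_rule_num() {
    awk -v chain="$1" -v src="$2" -v tgt="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $4 == tgt && $9 == src { print $1 }
    '
}

# delete_cmds CHAIN SOURCE TARGET < listing
# Emits the iptables commands that remove the matching rules, highest number first,
# so that an earlier deletion does not renumber a rule still waiting to be deleted.
delete_cmds() {
    find_rule_num "$1" "$2" "$3" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$1" "$n"
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | delete_cmds INPUT 72.0.0.0/8 DROP
    # On a live Red Hat system, as root:
    #   iptables -nvL --line-numbers | delete_cmds INPUT 72.0.0.0/8 DROP | sh
    #   service iptables save      # writes /etc/sysconfig/iptables via iptables-save
fi
```

Run with --demo to see the two delete commands for the constructed listing. Against the live ruleset, review the emitted commands before piping them to sh; on a box like the one in this thread, a cron job or wrapper script may simply re-add the rule minutes later, so the save only helps once the real source of the rules has been found.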
 
#4  12-18-2004, 11:45 AM
ciscohead (Member; registered Mar 2003; distribution: Red Hat 7.3; Original Poster)
no /etc/sysconfig/iptables

But that's the problem, guys.

There IS NO file called /etc/sysconfig/iptables,
so I don't KNOW where the stuff is coming from,
so if I did do a -D, then
where/how would I save it so it can find it later?

Furthermore, I ran chkconfig, and ipchains is turned ON at runlevels 2,3,4,5;
iptables is turned on at runlevel 2.
However, it tells me ipchains is incompatible with this kernel.
It makes no sense to me that it's set like that.

I've also checked for some other script like rc.firewall and
anything in rc.local, and come up empty.

This server is a colo. Could it be the service provider is somehow feeding it in on boot?
 
#5  12-18-2004, 03:23 PM
Capt_Caveman (Senior Member; registered Mar 2003; distribution: Fedora)
Usually runlevel 2 isn't used under normal operation, so it looks like you're running ipchains (look for the /etc/sysconfig/ipchains file). Use the runlevel command to determine what runlevel you are in. Probably the best way to determine what firewall is actually running is to use service iptables status and service ipchains status. The iptables -L command will help confirm this (if it gives you an error message, then iptables is off).

If you are running ipchains, I would really recommend switching to iptables. Though if you're using ipchains, you can still use the ipchains -D option to delete a rule; remember that the chain names are lower case in ipchains.
 
#6  12-18-2004, 04:52 PM
ciscohead (Member; registered Mar 2003; distribution: Red Hat 7.3; Original Poster)
not running ipchains

I am not running ipchains; that's why it seems odd that it is in chkconfig.

Quote:
ipchains is incompatible with this kernel.

iptables -L gives out reams of rules.

I know I can delete a rule. My WHOLE problem is where ARE THE RULES STORED,
so that I can save it there after I delete it.
 
#7  12-18-2004, 05:50 PM
Capt_Caveman (Senior Member; registered Mar 2003; distribution: Fedora)
Check /etc/rc.d/init.d/iptables and see where the iptables variables point. Also check /etc/rc.d/rc.local for any overriding script. If it's some kind of non-standard configuration, then you'll need to do some detective work and look in the /etc/rc.d subdirectories. Part of why I'm asking you what runlevel you are in is because the runlevel determines what rcX.d folder is run by init. Since you have iptables on only at runlevel 2, I'd say /etc/rc.d/rc2.d/. You should find an iptables file in that subfolder. This is where the system init determines where to gather the iptables rules. Normally though all the rc iptables files and /etc/init.d/iptables files should just be links to /etc/rc.d/init.d/iptables. Also, please stop typing in caps.
 
#8  12-18-2004, 08:07 PM
ciscohead (Member; registered Mar 2003; distribution: Red Hat 7.3; Original Poster)
Quote:
Check /etc/rc.d/init.d/iptables and see where the iptables variables point.
I have already done a lot of this poking around and reported it; see post #1. To recap, copied from the iptables script:

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES


As per post #1 there is no /etc/sysconfig/iptables
and /etc/sysconfig/iptables-config is just a dummy with comments, no real content.

Quote:
Also check /etc/rc.d/rc.local for any overriding script.
Been there and done that too, as per post #4.

rc.local just fires up a thing called bandmin. rc.sysinit does a lot of things, but nothing
that I can see with the firewall.

Quote:
If it's some kind of non-standard configuration, then you'll need to do some detective work and look in the /etc/rc.d subdirectories.
Been to all of 'em. They jibe with what chkconfig tells me, but it doesn't tell me where the rules live.

Quote:
Part of why I'm asking you what runlevel you are in is because the runlevel determines what rcX.d folder is run by init. Since you have iptables on only at runlevel 2, I'd say /etc/rc.d/rc2.d/. You should find an iptables file in that subfolder. This is where the system init determines where to gather the iptables rules. Normally though all the rc iptables files and /etc/init.d/iptables files should just be links to /etc/rc.d/init.d/iptables. Also, please stop typing in caps.
As you wish. And as you expect, this rc2.d file is a symlink to /etc/rc.d/init.d/iptables.

root@xxxxxxx [/etc/rc.d/rc2.d]# ls -al S08iptables
lrwxrwxrwx 1 root root 18 Nov 19 2002 S08iptables -> ../init.d/iptables*
root@xxxxxxx [/etc/rc.d/rc2.d]#

All the others are K92iptables and they point to the same place.

Sorry for typing in caps, but when I say I tried X and then someone suggests I try X, it makes me think
maybe I didn't say it loud enough the first time. I appreciate your help. I'm pretty sure the colo is doing this to us.
 
#9  12-20-2004, 01:30 PM
ciscohead (Member; registered Mar 2003; distribution: Red Hat 7.3; Original Poster)
solved it.

Turns out we use a wrapper script for iptables with an obscure name, hiding in
a little corner of /etc, which has the rules in it.

supergrep found it.

I just commented out the rule I didn't want any more, waited 10 minutes, the firewall woke up,
re-read its config, regenerated iptables, and poof, problem solved.

Thanks all....
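The "detective work" Capt_Caveman asks for in post #7 and the resolution in post #9 amount to one procedure: search the configuration tree for whatever actually applies the rules, then find out what re-runs it. This added example (not code from the thread) builds a constructed miniature of that layout under a temporary directory: the stock init script pointing at a /etc/sysconfig/iptables that does not exist, an empty iptables-config, a hypothetical wrapper at /etc/.fw/rules.sh (the thread never gives the real name), and a cron entry that re-applies it every ten minutes. The cron entry is an assumption; the thread only says the firewall "woke up" after ten minutes, and a periodic job is the usual reason an iptables -D by hand does not stick. The search functions are what you would point at the real /etc.

```shell
#!/bin/sh
# Added example (not from the thread): when "iptables -L" shows rules that no file in
# /etc/sysconfig accounts for, search the startup and scheduling locations for
# anything that names the blocked network or invokes iptables directly, and then for
# the cron entry that keeps re-running it.

# make_sample_tree ROOT
# Builds a constructed, Red Hat 7.3-style fragment of /etc under ROOT for the demo.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/sysconfig" "$root/etc/rc.d/init.d" "$root/etc/cron.d" "$root/etc/.fw"
    # The stock init script only loads /etc/sysconfig/iptables, which is absent here,
    # and calls the binary through a variable, so grepping for "iptables -A" misses it.
    printf 'IPTABLES=iptables\nIPTABLES_DATA=/etc/sysconfig/$IPTABLES\n' \
        > "$root/etc/rc.d/init.d/iptables"
    printf '# comments only, no rules\n' > "$root/etc/sysconfig/iptables-config"
    # Hypothetical wrapper with an obscure name (assumed path, not the thread's real one).
    cat > "$root/etc/.fw/rules.sh" <<'EOF'
#!/bin/sh
iptables -F INPUT
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 72.0.0.0/8 -j DROP
EOF
    # Assumed scheduler: re-applies the wrapper every 10 minutes, so a bare
    # "iptables -D" is undone at the next run.
    printf '*/10 * * * * root /etc/.fw/rules.sh\n' > "$root/etc/cron.d/fw"
}

# find_rule_sources ROOT PATTERN
# Lists regular files under ROOT/etc whose contents match the grep pattern PATTERN
# (for example the literal network, or "iptables -A"), skipping the stock init script
# that is already known not to carry the rules. Hidden directories are searched too.
find_rule_sources() {
    root=$1; pat=$2
    find "$root/etc" -type f -exec grep -l -e "$pat" {} + 2>/dev/null \
        | grep -v '/rc\.d/init\.d/iptables$' | sort
}

# find_schedulers ROOT SCRIPT
# Lists cron definitions under ROOT/etc that mention SCRIPT (fixed-string match),
# which explains rules that reappear a few minutes after being deleted by hand.
find_schedulers() {
    root=$1; script=$2
    for f in "$root/etc/crontab" "$root/etc/cron.d"; do
        if [ -e "$f" ]; then
            find "$f" -type f -exec grep -l -F -e "$script" {} + 2>/dev/null
        fi
    done | sort
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "Files naming 72.0.0.0/8:";          find_rule_sources "$tmp" '72\.0\.0\.0/8'
    echo "Files calling iptables directly:";  find_rule_sources "$tmp" 'iptables -A'
    echo "Cron entries running the wrapper:"; find_schedulers "$tmp" '/etc/.fw/rules.sh'
    rm -rf "$tmp"
    # On the real box: find_rule_sources / '72\.0\.0\.0/8' and, once the wrapper is
    # known, find_schedulers / /path/to/wrapper; also check "crontab -l" for root.
fi
```

Grepping for the literal network is the more reliable first pass: a wrapper can invoke the binary through a variable, exactly as the stock init script quoted in post #8 does with $IPTABLES, so a search for "iptables -A" can miss it while the network string cannot hide.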
 
Tags: firewall, script