IPTables, Apache, Connection refused
We have two servers (one running Apache, the other MySQL ... this happens with MySQL as well even though the title does not reflect that). We moved them across our network and gave them new (static) IPs. Now ... when we reboot them, we can't connect to them. We get a connection reset (this happens from localhost or remotely). However ... ssh works just fine (80, 443 and 22 being allowed on the Apache server and 22, 3306 allowed on the MySQL server).
We run ... /etc/init.d/iptables stop OR /etc/init.d/iptables restart ... and that resolves it and allows connections through. The rules appear correct in the iptables config file and show up as we expect them in the system-config-securitylevel GUI. There's nothing apparent in /var/log/messages or elsewhere that we can find. Any ideas as to why this may happen, or does anyone have any similar experience? Thanks in advance!
No, not without seeing the rules. If you have information that would be useful, it helps to give us that information. Compare "iptables -vnL" in each state the system is in for starters.
Thanks ....
OK ... so when it loads, the output is really long. It also is apparent why ssh works from the outset (that's explained in the rules) ... Here is what it looks like at boot without an iptables restart. NOTE: minor obfuscation applied.
# iptables -vnL
Code:
Chain INPUT (policy ACCEPT 98 packets, 7602 bytes)
Of special interest is that the subnet that this machine USED to be on is in this initial output (OLD.IP.SUBNET.0/24 above). THEN ..
# /etc/init.d/iptables restart
# iptables -vnL
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
... the second is what I would expect to see. The new output is simpler, as I would expect it to be. Finally, I've noted that the iptables rules seem to reset periodically (will try to catch an output when that happens next; not very predictable so far). So, how would I get a clean rebuild of the iptables rules and get them to stick at reboot? I tried setting IPTABLES_SAVE_ON_RESTART = yes (not sure if syntax is 100% here) in iptables-config after a bounce/fix. That seems to hold them. But it does not hold when I reboot the box altogether (which I need to be careful doing). Thanks again!
Check the iptables init script, and look to see what file it is trying to load as part of the "start" case. In RHEL/CentOS/Fedora it is located in /etc/sysconfig/iptables. Once your rules are loaded, and you are happy with them, use iptables-save > /path/to/file/found_in_init_script
Bah! Meant to post that with the iptables output. Distro is RHEL5.
... will give it a shot. Thanks
OK ... so when the firewall was in the state I wanted it I ran
# /etc/init.d/iptables save /etc/sysconfig/iptables
# reboot
<waited ... ssh'd in>
# less /etc/sysconfig/iptables
It looked like the second output, the shorter/correct version. This is a snippet from the /etc/init.d/iptables script:
Code:
....
BUT! ... When I ran # iptables -vnL after the above reboot, I got the same behavior and the same long output (first set of output in the post above). Should I try to change it to a new file using the save command and then alter the path/file used for IPTABLES_DATA to match the new file I save to?
You say that /etc/sysconfig/iptables (after saving) looked like the "second output"; do you mean the output above? It shouldn't look like that. /etc/sysconfig/iptables should look something like:
Code:
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
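A check that follows from the last two replies, added here and not taken from the thread: it compares the ruleset the kernel is actually running (iptables-save output) with the file the RHEL init script loads at boot, ignoring the timestamp comments and packet/byte counters that differ on every run, so a leftover rule such as the old subnet shows up as drift instead of hiding in a long iptables -vnL listing. The function names and both sample rulesets are constructed for the example; 192.0.2.0/24 is an RFC 5737 documentation address standing in for the old subnet.

```shell
# Normalise iptables-save output for comparison: drop the timestamp comments
# and the [pkts:bytes] counters (leading with -c, trailing on chain lines).
normalize_ruleset() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ \[[0-9]*:[0-9]*\]$//' -e '/^$/d'
}

# ruleset_drift SAVED_FILE RUNNING_FILE: 0 if the rulesets match, else 1 and
# one line for every rule present on only one side.
ruleset_drift() {
    saved=$(normalize_ruleset < "$1" | sort)
    running=$(normalize_ruleset < "$2" | sort)
    [ "$saved" = "$running" ] && return 0
    printf '%s\n' "$running" | while IFS= read -r line; do
        printf '%s\n' "$saved" | grep -qxF -- "$line" || echo "running-only: $line"
    done
    printf '%s\n' "$saved" | while IFS= read -r line; do
        printf '%s\n' "$running" | grep -qxF -- "$line" || echo "saved-only: $line"
    done
    return 1
}

# Constructed sample (not the poster's real rules): a boot file and a running
# ruleset that still carries a rule for an old subnet (192.0.2.0/24, RFC 5737).
demo_drift() {
    sf=$(mktemp); rf=$(mktemp)
    cat > "$sf" <<'EOF'
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$rf" <<'EOF'
# Generated by iptables-save v1.3.5 on Sat Aug 27 09:15:02 2011
*filter
:INPUT ACCEPT [98:7602]
:RH-Firewall-1-INPUT - [98:7602]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.0.2.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    ruleset_drift "$sf" "$rf"; rc=$?
    rm -f "$sf" "$rf"
    return $rc
}
```

On a live box the same check is `iptables-save > /tmp/running; ruleset_drift /etc/sysconfig/iptables /tmp/running`; a non-zero exit right after boot means something other than the init script's IPTABLES_DATA file is loading rules.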