LinuxQuestions.org
Linux - Networking
#1  jwlnx (LQ Newbie), 10-12-2011, 01:01 PM
IPTables, Apache, Connection refused


We have two servers (one running Apache, the other MySQL ... this happens with MySQL as well, even though the title does not reflect that). We moved them across our network and gave them new (static) IPs. Now ... when we reboot them, we can't connect to them. We get a connection reset (this happens from localhost or remotely). However ... ssh works just fine (80, 443 and 22 being allowed on the Apache server and 22, 3306 allowed on the MySQL one).

We run
/etc/init.d/iptables stop
or
/etc/init.d/iptables restart
... and that resolves it and allows connections through.

The rules appear correct in the iptables config file and show up as we expect them in the system-config-securitylevel GUI.

There's nothing apparent in /var/log/messages or elsewhere that we can find.

Any ideas as to why this may happen or anyone have any similar experience?

Thanks in advance!

 
#2  acid_kewpie (Moderator), 10-12-2011, 02:26 PM
No, not without seeing the rules. If you have information that would be useful, it helps to give us that information. Compare "iptables -vnL" in each state the system is in, for starters.
 
#3  jwlnx (Original Poster), 10-13-2011, 07:18 AM
Thanks ....

OK ... so when it loads, the output is really long. It is also apparent why ssh works from the outset (that's explained in the rules) ...

Here is what it looks like at boot, without an iptables restart. NOTE: minor obfuscation applied.

# iptables -vnL
Code:
Chain INPUT (policy ACCEPT 98 packets, 7602 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1333 2266K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/8            0.0.0.0/0           
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  *      *       192.0.0.0/24         0.0.0.0/0           
    0     0 DROP       all  --  *      *       192.0.2.0/24         0.0.0.0/0           
    0     0 DROP       all  --  *      *       198.18.0.0/15        0.0.0.0/0           
    0     0 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       203.0.113.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       all  --  *      *       240.0.0.0/4          0.0.0.0/0           
  637 52397 TMP_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  637 52397 TALLOW     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  637 52397 TDENY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  637 52397 TGALLOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  637 52397 TGDENY     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
  108  8424 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1433 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1434 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1434 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1234 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1524 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1524 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3127 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3127 
  483 40427 IN_SANITY  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  482 40349 FRAG_UDP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  480 40193 PZERO      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  459 38555 P2P        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  142 17148 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 limit: avg 30/sec burst 5 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5 limit: avg 30/sec burst 5 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 limit: avg 30/sec burst 5 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 limit: avg 30/sec burst 5 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 30 limit: avg 30/sec burst 5 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 30/sec burst 5 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 
  133  5328 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  134 12975 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       D.N.S.IP             0.0.0.0/0           udp spt:53 dpts:1023:65535 
    0     0 ACCEPT     tcp  --  *      *       D.N.S.IP             0.0.0.0/0           tcp spt:53 dpts:1023:65535 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1023:65535 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1023:65535 
    0     0 ACCEPT     udp  --  *      *       D.N.S.IP2            0.0.0.0/0           udp spt:53 dpts:1023:65535 
    0     0 ACCEPT     tcp  --  *      *       D.N.S.IP2            0.0.0.0/0           tcp spt:53 dpts:1023:65535 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1023:65535 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1023:65535 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1023:65535 dpt:21 state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20 state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20 state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 dpts:513:65535 state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:22 state ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:33434:33534 
   38  2252 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    2    72 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 99 packets, 6103 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1333 2266K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   18   864 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/8           
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16      
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.0.0.0/24        
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.0.2.0/24        
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.18.0.0/15       
    0     0 DROP       all  --  *      *       0.0.0.0/0            198.51.100.0/24     
    0     0 DROP       all  --  *      *       0.0.0.0/0            203.0.113.0/24      
   17  2197 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 DROP       all  --  *      *       0.0.0.0/0            240.0.0.0/4         
  476 82586 TMP_DROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  476 82586 TALLOW     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  476 82586 TDENY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  476 82586 TGALLOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  476 82586 TGDENY     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1433 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1434 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1434 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1234 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1524 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1524 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3127 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3127 
  431 79796 OUT_SANITY  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  430 79734 FRAG_UDP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  428 79610 PZERO      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  406 78246 P2P        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  249 68279 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 state RELATED,ESTABLISHED 
  133  8661 ACCEPT     udp  --  *      *       0.0.0.0/0            D.N.S.IP            udp spts:1023:65535 dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            D.N.S.IP            tcp spts:1023:65535 dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            D.N.S.IP2           udp spts:1023:65535 dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            D.N.S.IP2           tcp spts:1023:65535 dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            D.N.S.IP            udp spts:1023:65535 dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            D.N.S.IP            tcp spts:1023:65535 dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            D.N.S.IP2           udp spts:1023:65535 dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            D.N.S.IP2           tcp spts:1023:65535 dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 dpts:1023:65535 state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20 state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 21,20 state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:33434:33534 
   13   624 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FRAG_UDP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  -f  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_SANITY (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 

Chain OUT_SANITY (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 

Chain P2P (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1214 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:1214 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2323 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:2323 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6257 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:6257 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6699 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:6699 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6346 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6347 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:6347 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6346 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7778 reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65534 dpt:7778 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable 

Chain PROHIBIT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain PZERO (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:0 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:0 

Chain RESET (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 

Chain TALLOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       IN.SIDE.IP.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            IN.SIDE.IP.0/24     
    0     0 ACCEPT     all  --  *      *       OLD.IP.SUBNET.0/24   0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            OLD.IP.SUBNET.0/24  

Chain TDENY (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TGALLOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TGDENY (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TMP_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination

Of special interest is that the subnet this machine USED to be on is in this initial output (OLD.IP.SUBNET.0/24 above).

Then ...
# /etc/init.d/iptables restart
# iptables -vnL
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2308 2913K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1301 packets, 211K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
 2286 2911K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
   11   652 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   11   858 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

... the second is what I would expect to see. The new output is simpler, as I would expect it to be.

Finally, I've noted that the iptables rules seem to reset periodically (I'll try to catch the output when that happens next; it's not very predictable so far).

So, how would I get a clean rebuild of the iptables rules and get them to stick at reboot? I tried setting IPTABLES_SAVE_ON_RESTART = yes (not sure if the syntax is 100% right here) in iptables-config after a bounce/fix. That seems to hold them. But it does not hold when I reboot the box altogether (which I need to be careful doing).

Thanks again!
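Comparing the two listings above the way acid_kewpie suggested is much easier once the packet and byte counters, which differ between any two runs, are stripped out. The script below is an added example and not code from the thread: it normalises "iptables -vnL" output, lists the chains that exist in one listing but not the other, and prints an order-preserving diff of the remaining rules. The two embedded listings are shortened, constructed stand-ins for the boot-time and post-restart output posted above (the poster's obfuscated addresses are kept as placeholders); on a real box you would feed it a file captured with "iptables -vnL > /tmp/boot.txt" in each state.

```shell
#!/bin/sh
# Added example, not code from the thread: compare two "iptables -vnL"
# listings (e.g. the one taken right after boot and the one taken after
# "/etc/init.d/iptables restart") with the volatile counters stripped, so
# that only genuine chain and rule differences remain.
set -e

# Normalise a listing read on stdin:
#   "Chain X (policy ... / N references)"  ->  "chain X"
#   the "pkts bytes target ..." header and blank lines are dropped
#   each rule loses its pkts/bytes columns and is prefixed with its chain
ipt_norm() {
    awk '
        /^ *Chain /       { chain = $2; print "chain " chain; next }
        /^ *pkts +bytes/  { next }
        NF == 0           { next }
        {
            $1 = ""; $2 = ""      # drop the two counter columns
            sub(/^ +/, "")        # rebuilding $0 leaves a leading gap
            print chain ": " $0
        }'
}

# Sorted, unique chain names of the listing in file $1.
ipt_chains() {
    ipt_norm < "$1" | awk '$1 == "chain" { print $2 }' | sort -u
}

# Chains present in listing $1 but absent from listing $2.
chains_only_in() {
    _ref=$(mktemp)
    ipt_chains "$2" > "$_ref"
    ipt_chains "$1" | grep -vxF -f "$_ref" || true
    rm -f "$_ref"
}

# Order-preserving rule diff of two listings; returns 1 when they differ.
ipt_diff() {
    _a=$(mktemp); _b=$(mktemp)
    ipt_norm < "$1" > "$_a"
    ipt_norm < "$2" > "$_b"
    diff -u "$_a" "$_b" && _rc=0 || _rc=$?
    rm -f "$_a" "$_b"
    return $_rc
}

# Constructed, shortened stand-ins for the two listings posted in the thread;
# the poster's obfuscated addresses are kept as placeholders.
sample_boot() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 98 packets, 7602 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1333 2266K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  637 52397 TALLOW     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  142 17148 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   38  2252 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain TALLOW (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       IN.SIDE.IP.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       OLD.IP.SUBNET.0/24   0.0.0.0/0
EOF
}
sample_restart() {
cat <<'EOF'
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2308 2913K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   11   652 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
   11   858 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

BOOT=$(mktemp); RESTART=$(mktemp)
sample_boot > "$BOOT"; sample_restart > "$RESTART"
echo "chains present only at boot:"
chains_only_in "$BOOT" "$RESTART"
echo "chains present only after restart:"
chains_only_in "$RESTART" "$BOOT"
echo "rule diff, boot -> after restart:"
ipt_diff "$BOOT" "$RESTART" || true
rm -f "$BOOT" "$RESTART"
```

The chain list is the quick tell: custom chains such as TALLOW that exist in the boot-time listing but not after the service restart were created by something the iptables service never loads.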
 
#4  fukawi1 (Member), 10-13-2011, 07:40 AM
Quote:
So, how would I get a clean rebuild of the iptables rules and get them to stick at reboot?
Without knowing what distro you are using...

Check the iptables init script and look to see what file it is trying to load as part of the "start" case.
In RHEL/CentOS/Fedora it is /etc/sysconfig/iptables.

Once your rules are loaded and you are happy with them, use iptables-save > /path/to/file/found_in_init_script
 
#5  jwlnx (Original Poster), 10-13-2011, 07:42 AM
Bah! Meant to post that with the iptables output. The distro is RHEL5
... will give it a shot.

Thanks
 
#6  jwlnx (Original Poster), 10-13-2011, 08:05 AM

OK ... so when the firewall was in the state I wanted it, I ran
# /etc/init.d/iptables save /etc/sysconfig/iptables

# reboot
<waited ... ssh'd in>
# less /etc/sysconfig/iptables
It looked like the second output, the shorter/correct version.

This is a snippet from /etc/init.d/iptables script
Code:
....
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
...
So ... it is using that file (/etc/sysconfig/iptables).

BUT! ...
When I ran
# iptables -vnL
after the above reboot, I got the same behavior and the same long output (the first set of output in the post above).

Should I try to change it to a new file using the save command and then alter the path/file used for IPTABLES_DATA to match the new file I save to?

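The symptom in the post above, the saved /etc/sysconfig/iptables holding the short rule set while the long one with the TALLOW, P2P and IN_SANITY chains is back after a reboot (and, per the earlier post, comes back periodically), means something other than the iptables service is installing those rules. The thread never identifies what. The script below is an added example, not code from the thread, built on the assumption that the culprit is another boot-time script (an init script or rc.local) or a cron job: it greps the RHEL 5 locations for the distinctive chain names and for iptables invocations, excluding the iptables init script itself, and lists which runlevel-3 start scripts run after iptables and so could overwrite the rules the service just loaded. The root-directory argument exists so the functions can be tried against a constructed tree; with no argument they scan the live system.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption (the thread never
# confirms it): a rule set that the iptables service does not load, yet is
# present after boot and comes back periodically, is being installed by some
# other script: another init script, rc.local, or a cron job. This looks for
# that script under the RHEL 5 locations.
set -e

# Chain names from the boot-time listing that are absent from the saved
# /etc/sysconfig/iptables; distinctive enough to grep for.
STRAY_CHAINS='TALLOW|TGALLOW|TDENY|TGDENY|TMP_DROP|IN_SANITY|OUT_SANITY|PZERO|P2P|FRAG_UDP'

# Print "file:line:text" for every boot-time or scheduled script under root
# $1 (default "/") that names a stray chain or invokes iptables, excluding the
# iptables init script itself. $1 exists so this can be run against a
# constructed tree rather than the live system.
find_rule_loaders() {
    root=${1:-}
    for d in "$root/etc/rc.d" "$root/etc/init.d" "$root/etc/crontab" \
             "$root/etc/cron.d" "$root/etc/cron.hourly" "$root/etc/cron.daily" \
             "$root/var/spool/cron"; do
        [ -e "$d" ] || continue
        grep -rnHE "(^|[^A-Za-z0-9_])($STRAY_CHAINS)([^A-Za-z0-9_]|\$)|iptables(-restore)?[[:space:]]" \
            "$d" 2>/dev/null | grep -vE '^[^:]*/ip6?tables:' || true
    done
}

# Start scripts of runlevel $2 (default 3) under root $1 that run after
# iptables; any of them could replace the rule set the service just loaded.
started_after_iptables() {
    root=${1:-}; lvl=${2:-3}
    dir="$root/etc/rc.d/rc$lvl.d"
    [ -d "$dir" ] || return 0
    ls "$dir" | grep '^S' | sort | awk '/iptables$/ { seen = 1; next } seen { print }'
}

echo "scripts naming a stray chain or calling iptables:"
find_rule_loaders
echo "runlevel 3 start scripts that run after iptables:"
started_after_iptables
```

Whatever this turns up is the thing to fix or disable; "iptables save" only records the rules that are live at that moment, and the periodic reset in the earlier post is exactly what a cron-driven reload would look like.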
 
#7  fukawi1 (Member), 10-14-2011, 03:38 AM
You say that /etc/sysconfig/iptables (after saving) looked like the "second output"; do you mean the output above
Quote:
Originally Posted by jwlnx
... the second is what I would expect to see. New output is simpler as I would expect it to be.
in your original post...
It shouldn't look like that; /etc/sysconfig/iptables should look something like:

Code:
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
*mangle
:PREROUTING ACCEPT [176481857:138345503282]
:INPUT ACCEPT [3070771:352528220]
:FORWARD ACCEPT [173410168:137992848189]
:OUTPUT ACCEPT [879088:119659080]
:POSTROUTING ACCEPT [174260220:138110902562]
COMMIT
# Completed on Fri Aug 26 22:30:35 2011
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
*nat
What happens if you manually run
Quote:
# iptables-save > /etc/sysconfig/iptables
rather than saving it via the init script?
 
  

