10-12-2011, 01:01 PM
#1
LQ Newbie
Registered: Oct 2011
Posts: 4
Rep:
IPTables, Apache, Connection refused
We have two servers (one running apache, the other mysql ... happens with mysql as well even though title does not reflect that). We moved them across our network, gave them new IPs (static). Now ... when we reboot them, we can't connect to them. We get a connection reset (this happens on localhost or remotely). However ... ssh works just fine (80, 443 and 22 being allowed on the apache server and 22, 3306 allowed on the mysql).
We run ...
/etc/init.d/iptables stop
OR
/etc/init.d/iptables restart
... that resolves and allows connections through
The rules appear correct in the iptables config file and show up as we expect them in the system-config-securitylevel GUI.
There's nothing apparent in /var/log/messages or elsewhere that we can find.
Any ideas as to why this may happen or anyone have any similar experience?
Thanks in advance!
Last edited by jwlnx; 10-12-2011 at 01:03 PM .
10-12-2011, 02:26 PM
#2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
No, not without seeing the rules. If you have information that would be useful, it helps to give us that information. Compare "iptables -vnL" in each state the system is in for starters.
10-13-2011, 07:18 AM
#3
LQ Newbie
Registered: Oct 2011
Posts: 4
Original Poster
Rep:
Thanks ....
OK ... so when it loads, the output is really long. It also is apparent why ssh works from the outset (that's explained in the rules) ...
Here is what it looks like at boot without an iptables restart. NOTE: minor obfuscation applied.
# iptables -vnL
Code:
Chain INPUT (policy ACCEPT 98 packets, 7602 bytes)
pkts bytes target prot opt in out source destination
1333 2266K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 192.0.0.0/24 0.0.0.0/0
0 0 DROP all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 DROP all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 DROP all -- * * 198.51.100.0/24 0.0.0.0/0
0 0 DROP all -- * * 203.0.113.0/24 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- * * 240.0.0.0/4 0.0.0.0/0
637 52397 TMP_DROP all -- * * 0.0.0.0/0 0.0.0.0/0
637 52397 TALLOW all -- * * 0.0.0.0/0 0.0.0.0/0
637 52397 TDENY all -- * * 0.0.0.0/0 0.0.0.0/0
637 52397 TGALLOW all -- * * 0.0.0.0/0 0.0.0.0/0
637 52397 TGDENY all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
108 8424 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1234
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1524
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1524
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3127
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3127
483 40427 IN_SANITY all -- * * 0.0.0.0/0 0.0.0.0/0
482 40349 FRAG_UDP all -- * * 0.0.0.0/0 0.0.0.0/0
480 40193 PZERO all -- * * 0.0.0.0/0 0.0.0.0/0
459 38555 P2P all -- * * 0.0.0.0/0 0.0.0.0/0
142 17148 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 limit: avg 30/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 5 limit: avg 30/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 30/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 30/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 30 limit: avg 30/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 30/sec burst 5
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
133 5328 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
134 12975 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * D.N.S.IP 0.0.0.0/0 udp spt:53 dpts:1023:65535
0 0 ACCEPT tcp -- * * D.N.S.IP 0.0.0.0/0 tcp spt:53 dpts:1023:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1023:65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
0 0 ACCEPT udp -- * * D.N.S.IP2 0.0.0.0/0 udp spt:53 dpts:1023:65535
0 0 ACCEPT tcp -- * * D.N.S.IP2 0.0.0.0/0 tcp spt:53 dpts:1023:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1023:65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1023:65535 dpt:21 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 state ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:33434:33534
38 2252 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
2 72 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 99 packets, 6103 bytes)
pkts bytes target prot opt in out source destination
1333 2266K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
18 864 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/8
0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 DROP all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 DROP all -- * * 0.0.0.0/0 192.0.0.0/24
0 0 DROP all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 DROP all -- * * 0.0.0.0/0 198.18.0.0/15
0 0 DROP all -- * * 0.0.0.0/0 198.51.100.0/24
0 0 DROP all -- * * 0.0.0.0/0 203.0.113.0/24
17 2197 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 DROP all -- * * 0.0.0.0/0 240.0.0.0/4
476 82586 TMP_DROP all -- * * 0.0.0.0/0 0.0.0.0/0
476 82586 TALLOW all -- * * 0.0.0.0/0 0.0.0.0/0
476 82586 TDENY all -- * * 0.0.0.0/0 0.0.0.0/0
476 82586 TGALLOW all -- * * 0.0.0.0/0 0.0.0.0/0
476 82586 TGDENY all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1234
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1524
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1524
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3127
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3127
431 79796 OUT_SANITY all -- * * 0.0.0.0/0 0.0.0.0/0
430 79734 FRAG_UDP all -- * * 0.0.0.0/0 0.0.0.0/0
428 79610 PZERO all -- * * 0.0.0.0/0 0.0.0.0/0
406 78246 P2P all -- * * 0.0.0.0/0 0.0.0.0/0
249 68279 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
133 8661 ACCEPT udp -- * * 0.0.0.0/0 D.N.S.IP udp spts:1023:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 D.N.S.IP tcp spts:1023:65535 dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 D.N.S.IP2 udp spts:1023:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 D.N.S.IP2 tcp spts:1023:65535 dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 D.N.S.IP udp spts:1023:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 D.N.S.IP tcp spts:1023:65535 dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 D.N.S.IP2 udp spts:1023:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 D.N.S.IP2 tcp spts:1023:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1023:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:33434:33534
13 624 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FRAG_UDP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -f * * 0.0.0.0/0 0.0.0.0/0
Chain IN_SANITY (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
Chain OUT_SANITY (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
Chain P2P (2 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:1214 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1214 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2323 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:2323 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:2323 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpts:4660:4678 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:4660:4678 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6257 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6257 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6699 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6699 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6347 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6347 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6347 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:6346 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6346 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7778 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65534 dpt:7778 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:7778 dpts:1024:65534 reject-with icmp-port-unreachable
Chain PROHIBIT (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain PZERO (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
Chain RESET (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain TALLOW (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * IN.SIDE.IP.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 IN.SIDE.IP.0/24
0 0 ACCEPT all -- * * OLD.IP.SUBNET.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 OLD.IP.SUBNET.0/24
Chain TDENY (2 references)
pkts bytes target prot opt in out source destination
Chain TGALLOW (2 references)
pkts bytes target prot opt in out source destination
Chain TGDENY (2 references)
pkts bytes target prot opt in out source destination
Chain TMP_DROP (2 references)
pkts bytes target prot opt in out source destination
Of special interest is that the subnet that this machine USED to be on is in this initial output (OLD.IP.SUBNET.0/24 above).
THEN ..
#/etc/init.d/iptables restart
#iptables -vnL
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2308 2913K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1301 packets, 211K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
2286 2911K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
11 652 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
11 858 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
... the second is what I would expect to see. New output is simpler as I would expect it to be.
Finally, I've noted that the iptables rules seem to reset periodically (will try to catch an output when that happens next, not very predictable so far).
So, how would I get a clean rebuild of the iptables rules and get them to stick at reboot? I tried setting IPTABLES_SAVE_ON_RESTART = yes (not sure if syntax is 100% here) in iptables-config after a bounce/fix. That seems to hold them. But it does not hold when I reboot the box altogether (which I need to be careful doing).
Thanks again!
10-13-2011, 07:40 AM
#4
Member
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854
Rep:
Quote:
So, how would I get a clean rebuild of the iptables rules and get them to stick at reboot?
Without knowing what distro you are using...
Check the iptables init script, and look to see what file it is trying to load as part of the "start" case.
In RHEL/CentOS/Fedora it is located in /etc/sysconfig/iptables
Once your rules are loaded, and you are happy with them, use iptables-save > /path/to/file/found_in_init_script
Last edited by fukawi1; 10-13-2011 at 07:44 AM .
Reason: missed the quote explaining what i was answering
10-13-2011, 07:42 AM
#5
LQ Newbie
Registered: Oct 2011
Posts: 4
Original Poster
Rep:
Bah! Meant to post that with the iptables output. Distro is RHEL5.
... will give it a shot.
Thanks
Last edited by jwlnx; 10-13-2011 at 07:43 AM .
10-13-2011, 08:05 AM
#6
LQ Newbie
Registered: Oct 2011
Posts: 4
Original Poster
Rep:
OK ... so when the firewall was in the state I wanted it I ran
#/etc/init.d/iptables save /etc/sysconfig/iptables
#reboot
<waited ... ssh'd in>
#less /etc/sysconfig/iptables
It looked like the second output, the shorter/correct version.
This is a snippet from /etc/init.d/iptables script
Code:
....
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
...
So ... it is using that file (/etc/sysconfig/iptables)
BUT! ...
When I ran
#iptables -vnL
after the above reboot, I got the same behavior and same long output (first set of output in post above).
Should I try to change it to a new file using the save command and then alter the path/file used for IPTABLES_DATA to match the new file I save to?
Last edited by jwlnx; 10-13-2011 at 03:04 PM .
10-14-2011, 03:38 AM
#7
Member
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854
Rep:
You say that /etc/sysconfig/iptables (after saving) looked like the "second output"; do you mean the output above
Quote:
Originally Posted by jwlnx
... the second is what I would expect to see. New output is simpler as I would expect it to be.
in your original post...
It shouldn't look like that; /etc/sysconfig/iptables should look something like:
Code:
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
*mangle
:PREROUTING ACCEPT [176481857:138345503282]
:INPUT ACCEPT [3070771:352528220]
:FORWARD ACCEPT [173410168:137992848189]
:OUTPUT ACCEPT [879088:119659080]
:POSTROUTING ACCEPT [174260220:138110902562]
COMMIT
# Completed on Fri Aug 26 22:30:35 2011
# Generated by iptables-save v1.3.5 on Fri Aug 26 22:30:35 2011
*nat
What happens if you manually run
Quote:
# iptables-save > /etc/sysconfig/iptables
rather than saving it via the init script?
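As an added example that is not from any of the posters here: a POSIX sh check for the situation jwlnx describes, comparing a live iptables-save dump against the file the init script loads (/etc/sysconfig/iptables on RHEL, as fukawi1 notes) after stripping the counters and timestamps that change on every dump. The rulesets below are constructed samples modelled on the RH-Firewall-1-INPUT output in the thread; 192.0.2.0/24 stands in for the old subnet.

```shell
#!/bin/sh
# Added example (not from the thread): detect "ruleset drift", i.e. the live
# iptables rules no longer matching what the init script loads from
# /etc/sysconfig/iptables. Both sides are in iptables-save format; the
# "# Generated"/"# Completed" timestamps and the [packets:bytes] counters
# change on every dump, so they are stripped before comparing.

# Normalise an iptables-save dump read on stdin: drop the volatile parts.
normalize_ruleset() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//' \
        -e '/^[[:space:]]*$/d'
}

# Exit 0 when two dumps describe the same rules, 1 otherwise.
rulesets_match() {
    [ "$(printf '%s\n' "$1" | normalize_ruleset)" = \
      "$(printf '%s\n' "$2" | normalize_ruleset)" ]
}

# Print rule lines present in the live dump ($1) but absent from the saved
# one ($2): the quickest way to see which rules "came back" after a reboot.
unexpected_rules() {
    saved_tmp="${TMPDIR:-/tmp}/saved_rules.$$"
    printf '%s\n' "$2" | normalize_ruleset | grep '^-A' | sort > "$saved_tmp"
    printf '%s\n' "$1" | normalize_ruleset | grep '^-A' | sort | comm -23 - "$saved_tmp"
    rm -f "$saved_tmp"
}

# On the server itself (root required; not executed here) the check would be:
#   rulesets_match "$(iptables-save)" "$(cat /etc/sysconfig/iptables)" \
#     || unexpected_rules "$(iptables-save)" "$(cat /etc/sysconfig/iptables)"

# Constructed sample modelled on the RHEL default chain shown in the thread.
SAVED='# Generated by iptables-save v1.3.5 on Thu Oct 13 07:40:00 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1301:211000]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 13 07:40:00 2011'

# Constructed: the same rules dumped a day later; only counters/timestamps differ.
LIVE_SAME=$(printf '%s\n' "$SAVED" \
    | sed -e 's/Oct 13 07:40:00/Oct 14 03:38:00/' -e 's/\[1301:211000\]/[9876:543210]/')

# Constructed: a stale ACCEPT for an old subnet (192.0.2.0/24, a documentation
# range) has reappeared ahead of the RH chain, like OLD.IP.SUBNET in the thread.
LIVE_DRIFT=$(printf '%s\n' "$SAVED" | awk '
    /^-A INPUT -j RH-Firewall-1-INPUT$/ { print "-A INPUT -s 192.0.2.0/24 -j ACCEPT" }
    { print }')

rulesets_match "$LIVE_SAME" "$SAVED" && echo "LIVE_SAME: matches saved file"
if ! rulesets_match "$LIVE_DRIFT" "$SAVED"; then
    echo "LIVE_DRIFT: differs from saved file; unexpected rules:"
    unexpected_rules "$LIVE_DRIFT" "$SAVED"
fi
```

Run from cron after each boot and a non-empty unexpected_rules output points straight at whatever is loading the old ruleset.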