LinuxQuestions.org
12-04-2012, 08:06 AM   #1
Simkill
Iptable config question


Hi there! I'm no Linux pro, and I have a problem with my iptables. I am trying to open a couple of port ranges and it isn't working for whatever reason. The current code is:

-A INPUT -p udp -m state -m udp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT


Neither line seems to do what I want it to do. What have I done wrong? I can't seem to tell.

Thanks for your help!
 
12-04-2012, 08:12 AM   #2
acid_kewpie (Moderator)
well you've not said what you want it to do really... They look like they might be "correct" but you may have added them after a final DROP line on the rulebase? Context would be handy, "iptables -vnL" would show that. More than that though, you'll need to save them in a rulebase, and I'd do that by editing /etc/sysconfig/iptables directly anyway, so the context and layout of rules in there should be very simple to understand (presuming your unnamed distro uses that file)
 
12-04-2012, 08:26 AM   #3
Simkill (Original Poster)
Sorry, I should have been more specific! I'm running RHEL 6.2. It's actually Oracle Linux 6.2 but it's basically the same thing, so I understand. The line is amongst other lines that do work and was added directly to iptables using vi. The config doesn't show when running iptables -vnL as it is currently hashed out as it didn't work during testing. The server is a production server and I don't want to disrupt anything by unhashing it and restarting iptables during the day. Whether the worry of taking down the server's firewall is warranted or not, I don't know.

I was wondering if there was anything obviously wrong with it before I start playing too much. I had copied the previous entries and added it as a range instead of a single port and wanted to accept established connections as well as new ones. The format may not be correct for port ranges. I don't know as I have found a couple of conflicting views on configuring port ranges in iptables.

Here's the complete file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Allow daytime response
-A INPUT -p tcp -m state -m tcp --dport 13 --state NEW -j ACCEPT
# Allow ftp data
-A INPUT -p tcp -m state -m tcp --dport 20 --state NEW -j ACCEPT
# Allow SSH
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Allow http
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
# Allow Samba NetBios Name Resolution
-A INPUT -p tcp -m state -m tcp --dport 137 --state NEW -j ACCEPT
# Allow Samba NetBios Datagrams
-A INPUT -p tcp -m state -m tcp --dport 138 --state NEW -j ACCEPT
# Allow Samba NetBios Sessions
-A INPUT -p tcp -m state -m tcp --dport 139 --state NEW -j ACCEPT
# Allow snmp
-A INPUT -p udp -m state -m udp --dport 161 --state NEW -j ACCEPT
# Allow https
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
# Allow Samba Microsoft Directory Services
-A INPUT -p tcp -m state -m tcp --dport 445 --state NEW -j ACCEPT
# Allow Oracle SQL-Net
-A INPUT -p tcp -m state -m tcp --dport 1521 --state NEW -j ACCEPT
# Allow Tomcat
-A INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT
# Allow Tomcat
-A INPUT -p tcp -m state -m tcp --dport 8081 --state NEW -j ACCEPT
# Allow BackupExec Agent
-A INPUT -p tcp -m state -m tcp --dport 6103 --state NEW -j ACCEPT
# Allow BackupExec Agent
-A INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
# Allow Webmin
-A INPUT -p tcp -m state -m tcp --dport 11000 --state NEW -j ACCEPT
# This rule overlaps the Webmin rule - unknown why there is a port range
# -A INPUT -p tcp -m state -m tcp --dport 11000:11010 -j ACCEPT
# Allow ERS Server
-A INPUT -p tcp -m state -m tcp --dport 10348 --state NEW -j ACCEPT
# Allow JMX engine monitoring
#-A INPUT -p tcp -m state -m tcp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p udp -m state -m udp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT

# Allow Usermin
-A INPUT -p tcp -m state -m tcp --dport 20000 --state NEW -j ACCEPT
# Allow BackupExec Server
-A INPUT -s 172.16.150.42 -j ACCEPT
# Log all traffic that reached here - this would normally get dropped
# -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# # Allow all traffic - IH, EDWT, 24-July-2012 - Issues with IPTables not matching rules
# -A INPUT -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
 
12-04-2012, 08:48 AM   #4
acid_kewpie (Moderator)
well it looks just fine there, did you ever see it in the iptables output? Why is it hashed out? Surely if it wasn't working, then it's only not allowing, like it's also not allowing if hashed out... just being careful, or am I missing something that might be relevant?

I'd drop the established bit though, that's irrelevant as you're matching existing connections at the top already.
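The two points raised in #2 and #4, whether the new lines sit above the final REJECT and whether the ESTABLISHED state on them does anything, can be checked mechanically before the file is ever loaded. The script below is an added example, not code from the thread or from the iptables project: it reads a rulebase in iptables-save format (the format of /etc/sysconfig/iptables) and reports rules placed after a catch-all ACCEPT/DROP/REJECT, --dport/--sport values that are not a valid port or low:high range, and --state ESTABLISHED on rules below a chain-wide ESTABLISHED,RELATED accept. The embedded SAMPLE is a constructed, trimmed copy of the file in #3 with the range rules enabled and two deliberate mistakes added so that every check fires; the function and variable names are mine.

```python
"""Static checks for a rulebase in iptables-save format (added example, not from the thread).

Per chain in the *filter table it reports:
  1. rules after a catch-all "-j ACCEPT/DROP/REJECT" with no match criteria
     (netfilter stops at the first matching terminal target, so they never fire);
  2. --dport/--sport values that are not a port or a low:high range in 1..65535;
  3. "--state ESTABLISHED" below a chain-wide "--state ESTABLISHED,RELATED -j ACCEPT".
"""
import re
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

# Constructed sample: trimmed from post #3, range rules enabled, plus a reversed
# range (line 12) and a rule appended after the final REJECT (line 14).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Allow JMX engine monitoring
-A INPUT -p tcp -m state -m tcp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state -m udp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
# constructed mistakes
-A INPUT -p tcp -m tcp --dport 10804:10498 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter_table(text):
    """Yield (chain, tokens, lineno) for each active -A rule inside *filter."""
    in_filter = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):              # table header: *filter, *nat, *mangle
            in_filter = line == "*filter"
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)        # shlex keeps quoted --log-prefix values intact
            yield tokens[1], tokens, lineno
        # ':CHAIN POLICY', COMMIT and '#' comment lines carry no rules

def option(tokens, name):
    """Value following option `name`, or None if it is absent."""
    try:
        return tokens[tokens.index(name) + 1]
    except (ValueError, IndexError):
        return None

def is_catch_all(tokens):
    """True for '-A CHAIN -j TARGET' with no match criteria (REJECT may carry --reject-with)."""
    target = option(tokens, "-j")
    if target not in TERMINAL_TARGETS:
        return False
    rest = [t for t in tokens if t not in ("-A", tokens[1], "-j", target)]
    if target == "REJECT" and rest[:1] == ["--reject-with"]:
        rest = rest[2:]
    return not rest

def bad_port_spec(spec):
    """Error message if `spec` is not a valid port or low:high range, else None."""
    m = PORT_RE.match(spec)
    if not m:
        return "port spec %r is not N or N:M" % spec
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        return "port outside 1..65535 in %r" % spec
    if lo > hi:
        return "range %r is reversed; iptables wants low:high" % spec
    return None

def lint(text):
    """Return [(lineno, message), ...] for the three problems listed in the docstring."""
    findings = []
    catch_all_at = {}        # chain -> line of the catch-all that ends it
    established_ok = set()   # chains already accepting ESTABLISHED,RELATED for everything
    for chain, tokens, lineno in parse_filter_table(text):
        if chain in catch_all_at:
            findings.append((lineno, "unreachable: after catch-all on line %d" % catch_all_at[chain]))
            continue
        for opt in ("--dport", "--sport"):
            spec = option(tokens, opt)
            err = bad_port_spec(spec) if spec is not None else None
            if err:
                findings.append((lineno, err))
        state = option(tokens, "--state")
        states = set(state.split(",")) if state else set()
        extras = [t for t in tokens
                  if t not in ("-A", chain, "-m", "state", "--state", state, "-j", "ACCEPT")]
        if states == {"ESTABLISHED", "RELATED"} and not extras:
            established_ok.add(chain)
        elif "ESTABLISHED" in states and chain in established_ok:
            findings.append((lineno, "ESTABLISHED is redundant: already accepted chain-wide"))
        if is_catch_all(tokens):
            catch_all_at[chain] = lineno
    return findings

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```

Run it on the real file with `lint(open("/etc/sysconfig/iptables").read())`, or on `iptables-save` output to check what is actually live. On the OP's file the only hits are the two redundant ESTABLISHED states; the order is fine, which is consistent with the rule being functionally correct as posted.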
 
12-04-2012, 08:55 AM   #5
Simkill (Original Poster)
Thanks for your help. I was just being careful, that's all. I didn't see the point of leaving in settings that didn't work, as I might have forgotten it didn't work when I came back to it later! I'll restart iptables later tonight with the established removed and see if it makes any difference. Thanks.
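The worry in #3 about restarting iptables on a production box is legitimate: on RHEL 6, `service iptables restart` runs the stop action (flush, policies back to ACCEPT) before loading /etc/sysconfig/iptables through iptables-restore, so a typo in the file can leave the server wide open, and a rule mistake can lock you out of SSH. The script below is an added example, not code from the thread or from the iptables project, showing the snapshot-load-confirm-or-rollback pattern that tools such as iptables-apply use: save the live rules with iptables-save, load the candidate file with iptables-restore, and restore the snapshot unless the operator confirms within a timeout. The `run` parameter and the `confirm` callable are my own assumptions for illustration so that the control flow can be exercised without root.

```python
"""Load a new iptables rulebase with automatic rollback (added example, not from the thread).

Snapshot the live rules (iptables-save), load the candidate (iptables-restore),
then require confirmation within a timeout; no confirmation, typically because
the new rules cut off the operator's own SSH session, restores the snapshot.
"""
import select
import subprocess
import sys

def default_run(argv, stdin_text=None):
    """Execute argv with stdin_text on stdin; return (exit_code, stdout). Needs root for real use."""
    p = subprocess.run(argv, input=stdin_text, capture_output=True, text=True)
    return p.returncode, p.stdout

def confirm_on_stdin(timeout):
    """True only if the operator presses Enter (or y) within `timeout` seconds."""
    print("New rules are live. Open a NEW ssh session to verify, then press Enter to keep "
          "them; rolling back in %d s otherwise." % timeout)
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    return bool(ready) and sys.stdin.readline().strip().lower() in ("", "y", "yes")

def apply_with_rollback(new_rules, confirm, run=default_run):
    """Load new_rules (iptables-save format); keep them only if confirm() returns True.

    Returns 'kept', 'rolled-back' or 'restore-failed'. An exception raised by
    confirm() also triggers the rollback before it propagates.
    """
    rc, backup = run(["iptables-save"])
    if rc != 0 or not backup.strip():
        raise RuntimeError("iptables-save failed; refusing to touch the live rules")
    rc, _ = run(["iptables-restore"], new_rules)
    if rc != 0:
        # iptables-restore does not commit a table whose rules fail to parse,
        # so a syntax error in the candidate leaves the old rules in place.
        return "restore-failed"
    ok = False
    try:
        ok = bool(confirm())
    finally:
        if not ok:
            run(["iptables-restore"], backup)
    return "kept" if ok else "rolled-back"

if __name__ == "__main__":
    # Usage on the RHEL 6 box from the thread (as root):
    #   python apply_rules.py /etc/sysconfig/iptables
    # Once the rules are confirmed, "service iptables save" persists what is live.
    with open(sys.argv[1]) as f:
        candidate = f.read()
    print(apply_with_rollback(candidate, lambda: confirm_on_stdin(60)))
```

The confirmation step is the whole point: verify from a second, fresh SSH session (and, for the OP's case, from the JMX client on ports 10498:10804) rather than from the session that ran the script, because an already established session keeps working through the ESTABLISHED,RELATED rule even when new connections are blocked.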
 