Hi there! I'm no linux pro, and I have a problem with my IP tables. I am trying to open a couple of port ranges and it isn't working for whatever reason. The current code is:

-A INPUT -p udp -m state -m udp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT


Neither line seems to do what I want it to do. What have I done wrong? I can't seem to tell.

Thanks for your help!

well you've not said what you want it to do really... They look like they might be "correct" but you may hae added them after a final DROP line on the rulebase? Context would be handy, "iptables -vnL" would show that. Moreover that though, you'll need to save them in a rulebase, and I'd do that by editing /etc/sysconfig/iptables directly anyway, so the context and layout of rules in there should be very simple to understand (presuming your unnamed distro uses that file)

Sorry, I should have been more specific! I'm running RHEL 6.2. It's actually Oracle Linux 6.2 but it's basically the same thing, so I understand. The line is amongst other lines that do work and was added directly to iptables using vi. The config doesn't show when running iptables -vnL as it is currently hashed out as it didnt work during testing. The server is a production server and I don't want to disrupt anything by unhashing it and restarting iptables during the day. Whether the worry of taking down the servers firewall is warranted or not, I don't know.

I was wondering if there was anything obviously wrong with it before I start playing too much. I had copied the previous entries and added it as a range instead of a single port and wanted to accept established connections as well as new ones. The format may not be correct for port ranges. I don't know as I have found a couple of conflicting views on configuring port ranges in iptables.

Here's the complete file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Allow daytime response
-A INPUT -p tcp -m state -m tcp --dport 13 --state NEW -j ACCEPT
# Allow ftp data
-A INPUT -p tcp -m state -m tcp --dport 20 --state NEW -j ACCEPT
# Allow SSH
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Allow http
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
# Allow Samba NetBios Name Resolution
-A INPUT -p tcp -m state -m tcp --dport 137 --state NEW -j ACCEPT
# Allow Samba NetBios Datagrams
-A INPUT -p tcp -m state -m tcp --dport 138 --state NEW -j ACCEPT
# Allow Samba NetBios Sessions
-A INPUT -p tcp -m state -m tcp --dport 139 --state NEW -j ACCEPT
# Allow snmp
-A INPUT -p udp -m state -m udp --dport 161 --state NEW -j ACCEPT
# Allow https
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
# Allow Samba Microsoft Directory Services
-A INPUT -p tcp -m state -m tcp --dport 445 --state NEW -j ACCEPT
# Allow Oracle SQL-Net
-A INPUT -p tcp -m state -m tcp --dport 1521 --state NEW -j ACCEPT
# Allow Tomcat
-A INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT
# Allow Tomcat
-A INPUT -p tcp -m state -m tcp --dport 8081 --state NEW -j ACCEPT
# Allow BackupExec Agent
-A INPUT -p tcp -m state -m tcp --dport 6103 --state NEW -j ACCEPT
# Allow BackupExec Agent
-A INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
# Allow Webmin
-A INPUT -p tcp -m state -m tcp --dport 11000 --state NEW -j ACCEPT
# This rule overlaps the Webmin rule - unknown why there is a port range
# -A INPUT -p tcp -m state -m tcp --dport 11000:11010 -j ACCEPT
# Allow ERS Server
-A INPUT -p tcp -m state -m tcp --dport 10348 --state NEW -j ACCEPT
# Allow JMX engine monitoring
#-A INPUT -p tcp -m state -m tcp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p udp -m state -m udp --dport 10498:10804 --state NEW,ESTABLISHED -j ACCEPT
# Allow Usermin
-A INPUT -p tcp -m state -m tcp --dport 20000 --state NEW -j ACCEPT
# Allow BackupExec Server
-A INPUT -s 172.16.150.42 -j ACCEPT
# Log all traffic that reached here - this would normally get dropped
# -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# # Allow all traffic - IH, EDWT, 24-July-2012 - Issues with IPTables not matching rules
# -A INPUT -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

well it looks just fine there, did you ever see it in the iptables output? Why is it hashed out? Surely if it wasn't working, then it's only not allowing, like it's also not allowing if hashed out... just being careful, or am I missing something that might be relevant?

I'd drop the established bit though, that's irrelevant as you're matching existing connectiosn at the top already.

Thanks for your help. I was just being careful, that's all. I didn't see the point of leaving in settings that didn't work, as I might have forgotten it didn't work when I came back to it later! I'll restart iptables later tonight with the established removed and see if it makes any difference. Thanks.