LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 04-08-2010, 08:43 PM   #1
rfreiberger
Member
 
Registered: Jul 2009
Location: Union City, CA, USA
Distribution: FreeBSD, Mint, CentOS
Posts: 35

Rep: Reputation: 16
Servers on same subnet, same iptables, but can not access Webmin on one


Got this strange problem and not sure what's causing it.

Two servers, one is RHEL 4, and the other is RHEL 5. They are both on the same subnet, one is 10 the other is 11. I added the Webmin rule to the iptables config file but for some reason, the RHEL 4 server, I can access Webmin but the RHEL 5 server I can not. I checked the iptables file and they are the same for both servers, except two rules which are for other ports.

Server 2, when iptables is enabled, can not access Webmin port 10000

> cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 5666 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

Server 1, when iptables is enabled, can access Webmin port 10000

> cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 5666 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

I'm reading about the iptables and had a problem when I manually added the port 10000 entry after the REJECT entry, but wondering if I need to move it up higher or maybe there's another possible block?

Thanks,
Rob
 
Old 04-08-2010, 09:06 PM   #2
Awatto
Member
 
Registered: Aug 2003
Location: Halifax, NS
Distribution: Debian, Gentoo, Ubuntu, Fedora
Posts: 128

Rep: Reputation: 30
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1000 -j ACCEPT

^^ Could this be your problem in the first configuration?
 
Old 04-08-2010, 09:14 PM   #3
rfreiberger
Member
 
Registered: Jul 2009
Location: Union City, CA, USA
Distribution: FreeBSD, Mint, CentOS
Posts: 35

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by Awatto View Post
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1000 -j ACCEPT

^^ Could this be your problem in the first configuration?
I can't believe I missed that. I even printed out the configs on paper and looked them over.

Thanks for a second set of eyes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can't communicate with servers on same subnet CarlKB Linux - Networking 3 04-20-2009 11:28 AM
iptables: local proFTPd server and remote FTP servers access jordib Linux - Networking 2 05-04-2008 03:46 PM
OpenVPN-client connects,cant see servers subnet andbn Linux - Networking 0 10-29-2007 01:24 PM
using iptables to ban a subnet? Sm0k3 Linux - Networking 4 01-24-2004 04:25 PM
nslookup returns local ip when resolving another servers fqdn on same subnet nodrogx Linux - Networking 3 10-28-2003 03:12 PM


All times are GMT -5. The time now is 08:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration