[SOLVED] Strange problem with Iptables

smilemukul · 09-17-2010, 02:16 AM

I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:n fs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s sh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:n etbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:n etbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:n etbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:m icrosoft-ds
REJECT all -- anywhere anywhere reject-with icmp-ho st-prohibited

[root@myhome ~]# iptables -F
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

[root@myhome ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Configuration of /etc/sysconfig/iptables:---

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Any help will be appreciated.

Thanks

linuxlover.chaitanya · 09-17-2010, 02:29 AM

Flushing the iptables temporarily disables the firewall. And if the rules are saved in the file, then upon restarting the firewall the old rules will take effect. If you want to flush the rules, then save the flushed rules.

sem007 · 09-17-2010, 02:42 AM

if you want to flush IPTABLES rules permanently save iptables after flush.

Code:

#iptables -F
# service iptables save
# service iptables restart

Regards,

prayag_pjs · 09-17-2010, 02:56 AM

use lokkit to disable if using redhat version
u can also use system-config-firewall and disable firewall
also do as mentioned by others use
iptables -F
/etc/init.d/iptables save
/etc/init.d/iptables restart

smilemukul · 09-24-2010, 01:08 AM

Thanks friends my problem is solved.

Also why file /etc/sysconfig/iptables-save or iptables-save command is used as shown,

[root@myhome ~]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Sep 6 12:34:01 2010
*filter
:INPUT ACCEPT [2233:159918]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1632:182507]
:RH-Firewall-1-INPUT - [0:0]
COMMIT

Thanks

linuxlover.chaitanya · 09-24-2010, 01:31 AM

The command is used to save the current iptables configuration to a file so that it can be restored if system is rebooted.

linuxlover.chaitanya · 09-24-2010, 01:31 AM

Please mark the thread as solved.