LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-17-2010, 03:16 AM   #1
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Rep: Reputation: 34
Strange problem with Iptables


I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:n fs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s sh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:n etbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:n etbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:n etbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:m icrosoft-ds
REJECT all -- anywhere anywhere reject-with icmp-ho st-prohibited

[root@myhome ~]# iptables -F
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

[root@myhome ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Configuration of /etc/sysconfig/iptables:---

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Any help will be appreciated.

Thanks
 
Old 09-17-2010, 03:29 AM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Flushing the iptables temporarily disables the firewall. And if the rules are saved in the file, then upon restarting the firewall the old rules will take effect. If you want to flush the rules, then save the flushed rules.
 
Old 09-17-2010, 03:42 AM   #3
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
if you want to flush IPTABLES rules permanently save iptables after flush.

Code:
#iptables -F
# service iptables save
# service iptables restart
Regards,
 
1 members found this post helpful.
Old 09-17-2010, 03:56 AM   #4
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Thumbs up

use lokkit to disable if using redhat version
u can also use system-config-firewall and disable firewall
also do as mentioned by others use
iptables -F
/etc/init.d/iptables save
/etc/init.d/iptables restart
 
Old 09-24-2010, 02:08 AM   #5
smilemukul
Member
 
Registered: Jun 2009
Distribution: Redhat,CentOS,Ubuntu,Puppet
Posts: 292

Original Poster
Rep: Reputation: 34
Thanks friends my problem is solved.

Also why file /etc/sysconfig/iptables-save or iptables-save command is used as shown,

[root@myhome ~]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Sep 6 12:34:01 2010
*filter
:INPUT ACCEPT [2233:159918]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1632:182507]
:RH-Firewall-1-INPUT - [0:0]
COMMIT


Thanks
 
Old 09-24-2010, 02:31 AM   #6
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
The command is used to save the current iptables configuration to a file so that it can be restored if system is rebooted.
 
Old 09-24-2010, 02:31 AM   #7
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Please mark the thread as solved.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables and NAT strange problem shukalo83 Linux - Networking 3 02-08-2012 06:06 AM
Strange IPTables or Perhaps its not IPtables problem? helptonewbie Linux - Security 4 01-28-2009 08:54 AM
strange x server problem with my iptables def. Metaloid Linux - Networking 3 07-15-2004 03:31 PM
Strange problem about iptables DNAT. zufeng Linux - Networking 1 06-28-2003 12:09 PM
Strange iptables firewall problem. Bomber Linux - Security 5 01-15-2002 07:33 PM


All times are GMT -5. The time now is 08:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration