LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-11-2013, 07:09 AM   #1
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

during system startup, iptables rules not loaded from /etc/sysconfig/iptables


Hi,
I have a new question regarding iptables. I have a host system which is Red Hat Enterprise Linux 6.4, and I also have KVM installed. I have an issue with ping from KVM to the outside network, and I find it somehow relates to iptables on the host side. Whenever the host Linux reboots, I have to manually use the command "service iptables restart" to flush the rules and load them from /etc/sysconfig/iptables; after that I can then ping the outside network from KVM.

Right after a Linux reboot, the command "iptables -L" shows:

... snip ....
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.123.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

...snip ...

Looking at /etc/sysconfig/iptables, it shows:

# Enable forward between KVM server and virtual machines
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable

So after "service iptables restart", the contents of /etc/sysconfig/iptables are unchanged and match the "iptables -L" output:

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.123.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

How do I find out which script adds the rules that are not in /etc/sysconfig/iptables?

Thanks,
Dan
 
Old 04-12-2013, 07:00 AM   #2
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
I made some progress: right after the system startup, I used "iptables -L -v --line

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
3 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
4 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
6 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
7 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
8 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
9 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
10 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
11 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
12 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
13 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
14 0 0 ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
15 0 0 ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
16 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
17 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
18 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable

Lines 6, 7, 8 are wrong; they should be like 14, 15, 16, 17. After the iptables restart, the rules on the FORWARD chain:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
3 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
4 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
6 155 27917 ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
7 242 55532 ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
8 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
9 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
10 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable

Questions:
1. Why duplicate rules?
2. In the FORWARD chain before the iptables restart, why are two lines missing before line 6? There should be two lines like this:

ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
3. Can I add some debug code somewhere to trace the problem?
 
Old 04-12-2013, 11:32 PM   #3
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Found the problem: when I used Virtual Machine Manager to define the network, I chose an ISOLATED network. Of course it didn't work, because libvirtd applied ISOLATED rules in iptables. After the iptables restart, only the default rules are left and the pings go through. What a silly mistake.
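An added example, not code from the thread, that checks a FORWARD chain for the three things asked about above: rules absent from /etc/sysconfig/iptables (post #1), duplicated rules (post #2, question 1), and a bridge whose subnet ACCEPT is shadowed by an earlier unconditional REJECT, which is what the ISOLATED network rules found in post #3 produce once the full NAT set is appended after them. It reads rules in `iptables -S FORWARD` form (the same format as the sysconfig file) and uses a constructed sample modelled on the thread's post-boot chain instead of the live one.

```python
# Added example (not from the thread): check a FORWARD chain given in
# `iptables -S FORWARD` / iptables-save form for the symptoms discussed above.
from collections import Counter
import re


def nat_rules(bridge, subnet):
    """The five FORWARD rules libvirt installs for a NAT-mode network."""
    return [
        f"-A FORWARD -d {subnet} -o {bridge} -m state --state RELATED,ESTABLISHED -j ACCEPT",
        f"-A FORWARD -s {subnet} -i {bridge} -j ACCEPT",
        f"-A FORWARD -i {bridge} -o {bridge} -j ACCEPT",
        f"-A FORWARD -o {bridge} -j REJECT --reject-with icmp-port-unreachable",
        f"-A FORWARD -i {bridge} -j REJECT --reject-with icmp-port-unreachable",
    ]


# Constructed sample modelled on the thread's post-boot chain: virbr0's set
# appears twice and virbr1 first appears as an ISOLATED network (only the last
# three rules, no subnet ACCEPTs; the "x" subnet is sliced away), then again
# as a full NAT set when the saved file is loaded on top.
SAVED = nat_rules("virbr0", "192.168.122.0/24") + nat_rules("virbr1", "192.168.123.0/24")
LIVE = nat_rules("virbr0", "192.168.122.0/24") + nat_rules("virbr1", "x")[2:] + SAVED


def extra_rules(live, saved):
    """Rules in the live chain that the saved file does not contain."""
    saved_set = set(saved)
    return [r for r in live if r not in saved_set]


def duplicate_rules(live):
    """Rules that occur more than once (the thread's question 1)."""
    return sorted(r for r, n in Counter(live).items() if n > 1)


def shadowed_bridges(live):
    """Bridges whose '-s <subnet> -i <br> -j ACCEPT' sits after an
    unconditional '-i <br> -j REJECT'. iptables stops at the first match,
    so guests on that bridge are rejected before their ACCEPT is reached."""
    first_reject, first_accept = {}, {}
    for idx, rule in enumerate(live):
        if m := re.fullmatch(r"-A FORWARD -i (\S+) -j REJECT .*", rule):
            first_reject.setdefault(m.group(1), idx)
        if m := re.fullmatch(r"-A FORWARD -s \S+ -i (\S+) -j ACCEPT", rule):
            first_accept.setdefault(m.group(1), idx)
    return sorted(br for br, rj in first_reject.items()
                  if first_accept.get(br, len(live)) > rj)
```

On the sample, extra_rules() is empty (the isolated rules are a subset of the saved ones, so a plain set comparison does not expose the problem), duplicate_rules() lists eight rules, and shadowed_bridges() names virbr1; on the real host, feed in `iptables -S FORWARD` output (or the FORWARD lines of `iptables-save`) and the -A FORWARD lines of /etc/sysconfig/iptables in place of the constructed lists.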
 
Old 04-13-2013, 02:09 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

WD fixing it yourself!