LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-04-2011, 05:07 AM   #1
mahesh.salunkhe
LQ Newbie
 
Registered: Aug 2011
Posts: 19

Rep: Reputation: Disabled
firewall script not getting effective


Hello all,
I have a simple firewall script which runs well on one node (RHEL5) but fails on the server (RHEL5) machine (not allowing the connections).
On both the machines SELinux is disabled.
Is there any other security setting to be set/unset?

The script goes like:

Code:
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# MultiPorts (Allow incoming ssh,ftp, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,21,80,443 -m state --state ESTABLISHED -j ACCEPT
 
Old 08-04-2011, 10:04 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Maybe add a LOG rule to the end of both chains and show us what entries are generated when failure occurs? AFAICT, the only service which should fail with those rules is FTP. BTW, I'd recommend adding a rule for packets in state RELATED to each of those chains.
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
 
Old 08-04-2011, 10:43 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Also, is that your entire ruleset? I'd at least add:
Code:
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
Old 08-05-2011, 06:59 AM   #4
mahesh.salunkhe
LQ Newbie
 
Registered: Aug 2011
Posts: 19

Original Poster
Rep: Reputation: Disabled
Thank you both for replying.
This is the script being run:

Code:
iptables -F

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# MultiPorts (Allow incoming ssh,ftp, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,21,80,443 -m state --state ESTABLISHED -j ACCEPT

# MultiPorts (Allow outgoing ssh,ftp, HTTP, and HTTPS 3128 for squid)
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 22,21,80,443,3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sports 22,21,80,443,3128 -m state --state ESTABLISHED -j ACCEPT

# allow data transfer from remote ftp server
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# allow data transfer to local ftp server
iptables -A OUTPUT -o eth0 -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# allow incoming loopback connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# allow incoming ping connections
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# allow outgoing ping connections
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT


#Log the dropped packets
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

When it is run on a node (say node1) it runs fine. But when the same script is run on the server, it doesn't work (only ping works, in/out both).

Log generated when an incoming http req is tried on the server (172.32.0.250) is:

Code:
...
Aug 5 17:49:09 localhost kernel: INPUT DROP: IN=eth1 OUT= MAC=00:09:6b:7f:4e:6e:00:1d:09:19:27:59:08:00 SRC=172.32.0.101 DST=172.32.0.250 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53407 DF PROTO=TCP SPT=17153 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 5 17:49:21 localhost kernel: INPUT DROP: IN=eth1 OUT= MAC=00:09:6b:7f:4e:6e:00:1d:09:19:27:59:08:00 SRC=172.32.0.101 DST=172.32.0.250 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53408 DF PROTO=TCP SPT=17153 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 5 17:49:45 localhost kernel: INPUT DROP: IN=eth1 OUT= MAC=00:09:6b:7f:4e:6e:00:1d:09:19:27:59:08:00 SRC=172.32.0.101 DST=172.32.0.250 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53409 DF PROTO=TCP SPT=17153 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

What could be the reason?

Last edited by mahesh.salunkhe; 08-05-2011 at 07:25 AM.
 
Old 08-05-2011, 09:28 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by mahesh.salunkhe
IN=eth1
It's the interface name.

The rules explicitly state eth0, not eth1 (so the packets don't match the rules).
 
2 members found this post helpful.
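
A small check, added here as an example and not something posted in the thread, that reads kernel LOG lines in the format shown in post #4 and flags every packet whose IN= (for INPUT drops) or OUT= (for OUTPUT drops) interface is not the interface the rules were written for. That is exactly the mismatch win32sux spotted by eye above. The sample lines are constructed to mirror the posted excerpt (same addresses and ports, made-up MACs, IDs and source ports); the function names log_field, check_log_iface and sample_log are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the interface named in each
# iptables LOG line with the interface the ruleset uses (-i eth0 / -o eth0 in
# the original script) and report every packet that could never have matched.

# Extract field $1 (e.g. IN, OUT, SRC, DPT) from LOG line $2; empty if absent.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Read LOG lines on stdin, print one verdict per line, return 1 if any
# packet was seen on an interface other than $1 (the one the rules name).
check_log_iface() {
    expected="$1"
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"INPUT DROP: "*)  seen=$(log_field IN "$line") ;;
            *"OUTPUT DROP: "*) seen=$(log_field OUT "$line") ;;
            *) continue ;;   # not one of the firewall's own LOG entries
        esac
        src=$(log_field SRC "$line")
        dst=$(log_field DST "$line")
        proto=$(log_field PROTO "$line")
        dpt=$(log_field DPT "$line")
        if [ "$seen" = "$expected" ]; then
            printf 'ok        %s %s -> %s:%s on %s\n' "$proto" "$src" "$dst" "$dpt" "$seen"
        else
            printf 'MISMATCH  %s %s -> %s:%s seen on %s, rules are written for %s\n' \
                "$proto" "$src" "$dst" "$dpt" "$seen" "$expected"
            status=1
        fi
    done
    return $status
}

# Constructed sample: two INPUT drops and one OUTPUT drop on eth1, plus an
# unrelated kernel line that must be ignored. Format copied from the thread.
sample_log() {
    cat <<'EOF'
Aug 5 17:49:09 localhost kernel: INPUT DROP: IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=172.32.0.101 DST=172.32.0.250 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 5 17:49:30 localhost kernel: INPUT DROP: IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=172.32.0.101 DST=172.32.0.250 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 5 17:49:31 localhost kernel: eth1: link is up
Aug 5 17:50:02 localhost kernel: OUTPUT DROP: IN= OUT=eth1 SRC=172.32.0.250 DST=172.32.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40500 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Demo on the constructed lines: the thread's rules name eth0.
sample_log | check_log_iface eth0 \
    || echo "=> some logged packets hit an interface the rules do not cover" >&2
```

Sourced into a shell on the box itself, `grep 'DROP: ' /var/log/messages | check_log_iface eth0` runs the same check over the real log (kernel messages land in /var/log/messages on a default RHEL5 install). The check is deliberately limited to the interface field; a packet that is on the right interface but still dropped needs the port and state columns looked at next.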
Old 08-06-2011, 12:09 PM   #6
mahesh.salunkhe
LQ Newbie
 
Registered: Aug 2011
Posts: 19

Original Poster
Rep: Reputation: Disabled

Thank you very much!
And am really very sorry, just forgot that!

Last edited by mahesh.salunkhe; 08-06-2011 at 12:14 PM.
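
Pulling the three replies together (the LOG rules and RELATED state from post #2, the loopback and RELATED,ESTABLISHED rules from post #3, the interface name from post #5), here is the ruleset rebuilt as an added example; it is not the original poster's script and not anything from the thread. The interface is a parameter that is checked against the interfaces the kernel actually has before anything is applied, and with no argument it is guessed from the default route. The original port-20 rules are dropped in favour of RELATED, which only covers the ftp data channel when the ftp connection-tracking helper module is loaded (ip_conntrack_ftp or nf_conntrack_ftp, depending on the kernel). The function names, the FW_APPLY switch and the use of /sys/class/net are this example's own choices.

```shell
#!/bin/sh
# Added example, not the thread's script: the ruleset with the replies'
# advice folded in and the interface taken as a checked parameter instead
# of being hard-coded (the thread's failure was -i eth0 on a host whose
# traffic arrived on eth1). Nothing is applied unless FW_APPLY=1.

# Interface names the kernel knows about, one per line (/sys assumed mounted).
list_ifaces() {
    for d in /sys/class/net/*; do
        [ -e "$d" ] && printf '%s\n' "${d##*/}"
    done
}

# Exit 0 if $1 is an existing interface name.
iface_exists() {
    list_ifaces | grep -qx -- "$1"
}

# Print the ruleset for interface $1 as iptables commands, one per line.
build_rules() {
    IF="$1"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback and replies to already-accepted traffic first (posts #2 and #3)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# new incoming ssh, ftp, http, https; ftp data is RELATED when the ftp helper is loaded
iptables -A INPUT -i $IF -p tcp -m multiport --dports 22,21,80,443 -m state --state NEW -j ACCEPT
# new outgoing ssh, ftp, http, https and squid
iptables -A OUTPUT -o $IF -p tcp -m multiport --dports 22,21,80,443,3128 -m state --state NEW -j ACCEPT
# ping both ways; echo replies are ESTABLISHED to conntrack, so no reply rules needed
iptables -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT
# log whatever falls through to the DROP policies
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
EOF
}

# Interface to use: the argument if given, else the one carrying the default route.
pick_iface() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        ip -o route show default 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
    fi
}

main() {
    IF=$(pick_iface "$1")
    if [ -z "$IF" ]; then
        echo "usage: $0 <interface>   (no default route found to guess from)" >&2
        return 2
    fi
    if ! iface_exists "$IF"; then
        echo "error: no interface '$IF' on this host; known: $(list_ifaces | tr '\n' ' ')" >&2
        return 1
    fi
    if [ "${FW_APPLY:-0}" = 1 ]; then
        build_rules "$IF" | sh -e        # apply, stopping at the first failing command
    else
        echo "# dry run for $IF (set FW_APPLY=1 to apply)"
        build_rules "$IF"
    fi
}

main "$@" || echo "# nothing applied (exit $?)" >&2
```

Run as `./fw.sh eth1` to see the rules that would be loaded, and `FW_APPLY=1 ./fw.sh eth1` as root to load them. Because the interface check happens before the flush, a typo in the interface name fails loudly instead of leaving the host with DROP policies and no matching ACCEPT rules, which is the state the server in this thread was in.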
 
  

