HTTP Access Blocked After iptables Update
I'm new here and I really don't know if I'm posting in the right place or if I should post it to the Software section, but here it goes...
Today I updated various things in my production server, one of them was
iptables (via yum)
I'm running CentOS 5.
1) After the update I was not able to access any site hosted on my server.
2) I try to stop iptables and than I gain access again.
3) Than I've started iptables and no access again.
4) I rebooted my server.
5) After the reboot I verify if iptables was active, it was and all my sites
6) I've restarted iptables.
7) All sites went down again.
8) Rebooted my server and sites were accessible.
9) iptables was also running
Basically the problem is, if I restart iptables, I have to reboot my server
because my sites become offline.
So, what can be the problem here? Any ideas?
Help is highly appreciated!!!!
Many thanks in advance.
Can you post your iptables here so we can see them? Obfuscate any IP addresses or confidential data you feel you must protect, but we can't help you debug your iptables if we can't see them.
Hi, thank you for your reply.
Want me to post # iptables -L -n result?
Sorry, I'm kind of newbie on iptables.
One more thing, I don't know if is useful but I've also updated kernel, may be related to it?
Thank you Jim.
I've upload it as attachment since is too long to paste it here.
OK, this is just a guess...
Your IPTABLE contains non-standard targets. Standard targets are ACCEPT, DROP, QUEUE, and RETURN. Your IPTABLE contains IN-SANITY, TMP_DROP, TALLOW, TDENY, TGALLOW, TGDENY, PHP, DSHIELD, SDROP, FRAG_UDP, and others, all of which appear to be set by Advanced Policy Firewall.
So the first thing I'd do is check to see if updating your server broke APF. Since APF introduces those non-standard targets, I'd assume your upgrade included an upgrade to iptable, which could have overwritten the changes introduced by APF.
If that's the case, re-installing APF may fix it.
Hello Jim Bengtson!
Thank you very much for you reply.
I've tested APF and it seems to be running fine.
However my guess (and based on your help) is that since I'm not saving iptables before I restart it (service iptables restart), when it starts all those settings introduced by APF are gone.
At boot, APF must send the correct settings to iptables.
This comes to my mind after I checked the iptables file
here is an exert of the configuration:
I've just notice that the above settings are overide by iptables-config file, but I took a look at it and it has basicly the same settings, here it is:
Again, many thanks in advance for your help.
PS: I've deleted the iptables.txt attachment since you look at it already.
Looks to me like you've found your answer. If you agree, mark this thread as "Solved".
Yes, I'll mark it as solved.
However I would like to specify that my last advise on this is that, if you have APF, use APF, don't bother with iptables, APF will handle it just fine.
At the end, I haven't change anything in my iptables configurations, I can start and stop APF with no issues and that's what matters.
Thank you for your help Jim Bengtson.
|All times are GMT -5. The time now is 12:49 AM.|