[SOLVED] HTTP Access Blocked After iptables Update

IceBurn · 11-03-2009, 04:42 PM

Hello all!

I'm new here and I really don't know if I'm posting in the right place or if I should post it to the Software section, but here it goes...

Today I updated various things in my production server, one of them was
iptables (via yum)

I'm running CentOS 5.

1) After the update I was not able to access any site hosted on my server.

2) I try to stop iptables and than I gain access again.

3) Than I've started iptables and no access again.

4) I rebooted my server.

5) After the reboot I verify if iptables was active, it was and all my sites
were accesible.

6) I've restarted iptables.

7) All sites went down again.

8) Rebooted my server and sites were accessible.

9) iptables was also running

Basically the problem is, if I restart iptables, I have to reboot my server
because my sites become offline.

So, what can be the problem here? Any ideas?

Help is highly appreciated!!!!

Many thanks in advance.

Jim Bengtson · 11-03-2009, 04:45 PM

Can you post your iptables here so we can see them? Obfuscate any IP addresses or confidential data you feel you must protect, but we can't help you debug your iptables if we can't see them.

IceBurn · 11-03-2009, 05:04 PM

Hi, thank you for your reply.

Want me to post # iptables -L -n result?

Sorry, I'm kind of newbie on iptables.

One more thing, I don't know if is useful but I've also updated kernel, may be related to it?

Jim Bengtson · 11-03-2009, 05:14 PM

Quote:

Want me to post # iptables -L -n result?

Yes, that will do. Since this is a public forum, make sure to remove anything (IP addresses...) that you don't want the world to know about.

IceBurn · 11-03-2009, 05:38 PM

Thank you Jim.

I've upload it as attachment since is too long to paste it here.

Jim Bengtson · 11-04-2009, 02:14 PM

OK, this is just a guess...

Your IPTABLE contains non-standard targets. Standard targets are ACCEPT, DROP, QUEUE, and RETURN. Your IPTABLE contains IN-SANITY, TMP_DROP, TALLOW, TDENY, TGALLOW, TGDENY, PHP, DSHIELD, SDROP, FRAG_UDP, and others, all of which appear to be set by Advanced Policy Firewall.

So the first thing I'd do is check to see if updating your server broke APF. Since APF introduces those non-standard targets, I'd assume your upgrade included an upgrade to iptable, which could have overwritten the changes introduced by APF.

If that's the case, re-installing APF may fix it.

Jim Bengtson · 11-04-2009, 02:51 PM

Quote:

4) I rebooted my server.

5) After the reboot I verify if iptables was active, it was and all my sites
were accesible.

6) I've restarted iptables.

7) All sites went down again.

That suggests that perhaps there's something that runs at startup...perhaps something that starts the APF firewall...that is not running later when you turn iptables off and then back on again. You might want to check that before you reinstall APF.

IceBurn · 11-04-2009, 09:54 PM

Hello Jim Bengtson!

Thank you very much for you reply.

I've tested APF and it seems to be running fine.

However my guess (and based on your help) is that since I'm not saving iptables before I restart it (service iptables restart), when it starts all those settings introduced by APF are gone.

At boot, APF must send the correct settings to iptables.

This comes to my mind after I checked the iptables file

/etc/init.d/iptables
here is an exert of the configuration:

Code:

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"

What do you think?

EDIT:

I've just notice that the above settings are overide by iptables-config file, but I took a look at it and it has basicly the same settings, here it is:

/etc/sysconfig/iptables-config

Code:

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"


# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

Again, many thanks in advance for your help.

PS: I've deleted the iptables.txt attachment since you look at it already.

Jim Bengtson · 11-05-2009, 09:31 AM

Looks to me like you've found your answer. If you agree, mark this thread as "Solved".

IceBurn · 11-05-2009, 03:59 PM

Yes, I'll mark it as solved.

However I would like to specify that my last advise on this is that, if you have APF, use APF, don't bother with iptables, APF will handle it just fine.

At the end, I haven't change anything in my iptables configurations, I can start and stop APF with no issues and that's what matters.

Thank you for your help Jim Bengtson.