Old 11-03-2009, 04:42 PM   #1
IceBurn
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Rep: Reputation: 0
HTTP Access Blocked After iptables Update


Hello all!

I'm new here and I really don't know if I'm posting in the right place or if I should post it to the Software section, but here it goes...

Today I updated various things in my production server, one of them was
iptables (via yum)

I'm running CentOS 5.

1) After the update I was not able to access any site hosted on my server.

2) I tried to stop iptables and then I gained access again.

3) Then I started iptables and there was no access again.

4) I rebooted my server.

5) After the reboot I verified that iptables was active; it was, and all my sites
were accessible.

6) I've restarted iptables.

7) All sites went down again.

8) Rebooted my server and sites were accessible.

9) iptables was also running

Basically the problem is, if I restart iptables, I have to reboot my server
because my sites become offline.

So, what can be the problem here? Any ideas?

Help is highly appreciated!!!!

Many thanks in advance.
 
Old 11-03-2009, 04:45 PM   #2
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Can you post your iptables here so we can see them? Obfuscate any IP addresses or confidential data you feel you must protect, but we can't help you debug your iptables if we can't see them.
 
Old 11-03-2009, 05:04 PM   #3
IceBurn
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Hi, thank you for your reply.

Want me to post # iptables -L -n result?

Sorry, I'm kind of newbie on iptables.

One more thing, I don't know if it is useful, but I've also updated the kernel; could it be related?
 
Old 11-03-2009, 05:14 PM   #4
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Want me to post # iptables -L -n result?
Yes, that will do. Since this is a public forum, make sure to remove anything (IP addresses...) that you don't want the world to know about.
 
Old 11-03-2009, 05:38 PM   #5
IceBurn
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Thank you Jim.

I've uploaded it as an attachment since it is too long to paste here.

Last edited by IceBurn; 11-04-2009 at 09:55 PM.
 
Old 11-04-2009, 02:14 PM   #6
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
OK, this is just a guess...

Your IPTABLE contains non-standard targets. Standard targets are ACCEPT, DROP, QUEUE, and RETURN. Your IPTABLE contains IN-SANITY, TMP_DROP, TALLOW, TDENY, TGALLOW, TGDENY, PHP, DSHIELD, SDROP, FRAG_UDP, and others, all of which appear to be set by Advanced Policy Firewall.

So the first thing I'd do is check to see if updating your server broke APF. Since APF introduces those non-standard targets, I'd assume your upgrade included an upgrade to iptables, which could have overwritten the changes introduced by APF.

If that's the case, re-installing APF may fix it.
 
Old 11-04-2009, 02:51 PM   #7
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
4) I rebooted my server.

5) After the reboot I verified that iptables was active; it was, and all my sites
were accessible.

6) I've restarted iptables.

7) All sites went down again.
That suggests that perhaps there's something that runs at startup...perhaps something that starts the APF firewall...that is not running later when you turn iptables off and then back on again. You might want to check that before you reinstall APF.
 
Old 11-04-2009, 09:54 PM   #8
IceBurn
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Hello Jim Bengtson!

Thank you very much for your reply.

I've tested APF and it seems to be running fine.

However my guess (and based on your help) is that since I'm not saving iptables before I restart it (service iptables restart), when it starts all those settings introduced by APF are gone.

At boot, APF must send the correct settings to iptables.

This came to my mind after I checked the iptables file

/etc/init.d/iptables
Here is an excerpt of the configuration:
Code:
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
What do you think?

EDIT:

I've just noticed that the above settings are overridden by the iptables-config file, but I took a look at it and it has basically the same settings; here it is:

/etc/sysconfig/iptables-config
Code:
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"


# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"


Again, many thanks in advance for your help.


PS: I've deleted the iptables.txt attachment since you looked at it already.

Last edited by IceBurn; 11-04-2009 at 10:06 PM.
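Both checks made by hand in this thread, Jim's spotting of APF's user-defined chains in the ruleset (post #6) and the IPTABLES_SAVE_ON_RESTART="no" setting quoted above, can be done mechanically. The script below is an added example written for this page; it is not code from the thread, from the CentOS iptables service or from APF. Its ruleset and config texts are constructed samples that reuse the chain names quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether `service iptables restart`
# would discard chains that a tool such as APF loaded at boot. It compares the
# user-defined chains in the live ruleset (iptables-save format) with the saved
# rules file and reads the save-on-restart knob from iptables-config.

# Constructed sample of the live ruleset, using APF-style chain names quoted in
# the thread. Not a real capture.
RUNNING_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN-SANITY - [0:0]
:TALLOW - [0:0]
:TDENY - [0:0]
-A INPUT -j IN-SANITY
-A INPUT -j TALLOW
-A INPUT -j TDENY
-A TALLOW -s 192.0.2.10/32 -j ACCEPT
-A TDENY -s 198.51.100.0/24 -j DROP
COMMIT'

# Constructed sample of /etc/sysconfig/iptables as the package leaves it:
# built-in chains only, so a restart restores nothing that APF added.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed excerpt of /etc/sysconfig/iptables-config, matching the values
# quoted in the thread.
IPTABLES_CONFIG='IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"'

# Print the user-defined chains from iptables-save text on stdin.
# Built-in chains carry a policy (ACCEPT/DROP); user-defined chains show "-".
user_chains() {
    awk '/^:/ && $2 == "-" { print substr($1, 2) }'
}

# Print chains present in the running ruleset ($1) but absent from the saved
# rules text ($2). These are exactly the chains a restart would drop.
chains_lost_on_restart() {
    running=$(printf '%s\n' "$1" | user_chains)
    for c in $running; do
        if ! printf '%s\n' "$2" | grep -q "^:$c "; then
            echo "$c"
        fi
    done
}

# Read one KEY="value" knob from iptables-config text on stdin; "no" if absent.
config_value() {
    awk -F= -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; found = 1 }
                          END { if (!found) print "no" }'
}

# Returns 0 when a restart is safe: either the service would save the live
# rules first, or the saved file already holds every running chain.
# Arguments: running ruleset, saved ruleset, iptables-config text.
restart_is_safe() {
    if [ "$(printf '%s\n' "$3" | config_value IPTABLES_SAVE_ON_RESTART)" = "yes" ]; then
        return 0
    fi
    [ -z "$(chains_lost_on_restart "$1" "$2")" ]
}

# Stand-alone run: report what a restart would discard on the sample data.
if restart_is_safe "$RUNNING_RULES" "$SAVED_RULES" "$IPTABLES_CONFIG"; then
    echo "service iptables restart would keep the current chains"
else
    echo "Chains that 'service iptables restart' would NOT restore:"
    chains_lost_on_restart "$RUNNING_RULES" "$SAVED_RULES"
fi
```

On a real host the same functions would be fed with `iptables-save`, `/etc/sysconfig/iptables` and `/etc/sysconfig/iptables-config` instead of the constructed strings. Note that setting IPTABLES_SAVE_ON_RESTART="yes" is a blunt fix: it would freeze whatever APF had loaded at that moment, including any temporary deny entries, into the saved file. The thread's resolution, restarting the firewall through APF rather than through the iptables service, avoids that.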
 
Old 11-05-2009, 09:31 AM   #9
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Looks to me like you've found your answer. If you agree, mark this thread as "Solved".
 
Old 11-05-2009, 03:59 PM   #10
IceBurn
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Yes, I'll mark it as solved.

However, I would like to specify that my last advice on this is that, if you have APF, use APF, don't bother with iptables, APF will handle it just fine.

In the end, I haven't changed anything in my iptables configuration; I can start and stop APF with no issues and that's what matters.

Thank you for your help Jim Bengtson.
 