how to unDROP ex-bogons in iptables
When I do iptables -L I see a lot of stuff. I was trying to find out where that stuff comes from so I could delete a line in the config, with no luck. This is a RH. I looked in /etc/rc.d/init.d; there is a script called iptables. It has a var in it which seems to be telling where there is an iptables config script, also some data. So I go where that points to, and sure enough there is the config script. But it is bogus: everything in it is commented out, and there is no data file where it says there should be one. So I'm not even sure this script is being called? HOW DO THESE THINGS GET INITIALIZED!!!
Next question.... in the INPUT chain I have a line that looks like this... DROP all -- 72.0.0.0/8 anywhere
I think I no longer want that line there because that ip address range has become valid (or so I'm told). I'm told you can do iptables -D like iptables -D INPUT --dport 80 -j DROP, but my lines don't look like that. I can't screw with this. It has to work, and anyway I think that would be a temporary change. I want this change to stick... If I could just find where it is coming from...
The init script of iptables saves the config file as /etc/sysconfig/iptables.
You can edit that file directly and remove that line; after that, restart iptables. Another way: you can delete that rule by rule number. Do "iptables -nvL" and look for where that rule is, then iptables -D $chain $rule_number. After that, don't forget to save iptables. Good luck.
The actual default iptables script for Redhat/Fedora is in /etc/sysconfig/iptables. However, don't directly edit the file itself; find the line that's blocking the 72.0.0.0/8 network and use the iptables -D option, then do: service iptables save. If you have problems, post the iptables script (remove your IP if it's there).
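A worked version of the delete-by-number-then-save procedure from the two replies above, added here as an example and not taken from this thread: it parses a constructed `iptables -nvL --line-numbers` listing (`--line-numbers` is iptables' own option) to locate the DROP for a source network, emits the bottom-up `iptables -D` commands plus the save step, and adds a grep helper for the case this thread hit, where no /etc/sysconfig/iptables exists and the rule is loaded by some other script. The function names and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL --line-numbers` output; not captured from a real host.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      *       72.0.0.0/8           0.0.0.0/0
3      100  6000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       72.0.0.0/8           0.0.0.0/0
'

# find_rule_numbers CHAIN SOURCE_CIDR TARGET  (listing text on stdin)
# Prints the numbers of rules in CHAIN with that source and target, highest
# first: deleting rule 2 renumbers rule 3, so deletions must go bottom-up.
find_rule_numbers() {
    awk -v chain="$1" -v src="$2" -v tgt="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $4 == tgt && $9 == src { print $1 }
    ' | sort -rn
}

# undrop_commands CHAIN SOURCE_CIDR  (listing text on stdin)
# Emits the iptables -D commands that remove every DROP of SOURCE_CIDR from
# CHAIN, followed by the RH save step. Review the output before running it.
undrop_commands() {
    nums=$(find_rule_numbers "$1" "$2" DROP)
    if [ -z "$nums" ]; then
        echo "# no DROP rule for $2 in chain $1" >&2
        return 1
    fi
    for n in $nums; do
        echo "iptables -D $1 $n"
    done
    echo "service iptables save"
}

# find_rule_source DIR SOURCE_CIDR
# Lists files under DIR that mention SOURCE_CIDR: when no /etc/sysconfig/iptables
# exists, the rule is being loaded by some other script, and grepping for the
# literal network is the quickest way to find it (e.g. find_rule_source /etc 72.0.0.0/8).
find_rule_source() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

printf '%s' "$SAMPLE" | undrop_commands INPUT 72.0.0.0/8
```

On a live host, replace the sample with `iptables -nvL --line-numbers | undrop_commands INPUT 72.0.0.0/8`; if the rules come from a wrapper script rather than /etc/sysconfig/iptables, the `service iptables save` step will not stop that script from re-adding the rule, which is why finding the source file matters.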
no /etc/sysconfig/iptables
But that's the problem, guys.
There IS NO file called /etc/sysconfig/iptables, so I don't KNOW where the stuff is coming from, so if I did do a -D then where/how would I save it so it can find it later. Furthermore, I ran chkconfig and ipchains is turned ON at runlevels 2,3,4,5; iptables is turned on at runlevel 2. However it tells me ipchains is incompatible with this kernel. It makes no sense to me that it's set like that. I've also checked for some other script like rc.firewall and anything in rc.local and come up empty. This server is a colo. Could it be the service provider is somehow feeding it in on boot?
Usually runlevel 2 isn't used under normal operation, so it looks like you're running ipchains (look for the /etc/sysconfig/ipchains file). Use the runlevel command to determine what runlevel you are in. Probably the best way to determine what firewall is actually running is to use service iptables status and service ipchains status. The iptables -L command will help confirm this (if it gives you an error message, then iptables is off).
If you are running ipchains, I would really recommend switching to iptables. Though if you're using ipchains, you can still use the ipchains -D option to delete a rule, though remember that the chain names are lower case in ipchains.
not running ipchains
I am not running ipchains; that's why it seems odd that it is in chkconfig.
I know I can delete a rule. My WHOLE problem is where ARE THE RULES STORED so that I can save it there after I delete it.
Check /etc/rc.d/init.d/iptables and see where the iptables variables point. Also check /etc/rc.d/rc.local for any overriding script. If it's some kind of non-standard configuration, then you'll need to do some detective work and look in the /etc/rc.d subdirectories. Part of why I'm asking you what runlevel you are in is because the runlevel determines what rcX.d folder is run by init. Since you have iptables on only at runlevel 2, I'd say /etc/rc.d/rc2.d/. You should find an iptables file in that subfolder. This is where the system init determines where to gather the iptables rules. Normally though all the rc iptables files and /etc/init.d/iptables files should just be links to /etc/rc.d/init.d/iptables. Also, please stop typing in caps.
Copied from the iptables script:
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
As per post #1 there is no /etc/sysconfig/iptables, and /etc/sysconfig/iptables-config is just a dummy with comments, no real content.
rc.local just fires up a thing called bandmin. rc.sysinit does a lot of things but nothing that I can see with the firewall.
root@xxxxxxx [/etc/rc.d/rc2.d]# ls -al S08iptables
lrwxrwxrwx 1 root root 18 Nov 19 2002 S08iptables -> ../init.d/iptables*
root@xxxxxxx [/etc/rc.d/rc2.d]#
All the others are K92iptables and they point to the same place. Sorry for typing in caps, but when I say I tried X and then someone suggests I try X, it makes me think maybe I didn't say it loud enough the first time. I appreciate your help. I'm pretty sure the colo is doing this to us.
Solved it.
Turns out we use a wrapper script for iptables with an obscure name hiding in a little corner of /etc which has the rules in it. supergrep found it. I just commented out the rule I didn't want any more, waited 10 minutes, the firewall woke up, re-read its config, regenerated iptables, and poof. Problem solved. Thanks all....