LinuxQuestions.org
Old 10-22-2008, 11:27 AM   #1
helptonewbie
iptables -L returns no rules but I know they are there?? What gives


Hi All,
I've seen this before and never done anything about it, but I have written iptables rules before and run them so that they are running on the server, and I test that they are running as expected, but running an iptables -L or iptables --list shows me an empty list, even though the packets are being filtered correctly.
Has anyone else come across this before??

Regards,
 
Old 10-22-2008, 03:32 PM   #2
win32sux
Did you compile iptables on your own or is it a distro-provided package? What package version? What distro?

What test method are you using to check that the packet filter is working properly?
 
Old 10-22-2008, 03:41 PM   #3
ncsuapex
Are you running the iptables -L command as root?
 
Old 10-22-2008, 03:57 PM   #4
helptonewbie
Original Poster
Quote:
Originally Posted by win32sux
Did you compile iptables on your own or is it a distro-provided package? What package version? What distro?

What test method are you using to check that the packet filter is working properly?
SLES 10, with iptables already installed as default.

Using telnet from an IP address not permitted, to try and connect to ports locked out, and this works fine, i.e. the computer is locked out... a different computer isn't locked out, and I've set it so that other computer isn't locked out, so it's working fine.

Quote:
are you running the iptables -L command as root?
Absolutely, I've written a few iptables firewalls before so I like to think I'm a little good at it... at least when doing the simple things anyway :-)

Not that I think it makes any difference, but I just have all the iptables commands in a file and I execute the file 'as root of course' when I want to put the firewall in place (whether on system boot-up or generally; at the moment usually after system boot, and I execute it myself). I haven't been doing it using iptables-save and iptables-restore. Other servers of the same distro are able to display the listing fine.

Thanks for replying,
Regards

 
Old 10-22-2008, 04:11 PM   #5
win32sux
When you say that it shows you an empty list, what exactly do you mean?

Could you show us exactly what the output looks like?
 
Old 10-22-2008, 04:31 PM   #6
helptonewbie
Original Poster
Yes, sorry, I guess it would help...

Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Now this iptables set-up on this server actually has one rule, and that is to forward/re-route anything trying to connect to port 80 to 8080. This runs perfectly fine and is executed by this command, which is run on server boot-up inside an init.d script:
Code:
#!/bin/bash
#
# /etc/init.d/XXXXXfirewall
#
### BEGIN INIT INFO
# Provides: iptablesFirewallPortRoutingS
# Required-Start: $network
# Required-Stop:
# Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Description: Is used to create rules in ip tables enabling XxxxXxxxX proxy to run on port 8080 instead of 80 through iptable redirect
### END INIT INFO

# Rule set written by iptables-save; iptables-restore loads every table it contains
FWALL_RESTORE_FILE=/etc/sysconfig/iptables

# LSB status 5 ("program is not installed") if the rules file is missing or unreadable
test -r "$FWALL_RESTORE_FILE" || exit 5
. /etc/rc.status

rc_reset

case "$1" in
    start)
        echo -n "Adding firewall Rules to IPtables "
        iptables-restore < "$FWALL_RESTORE_FILE"
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start}"
        exit 1
        ;;
esac

# Set exit status
rc_exit
The firewall file itself (created with iptables-save, of course):
Code:
# Generated by iptables-save v1.3.5 on Tue Feb 19 11:40:39 2008
*nat
:PREROUTING ACCEPT [10:688]
:POSTROUTING ACCEPT [3:637]
:OUTPUT ACCEPT [3:637]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 
COMMIT
# Completed on Tue Feb 19 11:40:39 2008
This all works as expected but, as you can see, certainly isn't complicated and doesn't show in the list. I have other servers, like I said, where I don't use the iptables-save and restore method and get the same problem, and then other servers again that are able to list without problem. The other servers are much more complex firewalls where packets are dropped etc. etc.; I know they are working also, as I make sure the dropped packets are logged before being dropped so I can look at what has tried to connect, etc. etc.

Cheers,
Regards

 
Old 10-22-2008, 04:50 PM   #7
win32sux
Quote:
Originally Posted by helptonewbie
Now this iptables set-up on this server actually has one rule and that is to forward/re-route anything trying to connect to port 80 to 8080, and this runs perfectly fine [...]
That wouldn't show up in the output of "iptables -L", as the PREROUTING chain is in the nat table. The "-L" option will show only the filter table by default. You can specify that you want to see the nat table like:
Code:
iptables -L -t nat
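An added example, not part of the thread, that makes the reply's point checkable on any host: it parses iptables-save output (the same format as the rules file posted above) and lists every rule that a plain "iptables -L" would hide because it lives outside the filter table. The sample dump is constructed, and the script name audit_tables.py is a hypothetical placeholder.

```python
import sys

# Constructed sample in iptables-save format: the thread's REDIRECT rule in
# the nat table, plus two filter-table rules (LOG then DROP) for contrast.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [10:688]
:POSTROUTING ACCEPT [3:637]
:OUTPUT ACCEPT [3:637]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH-DROP "
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}. In iptables-save output '*name'
    opens a table, ':CHAIN POLICY [pkts:bytes]' declares a chain, '-A CHAIN ...'
    appends a rule and 'COMMIT' closes the current table."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and iptables-save's own timestamp comments
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            table.setdefault(line.split()[1], []).append(line)
        elif line == "COMMIT":
            table = None
    return tables

def rules_hidden_from_default_list(tables):
    """Rules a plain 'iptables -L' would not show: everything outside 'filter'."""
    return [(name, chain, rule)
            for name, chains in tables.items() if name != "filter"
            for chain, rules in chains.items()
            for rule in rules]

if __name__ == "__main__":
    # Audit a live host with:  iptables-save | python3 audit_tables.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for name, chain, rule in rules_hidden_from_default_list(parse_iptables_save(dump)):
        print(f"iptables -t {name} -L {chain} would show: {rule}")
```

Feeding real iptables-save output through it is the quick way to audit every table at once, since -L only answers for one table per invocation.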
 
Old 10-22-2008, 05:27 PM   #8
helptonewbie
Original Poster
Wow, ok hmmm. I never knew that, can't believe I've not come across it before. I'm still not sure why it doesn't work on other servers, but yes, that showed the list as it should be for those rules. Which is great, thanks for that.

I think that will be enough; I can move on from there. I need to look more into this obviously.

Thanks for your help,
Regards
 
  

