Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Recently I upgraded my RHEL5 kernel from 2.6.18-8.el5 to 2.6.25. Fact is, now when I try to start iptables an error comes out.
I was trying:
Code:
#/etc/init.d/iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [FAILED]
I did not make any change to the /etc/sysconfig/iptables file. Moreover, after I got this error I used the command system-config-securitylevel and changed it according to my needs, then I tried to start it again, but no luck.
What happens if you apply the configuration manually? Like:
Code:
iptables-restore < /etc/sysconfig/iptables
Does it provide you with an error line number?
I've had sudden load failures of this kind happen to me (without having edited the configuration file) after having deleted a user account for which an iptables rule had been previously created. The configuration would fail to load, due to the non-existent user account. It's just an example, though - there's plenty other reasons why an iptables configuration can fail to load.
Last edited by win32sux; 02-19-2010 at 02:35 AM.
Reason: Spelling.
I checked the /etc/sysconfig/iptables file; line 21 contains COMMIT.
What does this mean?
To quote Andreasson, it means that "at this point we should commit all rules currently in the pipeline to kernel". So perhaps you could show us everything above this COMMIT?
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
I suspect this could be related to your kernel config (specifically, with regards to the Netfilter modules selected). In other words, a module which was present in the RHEL kernel package, but isn't present in your home-brewed solution. Of course, I'm not sure about this. Could you verify that the Netfilter settings in the config you used to compile are in line with RHEL's? That's pretty much all that occurs to me right now.
One thing: my learning stage with Linux is still novice. Could you please explain to me how to check the Netfilter settings? Though I am using Google right now to find out about Netfilter.
You could grep the config file you used, for strings like CONFIG_NF_ and NETFILTER, for example.
BTW, it may help if you try each of those rules manually at the command line, in an effort to spot which one (if any) is causing the failure. I think this would be easier to troubleshoot with that information in hand.
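The two suggestions in this thread, loading the file by hand to get the failing line and grepping the kernel config for the Netfilter options, as one added shell example that is not from the thread or from any LQ poster. It maps each rule's matches and targets to the CONFIG_ symbols a 2.6.25-era kernel needs (that mapping, the cut-down copy of the ruleset and the sample .config fragments are assumptions made here for illustration; LOG and multiport are included as two common extras the posted file does not use), reports which symbols a given .config lacks, and, on a box with iptables and root, applies the rules one line at a time so the kernel's complaint lands on a rule rather than on COMMIT. Note what the posted init-script output already shows: by the time "Applying iptables firewall rules" fails, the rules have been flushed and the chains set to policy ACCEPT, so the host is running unfiltered until a ruleset loads.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the checks
# suggested above: list the Netfilter CONFIG_ options an iptables-save style
# ruleset needs and look them up in a kernel .config, and (as root, with
# iptables installed) feed the rules in one at a time so the first rule the
# kernel refuses is named on its own. The keyword -> CONFIG_ mapping uses
# 2.6.25-era Kconfig names and is an assumption; check it against your Kconfig.

# Print the CONFIG_ symbols one ruleset line needs, one per line.
# $1 = a "*table", ":chain ..." or "-A ..." line in iptables-save format.
rule_needs() {
    line=" $1 "
    echo CONFIG_NETFILTER; echo CONFIG_NETFILTER_XTABLES; echo CONFIG_IP_NF_IPTABLES
    case "$line" in ' *filter '*) echo CONFIG_IP_NF_FILTER ;; ' *mangle '*) echo CONFIG_IP_NF_MANGLE ;; esac
    case "$line" in *' -p tcp '*|*' -p udp '*|*' -m tcp '*|*' -m udp '*) echo CONFIG_NETFILTER_XT_MATCH_TCPUDP ;; esac
    case "$line" in *' -m state '*) echo CONFIG_NF_CONNTRACK; echo CONFIG_NF_CONNTRACK_IPV4; echo CONFIG_NETFILTER_XT_MATCH_STATE ;; esac
    case "$line" in *' -m multiport '*) echo CONFIG_NETFILTER_XT_MATCH_MULTIPORT ;; esac
    case "$line" in *' -j REJECT '*) echo CONFIG_IP_NF_TARGET_REJECT ;; esac
    case "$line" in *' -j LOG '*) echo CONFIG_IP_NF_TARGET_LOG ;; esac
}

# Print the deduplicated set of symbols ruleset file $1 needs.
ruleset_needs() {
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        rule_needs "$l"
    done < "$1" | sort -u
}

# Print each symbol ruleset $1 needs that is not =y or =m in .config $2.
# Returns 1 if anything is missing, 0 if the config covers the ruleset.
check_config() {
    missing=0
    for sym in $(ruleset_needs "$1"); do
        grep -q "^${sym}=[ym]\$" "$2" || { echo "missing: $sym"; missing=1; }
    done
    return $missing
}

# Apply ruleset file $1 through the iptables binary one line at a time so the
# first rule the kernel refuses is named on its own. Like the init script's
# restore it flushes the table first: run it from the console, not over a
# session those rules protect. Needs root and iptables (returns 2 without them).
apply_one_by_one() {
    [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1 || {
        echo "apply_one_by_one: needs root and iptables" >&2; return 2; }
    ( set -f; table=filter          # -f: never glob-expand "[0:0]" counters
      while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in
            ''|'#'*|COMMIT) ;;
            '*'*) table=${l#\*}; iptables -t "$table" -F; iptables -t "$table" -X ;;
            ':'*) chain=${l%% *}; chain=${chain#:}; policy=${l#* }; policy=${policy%% *}
                  if [ "$policy" = "-" ]; then iptables -t "$table" -N "$chain"
                  else iptables -t "$table" -P "$chain" "$policy"; fi ;;
            *)    iptables -t "$table" $l || { echo "FAILED: $l" >&2; exit 1; } ;;
        esac
      done < "$1" )
}

# Constructed sample input: a cut-down copy of the poster's ruleset and two
# .config fragments, one complete and one lacking the state match and REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
GOOD_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_TCPUDP=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m'
BAD_CONFIG=$(printf '%s\n' "$GOOD_CONFIG" | grep -v -e MATCH_STATE -e TARGET_REJECT)

# Write the samples to a temp dir and run the config check on both.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$d/rules"
    printf '%s\n' "$GOOD_CONFIG" > "$d/good.config"; printf '%s\n' "$BAD_CONFIG" > "$d/bad.config"
    echo "== complete .config:"; check_config "$d/rules" "$d/good.config" && echo "nothing missing"
    echo "== .config lacking state match and REJECT target:"; check_config "$d/rules" "$d/bad.config"
    rm -rf "$d"
}
demo
```

On the real box the call is `check_config /etc/sysconfig/iptables /usr/src/linux/.config` (or wherever the config used for the 2.6.25 build lives); a symbol printed as missing was neither built in nor built as a module, which is exactly the kind of gap a stock RHEL kernel package would not have had. iptables-restore builds the whole table in userspace and only hands it to the kernel at COMMIT, so an error reported on the COMMIT line (line 21 here) is the kernel rejecting the table, typically for a missing match or target module, rather than a syntax error in one rule; `apply_one_by_one` turns that into a per-rule failure message by going through the `iptables` binary instead.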