Hello CentOS,
I'm having a strange situation on one of my servers. I'm running CentOS with all the latest yum updates. It runs fine, but iptables does not seem to be 'consistently' dropping the packets from the IPs I've put a drop rule in for. When I do iptables -L I still see the rule in place:

iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source                     destination
RH-Firewall-1-INPUT  all  --  anywhere                   anywhere
DROP                 all  --  ip176-0.netcathost.com/24  anywhere

With this rule in place and iptables running, I am now getting the blocked IPs showing up in my apache logs again. This used to work... has something changed?
RH-Firewall-1-INPUT  all  --  anywhere                   anywhere
DROP                 all  --  ip176-0.netcathost.com/24  anywhere

Wrong order: if the RH-Firewall chain accepts it, it won't be dropped... you want:

Chain INPUT (policy ACCEPT)
target               prot opt source                     destination
DROP                 all  --  ip176-0.netcathost.com/24  anywhere
RH-Firewall-1-INPUT  all  --  anywhere                   anywhere
On Thu, 2005-08-25 at 07:48 -0700, centos@silverservers.com wrote:
Rather than posting the output of iptables -L, could you send the file /etc/sysconfig/iptables to the list.
Also, what happens if you restart iptables?
/sbin/service iptables restart
Any errors?
Sean
Hello Sean,
/etc/init.d/iptables restart
Flushing firewall rules:                               [  OK  ]
Setting chains to policy ACCEPT: filter                [  OK  ]
Unloading iptables modules:                            [  OK  ]
Applying iptables firewall rules:                      [  OK  ]
Loading additional iptables modules: ip_conntrack_ftp  [  OK  ]

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Of course, when I restart, the rule I entered with:

iptables -A RH-Firewall-1-INPUT -s 195.225.176.0/24 -j DROP
Mike-
Try editing /etc/sysconfig/iptables to add your rule very early in the stack (anywhere before the rule that accepts anything destined for port 80), restart iptables, and see if that works. My guess is it's never hitting the rule.
Sean
On Thu, 2005-08-25 at 09:50 -0700, Mike wrote:
Mike wrote:
Of course, when I restart, the rule I entered with:

iptables -A RH-Firewall-1-INPUT -s 195.225.176.0/24 -j DROP
Um, try using
iptables -I RH-Firewall-1-INPUT -s 195.225.176.0/24 -j DROP
instead and see what that does. That's replacing '-A', which appends the rule to the END of the chain, with '-I', which inserts the rule at the HEAD of the chain.
iptables -I RH-Firewall-1-INPUT -s 195.225.176.0/24 -j DROP

I think you mean:

iptables -I RH-Firewall-1-INPUT 1 -s 195.225.176.0/24 -j DROP
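The whole thread turns on iptables' first-match evaluation: a packet walks the chain top to bottom, and the first rule with a terminating target (ACCEPT, DROP, REJECT) decides; a jump into RH-Firewall-1-INPUT only comes back to INPUT if nothing in the sub-chain matched, and here the sub-chain ends with a catch-all REJECT, so nothing ever comes back. The following Python simulator is an added illustration, not code from the thread or from the iptables project. It parses a small, constructed subset of the ruleset Mike posted (only the -A/-I, -s, -d, -i, -p, --dport, --state and -j options are understood), evaluates a made-up NEW HTTP packet from the blocked range, and shows the verdict under the three placements discussed: appended to RH-Firewall-1-INPUT with -A (lands after the REJECT, unreachable), appended to INPUT with -A (lands after the jump, never reached), and inserted at the head with -I. The packet addresses and interface name are invented for the example.

```python
"""Simulate iptables first-match evaluation to show why rule position matters."""
import ipaddress
import shlex

# Constructed: the relevant subset of the /etc/sysconfig/iptables posted in the thread.
BASE_RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
BLOCK = "-s 195.225.176.0/24 -j DROP"

# Constructed sample packets (addresses and interface are made up for the example).
HTTP_FROM_BLOCKED = {"src": "195.225.176.10", "dst": "10.0.0.1", "iface": "eth0",
                     "proto": "tcp", "dport": 80, "state": "NEW"}
HTTP_FROM_OTHER = dict(HTTP_FROM_BLOCKED, src="198.51.100.7")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Return (chain, insert position or None for append, rule dict) for one -A/-I line."""
    tokens = shlex.split(line)
    rule, chain, position = {"text": line}, None, None
    i = 0
    while i < len(tokens):
        tok, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
        if tok in ("-A", "-I"):
            chain, i = arg, i + 2
            if tok == "-I":                       # -I without a number means position 1
                position = 1
                if i < len(tokens) and tokens[i].isdigit():
                    position, i = int(tokens[i]), i + 1
            continue
        if tok in ("-s", "-d"):
            rule["src" if tok == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-i":
            rule["iface"] = arg
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "--state":
            rule["states"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok not in ("-m", "--reject-with", "--icmp-type"):   # module names / target options: no match effect here
            raise ValueError(f"unsupported option {tok!r} in: {line}")
        i += 2
    if chain is None or "target" not in rule:
        raise ValueError(f"rule needs a chain and a -j target: {line}")
    return chain, position, rule


def load_rules(text):
    """Build {chain: [rules]} from -A/-I lines, honouring append versus insert order."""
    chains = {"INPUT": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:*" or line == "COMMIT":   # skip table/chain headers
            continue
        chain, position, rule = parse_rule(line)
        rules = chains.setdefault(chain, [])
        if position is None:
            rules.append(rule)                    # -A: end of chain
        else:
            rules.insert(position - 1, rule)      # -I: numbered slot, 1 = head
    return chains


def matches(rule, pkt):
    """Every option present on the rule must match the packet."""
    return all((
        "src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"],
        "dst" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["dst"],
        "iface" not in rule or rule["iface"] == pkt["iface"],
        "proto" not in rule or rule["proto"] == pkt["proto"],
        "dport" not in rule or rule["dport"] == pkt["dport"],
        "states" not in rule or pkt["state"] in rule["states"],
    ))


def _walk(chains, pkt, chain):
    """First match wins; returns (verdict, rule text), or None if the chain falls through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINATING:
            return target, rule["text"]
        if target == "RETURN":
            return None
        if target in chains:                      # jump into a user-defined chain
            result = _walk(chains, pkt, target)
            if result is not None:
                return result                     # sub-chain decided: later rules never run
    return None


def evaluate(chains, pkt, policy="ACCEPT"):
    """Verdict for pkt entering INPUT; the chain policy applies if nothing matched."""
    return _walk(chains, pkt, "INPUT") or (policy, "INPUT chain policy")


def verdicts(pkt=HTTP_FROM_BLOCKED):
    """Verdict for the same packet under the three placements discussed in the thread."""
    variants = {
        "appended to RH-Firewall-1-INPUT": BASE_RULES + f"-A RH-Firewall-1-INPUT {BLOCK}\n",
        "appended to INPUT":               BASE_RULES + f"-A INPUT {BLOCK}\n",
        "inserted at head":                BASE_RULES + f"-I RH-Firewall-1-INPUT 1 {BLOCK}\n",
    }
    return {name: evaluate(load_rules(text), pkt) for name, text in variants.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in verdicts().items():
        print(f"{name:34} -> {verdict:7} by: {rule}")
```

Both -A placements let the packet through on the `--dport 80` ACCEPT rule, and a packet to a closed port from the same range is REJECTed by the catch-all before the appended DROP is ever consulted; only the -I placement drops it. Two practical notes that follow from the thread: `-I chain` with no number already inserts at position 1, so the `1` is harmless but not required; and a rule added at the command line lives only in the running kernel, which is why it vanished on `service iptables restart` (the init script reloads /etc/sysconfig/iptables). To keep it, either add the line to that file ahead of the port-80 rule, as suggested above, or run `service iptables save` after inserting it so the running rules are written back to the file.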