Iptables setup problems
It appears there is something fundamentally wrong with my iptables setup. Using the tutorial from the Centos wiki:
http://wiki.centos.org/HowTos/Network/IPTables
The basic initial commands are not working as expected.
Checking to see if iptables is installed: OK
$ rpm -q iptables
iptables-1.3.5-1.2.1
Checking to see if iptables modules are loaded:
I don't know if there is a PATH statement as in DOS, but commands only work if I use the full path. Even so, there don't seem to be modules. I believe I had read that the modules are now integrated in the kernel. Could the call to a nonexistent module directory be part of the problem?
$ su -c 'lsmod | grep ip_tables'
Password:
bash: lsmod: command not found
$ su -c '/sbin/lsmod | grep ip_tables'
Password:
Opening /proc/modules: No such file or directory
Trying to list the currently loaded rules:
$ iptables -L
-bash: iptables: command not found
$ /sbin/iptables -L
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Running the same command as root gives results, but no loaded rules. Iptables not running?
$ su -c '/sbin/iptables -L'
Password:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This command is supposed to invoke iptables, but it doesn't seem to work:
$ su -c 'system-config-securitylevel'
Password:
bash: system-config-securitylevel: command not found
$ whereis system-config-securitylevel
system-config-securitylevel:
$ su -c 'whereis system-config-securitylevel'
Password:
system-config-securitylevel:
Checking iptables status gives puzzling (to me) results.
# /sbin/service iptables status
Table: raw
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Stopping iptables: OK, but some error messages:
# /sbin/service iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: raw nat mangle filter [ OK ]
Unloading iptables modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
[ OK ]
Starting iptables: OK, but more error messages. Does the final FAILED mean it isn't fully loaded?
# /sbin/service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: raw nat mangle filter [ OK ]
Unloading iptables modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
[ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
Listing loaded rules now gives results:
# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Site is not reachable.
When iptables is stopped, site is reachable.
Saving iptables results in this:
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Apr 1 10:15:26 2008
*raw
:PREROUTING ACCEPT [108:6544]
:OUTPUT ACCEPT [86:13552]
COMMIT
# Completed on Tue Apr 1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr 1 10:15:26 2008
*nat
:PREROUTING ACCEPT [28:1344]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Apr 1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr 1 10:15:26 2008
*mangle
:PREROUTING ACCEPT [107:6504]
:INPUT ACCEPT [106:6464]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84:12920]
:POSTROUTING ACCEPT [84:12920]
COMMIT
# Completed on Tue Apr 1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr 1 10:15:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:11780]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Apr 1 10:15:26 2008
Can anyone see what the problem might be? As long as I use full pathnames when invoking, it seems to load but the webserver is unreachable.
Any help/suggestions would be MUCH appreciated.
-Joyce.
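To show why the ruleset above makes the web server unreachable, here is an added example (not code from the post or from the CentOS wiki): a POSIX shell script that reads an iptables-save dump and lists the destination ports the filter table explicitly accepts. It embeds the post's own filter table as constructed input so it runs offline; the function names accepted_ports and port_open are this example's, not part of iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Given an iptables-save dump, list
# every destination port the filter table explicitly ACCEPTs, then check
# whether a service's port is among them. RULES is the filter table from the
# post, embedded here (constructed input) so the script runs offline.

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:11780]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "proto/port" for each filter-table rule that ACCEPTs a --dport.
# The "*table" header lines tell awk which table a rule belongs to.
accepted_ports() {
    printf '%s\n' "$RULES" |
    awk '/^\*/ { table = $1 }
         table == "*filter" && /-j ACCEPT/ {
             proto = ""; port = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "-p") proto = $(i + 1)
                 if ($i == "--dport") port = $(i + 1)
             }
             if (port != "") print proto "/" port
         }'
}

# Succeed (exit 0) only if proto/port is accepted, e.g. port_open tcp 80.
port_open() {
    accepted_ports | grep -qx "$1/$2"
}

# The post's ruleset never accepts tcp/80, so HTTP falls through to the final
# REJECT (icmp-host-prohibited): that is why the site was "not reachable".
port_open tcp 80 || echo "tcp/80 is not accepted: add an ACCEPT for it before the REJECT"
```

Only 22/tcp, 631/tcp, 631/udp and 5353/udp are accepted, so a web server on 80/tcp is answered by the final REJECT; the fix is an ACCEPT for the web port placed ahead of that REJECT line in /etc/sysconfig/iptables.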
2 Replies
Change the following two options to look like the following:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="no"
Concerning your other questions...
You need to be root to run the iptables command.
The "system-config-securitylevel" program is part of some package. You might be able to figure out which one using Google. You can edit the "/etc/sysconfig/iptables" file directly.
You could also use Firehol or some other iptables rule manager type thing. I think there are a few other posts on the forums about that.
As for the other problems, I flushed it all out, and started from scratch, checking each one as I went along. I'm happy to say, it seems stable (for now) and all sites are reachable.
Next, the mail server. Then Movable Type. Then Webmin. Then a stats program. Then some time off.
Thanks again for your help.
-Joyce.