Iptables setup problems

I apologize in advance for the length of this post, but I want to include as much info as I can.

It appears there is something fundamentally wrong with my iptables setup. Using the tutorial from the CentOS wiki:

http://wiki.centos.org/HowTos/Network/IPTables

The basic initial commands are not working as expected.

Checking to see if iptables is installed: OK

$ rpm -q iptables
iptables-1.3.5-1.2.1

Checking to see if iptables modules are loaded:

I don't know if there is a PATH statement as in DOS, but commands only work if I use the full path. Even so, there don't seem to be modules. I believe I had read that the modules are now integrated in the kernel. Could the call to a nonexistent module directory be part of the problem?

$ su -c 'lsmod | grep ip_tables'
Password: 
bash: lsmod: command not found
$ su -c '/sbin/lsmod | grep ip_tables'
Password: 
Opening /proc/modules: No such file or directory

Trying to list the currently loaded rules:

$ iptables -L
-bash: iptables: command not found
$ /sbin/iptables -L
iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Running the same command as root gives results, but no loaded rules. Iptables not running?

$ su -c '/sbin/iptables -L'
Password: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

This command is supposed to invoke iptables, but it doesn't seem to work:

$ su -c 'system-config-securitylevel'
Password: 
bash: system-config-securitylevel: command not found
$ whereis system-config-securitylevel
system-config-securitylevel:
$ su -c 'whereis system-config-securitylevel'
Password: 
system-config-securitylevel:

Checking iptables status gives puzzling (to me) results.

# /sbin/service iptables status
Table: raw
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination  

Stopping iptables, OK but some error messages:

# /sbin/service iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw nat mangle filter     [  OK  ]
Unloading iptables modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
                                                           [  OK  ]

Starting iptables, OK, but more error messages. Does the final FAILED mean it isn't fully loaded?

# /sbin/service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw nat mangle filter     [  OK  ]
Unloading iptables modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
                                                           [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]

Listing loaded rules now gives results:

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Site is not reachable.

When iptables is stopped, site is reachable.

Saving iptables results in this:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Apr  1 10:15:26 2008
*raw
:PREROUTING ACCEPT [108:6544]
:OUTPUT ACCEPT [86:13552]
COMMIT
# Completed on Tue Apr  1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr  1 10:15:26 2008
*nat
:PREROUTING ACCEPT [28:1344]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Apr  1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr  1 10:15:26 2008
*mangle
:PREROUTING ACCEPT [107:6504]
:INPUT ACCEPT [106:6464]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84:12920]
:POSTROUTING ACCEPT [84:12920]
COMMIT
# Completed on Tue Apr  1 10:15:26 2008
# Generated by iptables-save v1.3.5 on Tue Apr  1 10:15:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:11780]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Tue Apr  1 10:15:26 2008

Can anyone see what the problem might be? As long as I use full pathnames when invoking, it seems to load but the webserver is unreachable.

Any help/suggestions would be MUCH appreciated.

-Joyce.
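One thing worth checking in a ruleset like the one posted above is which ports the RH-Firewall-1-INPUT chain actually admits before its final REJECT, since the default policy of ACCEPT on the INPUT chain does not help once a packet reaches that rule. The script below is an added example and not part of the original post or the CentOS wiki: it reads an iptables-save dump, lists the ports accepted per protocol, reports whether a given port would be accepted or fall through to the REJECT, and shows how an ACCEPT for new connections on a port would be inserted ahead of the REJECT. The RULES text is constructed from the filter table quoted in the post; the function names are my own.

```shell
# Added example, not from the original post or the CentOS wiki: audit an
# iptables-save dump for the ports it accepts before the final REJECT, so
# you can tell whether a service port (the web server's port 80 here) is
# really open. RULES is constructed from the filter table quoted above.

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:11780]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# accepted_ports <proto>: read a dump on stdin and print every --dport that
# an ACCEPT rule admits for the given protocol (tcp or udp).
accepted_ports() {
    awk -v proto="$1" '
        /^-A / && /-j ACCEPT/ {
            p = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (p == proto && port != "") print port
        }'
}

# port_is_open <proto> <port>: succeed if the dump on stdin accepts the port.
port_is_open() {
    accepted_ports "$1" | grep -qx "$2"
}

# ends_in_reject: succeed if the last rule of RH-Firewall-1-INPUT is a REJECT,
# i.e. anything not accepted above it is refused despite the ACCEPT policy.
ends_in_reject() {
    grep '^-A RH-Firewall-1-INPUT' | tail -n 1 | grep -q -- '-j REJECT'
}

# open_port <proto> <port>: copy the dump from stdin to stdout, inserting an
# ACCEPT for new connections on the port just before the REJECT rule.
open_port() {
    awk -v proto="$1" -v port="$2" '
        /^-A RH-Firewall-1-INPUT -j REJECT/ {
            print "-A RH-Firewall-1-INPUT -p " proto " -m state --state NEW -m " proto " --dport " port " -j ACCEPT"
        }
        { print }'
}

main() {
    echo "TCP ports accepted: $(printf '%s\n' "$RULES" | accepted_ports tcp | tr '\n' ' ')"
    echo "UDP ports accepted: $(printf '%s\n' "$RULES" | accepted_ports udp | tr '\n' ' ')"
    for port in 22 80 443; do
        if printf '%s\n' "$RULES" | port_is_open tcp "$port"; then
            echo "tcp/$port: accepted"
        else
            echo "tcp/$port: not accepted, will hit the final REJECT"
        fi
    done
    echo "--- rule that open_port would add for tcp/80 ---"
    printf '%s\n' "$RULES" | open_port tcp 80 | grep -- '--dport 80'
}
main
```

Run against the posted ruleset it reports tcp/22 and tcp/631 as accepted and tcp/80 as falling through to the REJECT, which matches the symptom of the web server being reachable only while iptables is stopped. To use it on a live box, replace the RULES variable with the output of `/sbin/iptables-save` and feed the result of open_port back through `/sbin/iptables-restore` only after reviewing it.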

2 Replies

You don't need any modules for your kernel to use iptables. Everything is compiled in. You can edit the "/etc/sysconfig/iptables-config" file to disable the module stuff.

Change the following two options to look like the following:

IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="no"

Concerning your other questions...

You need to be root to run the iptables command.

The "system-config-securitylevel" program is part of some package. You might be able to figure out which one using Google. You can edit the "/etc/sysconfig/iptables" file directly.

You could also use Firehol or some other iptables rule manager type thing. I think there are a few other posts on the forums about that.
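The two iptables-config settings from the reply above can be applied and checked from a script rather than by hand, which is useful if the same change has to go onto several hosts. This is an added example, not the reply author's code: it works on a constructed copy of the file (the sample content and the module name in it are made up to resemble a stock file, not taken from the poster's system), rewrites each key in place or appends it if missing, and reads the values back. The helper names set_option, get_option and disable_module_handling are my own.

```shell
# Added example, not from the reply above: apply the two iptables-config
# settings idempotently to a copy of the file and read them back.
# The file content is constructed; only the two key names come from the reply.

CONFIG="$(mktemp)"
cat > "$CONFIG" <<'EOF'
# constructed sample resembling /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_netbios_ns"
# Unload modules on restart and stop
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
IPTABLES_SAVE_ON_STOP="no"
EOF

# set_option <file> <KEY> <value>: rewrite KEY="value" in place, or append it
# if the key is absent. Writes to a temp file first so a failed write leaves
# the original untouched.
set_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=\"$value\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_option <file> <KEY>: print the value of KEY with surrounding quotes removed.
get_option() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# disable_module_handling <file>: the two changes suggested in the reply,
# for a kernel that has netfilter built in and no /proc/modules.
disable_module_handling() {
    set_option "$1" IPTABLES_MODULES ""
    set_option "$1" IPTABLES_MODULES_UNLOAD no
}

disable_module_handling "$CONFIG"
echo "--- resulting file ---"
cat "$CONFIG"
echo "IPTABLES_MODULES is now: '$(get_option "$CONFIG" IPTABLES_MODULES)'"
echo "IPTABLES_MODULES_UNLOAD is now: '$(get_option "$CONFIG" IPTABLES_MODULES_UNLOAD)'"
```

Running it a second time leaves the file unchanged, and the match on `^KEY=` keeps IPTABLES_MODULES from clobbering IPTABLES_MODULES_UNLOAD. Point it at the real file by replacing the mktemp copy with /etc/sysconfig/iptables-config, as root, and restart the service afterwards.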

I made the changes you suggested, and that seemed to fix the missing modules problem.

As for the other problems, I flushed it all out, and started from scratch, checking each one as I went along. I'm happy to say, it seems stable (for now) and all sites are reachable.

Next, the mail server. Then Movable Type. Then Webmin. Then a stats program. Then some time off.

Thanks again for your help.

-Joyce.
