Just another iptables question

I'm trying to set up iptables on CentOS 5.2 but I'm not having any luck. This is what it does:

[root@webhost ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw nat mangle filter     [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
[root@webhost ~]# lsmod | grep ip_tables
[root@webhost ~]#

Based on some Googling I've created the following script to set up my rules (I've replaced some of my top secret port numbers with [PortNumber] :)):

#!/bin/bash
# iptables example configuration script

# Flush all current rules from iptables
iptables -F

# Basic rules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT

# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Email
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT

# MySQL
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save settings and list rules
/sbin/service iptables save
iptables -L -v

Any help would be greatly appreciated.

LEC

5 Replies

Why do you think it's not working? "lsmod" shows what modules are loaded. If iptables is compiled into the kernel then it won't load as a module.

% zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y

What you need to do is run "iptables -L -n" to check rules are loaded.

Oh, cool. Thank you. I read somewhere that that's the way to check it, but I guess it's not. :)

The only reason I thought it wasn't running is because I can't get in through SSH. I changed the default port to my secret [PortNumber] and for some reason it doesn't work. My ssh_config file looks like this:

Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

# Protocol 2,1
Protocol 2

# Run ssh on a non-standard port:
Port [PortNumber]

And my iptables entry as you saw above is:

# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT 

When I try to connect I get:

[root@webhost ~]# ssh root@myserver -p [PortNumber]
ssh: connect to host myserver port [PortNumber]: Connection refused

Since your policy is "drop" but you're seeing "connection refused", I'm guessing that either you have other firewall rules in place ('reject') or else your ssh daemon isn't listening on the port you specified.

Did you mean sshd_config? "ssh_config" is for the client; sshd_config is for the server. Given that you have "SendEnv" lines in there, I'm guessing you modified the wrong ssh configuration file.

You can check with "iptables -L" for the firewall and "netstat -anp" to see if sshd is listening properly.
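The check this reply describes, written out as an added example that is not part of the thread: a small sh script that reads the output of "netstat -anp" and "iptables -L INPUT -n" and says whether "Connection refused" is coming from sshd not listening on the port or from the firewall. The netstat and iptables outputs embedded in it are constructed to match the poster's situation (sshd still bound to 22 because the client file was edited, firewall accepting the new port); 2222 stands in for the poster's [PortNumber].

```shell
#!/bin/sh
# Added example, not from the thread. Triage "Connection refused" on a
# non-standard ssh port from the two commands the reply recommends.
# The sample outputs below are constructed; 2222 is a placeholder port.

# Constructed "netstat -anp" output: sshd is still bound to port 22
# because ssh_config (the client file) was edited instead of sshd_config.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1300/httpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1350/sendmail'

# Constructed "iptables -L INPUT -n" output matching the poster's script.
# Note that -L without -v hides interfaces, so the "-i lo" rule shows up
# as a bare "ACCEPT all" line; use -v when you need to see it.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# listen_addrs PORT NETSTAT_OUTPUT -> local addresses with a LISTEN socket
# on tcp/PORT, one per line (empty when nothing is bound to the port).
listen_addrs() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$6 == "LISTEN" && $4 ~ (":" p "$") { sub(/:[0-9]+$/, "", $4); print $4 }'
}

# has_rule TARGET PORT IPTABLES_OUTPUT -> 0 if the INPUT chain holds a rule
# with that target for tcp/PORT ("dpt:PORT" not followed by another digit).
has_rule() {
    printf '%s\n' "$3" | awk -v t="$1" -v p="$2" \
        '$1 == t && $0 ~ ("dpt:" p "([^0-9]|$)") { found = 1 } END { exit !found }'
}

# input_policy IPTABLES_OUTPUT -> default policy from "Chain INPUT (policy X)".
input_policy() {
    printf '%s\n' "$1" | awk '/^Chain INPUT/ { gsub(/[()]/, ""); print $4; exit }'
}

# triage PORT NETSTAT_OUTPUT IPTABLES_OUTPUT -> one verdict line on stdout,
# exit 0 when everything looks right, 1 when a cause was found.
triage() {
    port=$1; ns=$2; ipt=$3
    addrs=$(listen_addrs "$port" "$ns")
    if [ -z "$addrs" ]; then
        echo "not_listening: nothing is bound to tcp/$port. A packet the firewall ACCEPTs reaches a closed port and gets a RST, which ssh reports as 'Connection refused'. Check sshd_config, not ssh_config."
        return 1
    fi
    if ! printf '%s\n' "$addrs" | grep -v -e '^127\.' -e '^::1$' >/dev/null; then
        echo "loopback_only: sshd only listens on loopback ($addrs), not on an external interface"
        return 1
    fi
    if has_rule REJECT "$port" "$ipt"; then
        echo "firewall_rejects: a REJECT rule for tcp/$port answers the SYN, which also shows up as 'Connection refused'"
        return 1
    fi
    if ! has_rule ACCEPT "$port" "$ipt" && [ "$(input_policy "$ipt")" = "DROP" ]; then
        echo "firewall_drops: no ACCEPT for tcp/$port and INPUT policy is DROP; the symptom would be a timeout, not 'Connection refused'"
        return 1
    fi
    echo "ok: sshd listens on $addrs and the firewall accepts tcp/$port"
    return 0
}

# Live check on the box (root is needed for netstat -p and for iptables).
triage_live() {
    triage "$1" "$(netstat -anp 2>/dev/null)" "$(iptables -L INPUT -n 2>/dev/null)"
}

# Walk through the poster's situation with the constructed samples
# (exit status 1 means a cause was found; do not abort the demo on it).
triage 2222 "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES" || :
```

The error text is the first clue: a DROP policy gives "Connection timed out" because nothing answers the SYN, while "Connection refused" means a RST came back, so the packet got through the firewall and either no process was bound to the port or a REJECT rule answered it. On a live host run `triage_live 2222` as root with the real port.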

Yes, I was editing the wrong file. :( Thanks so much for your help. It works now.

On CentOS, you can run service iptables status to view the current rules. The command service iptables save will save the current ruleset in /etc/sysconfig/iptables. You can edit this file, then use service iptables restart to load the rules from there. That ruleset will also be automatically loaded on boot (assuming you have the iptables service set to start in that runlevel).
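As an added example that is not part of the thread, here is the poster's policy written in the iptables-save format that /etc/sysconfig/iptables uses, so it can be loaded with "service iptables restart" (or iptables-restore) in one atomic commit instead of being appended rule by rule. The script also refuses to write a ruleset whose INPUT policy is DROP without an ACCEPT for the ssh port, which is the classic way to lock yourself out of a remote box. 2222, 3306 and 192.0.2.10 are placeholders for the poster's secret ssh port, the MySQL port and an assumed client host that is allowed to reach MySQL; the original rule accepted the MySQL port from anywhere, which is rarely what you want on a web host.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the poster's policy in the
# iptables-save format that /etc/sysconfig/iptables uses, with a lockout
# check before it is written. Port numbers and the MySQL client address
# are placeholders (the original rule accepted MySQL from anywhere).

SSH_PORT=${SSH_PORT:-2222}             # placeholder for [PortNumber]
MYSQL_PORT=${MYSQL_PORT:-3306}
MYSQL_CLIENT=${MYSQL_CLIENT:-192.0.2.10}   # assumed app server (RFC 5737 address)

# gen_ruleset SSH_PORT MYSQL_PORT MYSQL_CLIENT -> ruleset on stdout.
# Chain policies live in the ":CHAIN POLICY" headers and nothing takes
# effect until COMMIT, so there is never a moment with INPUT at DROP and
# no ssh rule in place.
gen_ruleset() {
    ssh=${1:-2222}; mysql=${2:-3306}; client=${3:-192.0.2.10}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $ssh -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -s $client -p tcp -m tcp --dport $mysql -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# check_ruleset RULESET SSH_PORT -> 0 if safe to load, 1 if it would lock
# you out: INPUT policy DROP with no ACCEPT line for the ssh port.
check_ruleset() {
    if printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$1" | grep -q -- "--dport $2 .*-j ACCEPT"; then
        echo "refusing: INPUT policy is DROP and there is no ACCEPT rule for tcp/$2" >&2
        return 1
    fi
    return 0
}

# "print" (default) shows the ruleset; "apply" writes it to the file the
# iptables init script loads on boot and restarts the service (root only).
case "${1:-print}" in
    apply)
        rules=$(gen_ruleset "$SSH_PORT" "$MYSQL_PORT" "$MYSQL_CLIENT")
        check_ruleset "$rules" "$SSH_PORT" || exit 1
        printf '%s\n' "$rules" > /etc/sysconfig/iptables
        service iptables restart
        ;;
    *)
        gen_ruleset "$SSH_PORT" "$MYSQL_PORT" "$MYSQL_CLIENT"
        ;;
esac
```

Run it without arguments to inspect the ruleset, then as root with "apply" once the ssh port matches the Port line in sshd_config. Loopback and ESTABLISHED rules come first so the bulk of traffic hits them before the per-port rules; the MySQL rule carries a source address so the database port is not exposed to the whole Internet.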
