Fresh install of Fedora 14, firewall blocking most services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # apache
But they don't seem to work.
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore: line 14 failed
[FAILED]
What gives? If I stop iptables, I can access all of my services. I literally just re-installed from an F14 instance that I set up and never had to deal with this!
Can anyone lend a hand?
7 Replies
@hoopycat:
What does "iptables -L -n -v" look like? How about the file that iptables-restore is reading from?
First:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5842 5881K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33  1932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
 1113 64847 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4897 packets, 450K bytes)
 pkts bytes target     prot opt in     out     source               destination
I do not know anything about the file iptables-restore is reading from. But I found this file, /etc/sysconfig/system-config-firewall, that may be relevant? Its contents are:
# system-config-firewall config written out by anaconda
--service=ssh
This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.
Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?
@hoopycat:
Yeah, there is no allow rule for port 80 in there.
This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.
Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?
I actually removed it after, as it was giving the error I posted in my first post. I'll re-add it and then re-print that command.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  409 32897 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    6   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   75  4228 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 404 packets, 40103 bytes)
 pkts bytes target     prot opt in     out     source               destination
Contents of /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-A INPUT -p tcp --dport 80 -j ACCEPT
Then restart iptables and see what happens.
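The /etc/sysconfig/iptables file posted above shows what iptables-restore is choking on: the port-80 rule was appended after COMMIT, so it belongs to no table and the restore aborts at that line (the exact line number reported depends on any header comments not shown in the post). The script below is an added example, not something from the thread or from Fedora's init scripts. It embeds the posted ruleset as constructed sample input, checks offline that every rule sits inside a `*table` ... `COMMIT` block, and rewrites the file so the rule lands inside the filter table before the INPUT chain's catch-all REJECT (placing it after the REJECT would parse fine but never be reached). The function names and the message format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check an /etc/sysconfig/iptables restore
# file offline and repair a rule that was appended after COMMIT.  Every -A line
# must sit between a "*table" line and that table's COMMIT; iptables-restore
# aborts on the first line that does not, which shows up as
# "iptables-restore: line N failed".

# The ruleset as posted in the thread (constructed sample input for this example),
# with the port-80 rule sitting after COMMIT.
broken_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-A INPUT -p tcp --dport 80 -j ACCEPT
EOF
}

# check_restore_file FILE: print "line N: ..." for every stray line, "ok" if none.
# Exit status 0 when the file is well formed, 1 otherwise.  Needs no root and no
# iptables binary, so it can run on any box before the file is copied into place.
check_restore_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        /^\*/ {                                       # "*filter" etc. opens a table
            if (table != "") { printf "line %d: %s opened while %s still open\n", NR, $0, table; bad = 1 }
            table = $0; next
        }
        /^COMMIT/ {                                   # COMMIT closes the open table
            if (table == "") { printf "line %d: COMMIT with no open table\n", NR; bad = 1 }
            table = ""; next
        }
        table == "" { printf "line %d: outside any table/COMMIT block: %s\n", NR, $0; bad = 1 }
        END { if (!bad) print "ok"; exit bad }
    ' "$1"
}

# fix_ruleset FILE RULE: drop RULE where it sits outside a table and re-insert it
# inside the filter table just before the INPUT chain's catch-all REJECT, so the
# rule is both parsed and actually reached.
fix_ruleset() {
    awk -v rule="$2" '
        /^\*/     { in_table = 1 }
        /^COMMIT/ { in_table = 0 }
        $0 == rule && !in_table { next }              # the misplaced copy after COMMIT
        in_table && /^-A INPUT -j REJECT/ && !placed { print rule; placed = 1 }
        { print }
    ' "$1"
}

# Demo: write the posted file, show the failure, then the repaired file.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp" "$tmp.fixed"' EXIT
    broken_ruleset > "$tmp"
    echo "== posted ruleset =="
    check_restore_file "$tmp" || true
    echo "== repaired ruleset =="
    fix_ruleset "$tmp" '-A INPUT -p tcp --dport 80 -j ACCEPT' > "$tmp.fixed"
    check_restore_file "$tmp.fixed"
    cat "$tmp.fixed"
    # On the host itself, as root, the real parser can dry-run the file before the
    # live rules are touched:  iptables-restore --test < /etc/sysconfig/iptables
}

main
```

After writing the repaired file to /etc/sysconfig/iptables, `service iptables restart` replays it, and the INPUT chain should then show a `tcp dpt:80` ACCEPT above the REJECT line in `iptables -L -n -v`.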