Linode Forum Index Linode Forum
Linode Community Forums
Fresh install of Fedora 14, firewall blocking most services


istv
Joined: 15 May 2011
Posts: 4

Posted: Sun May 15, 2011 7:38 am    Post subject: Fresh install of Fedora 14, firewall blocking most services  

I've tried adding exceptions found on Google such as:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    //apache
but they don't seem to work.
Code:
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 14 failed
                                                           [FAILED]


What gives? If I stop iptables, I can access all of my services. I literally just re-installed from a F14 instance that I set up and never had to deal with this!

Can anyone lend a hand?
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York

Posted: Sun May 15, 2011 9:18 am    Post subject:  

What does "iptables -L -n -v" look like? How about the file that iptables-restore is reading from?
derfy
Joined: 20 Oct 2010
Posts: 68

Posted: Sun May 15, 2011 10:39 am    Post subject:  

Stupid question incoming - can you use // style comments? I've only seen the hash mark and the inline --comment used...
istv
Joined: 15 May 2011
Posts: 4

Posted: Sun May 15, 2011 1:29 pm    Post subject:  

hoopycat wrote: What does "iptables -L -n -v" look like? How about the file that iptables-restore is reading from?

First:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5842 5881K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
   33  1932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1113 64847 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4897 packets, 450K bytes)
 pkts bytes target     prot opt in     out     source               destination

I do not know anything about the file iptables-restore is reading from. But, I found this file /etc/sysconfig/system-config-firewall that may be relevant? Its contents are:
Code:
# system-config-firewall config written out by anaconda

--service=ssh
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York

Posted: Sun May 15, 2011 2:22 pm    Post subject:  

Yeah, there is no allow rule for port 80 in there.

This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.

Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?
istv
Joined: 15 May 2011
Posts: 4

Posted: Sun May 15, 2011 2:34 pm    Post subject:  

hoopycat wrote: Yeah, there is no allow rule for port 80 in there.

This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.

Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?

I actually removed it after, as it was giving the error I posted in my first post. I'll re-add it and then re-print that command.
istv
Joined: 15 May 2011
Posts: 4

Posted: Sun May 15, 2011 2:51 pm    Post subject:  

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  409 32897 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    6   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   75  4228 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 404 packets, 40103 bytes)
 pkts bytes target     prot opt in     out     source               destination

Contents of /etc/sysconfig/iptables

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-A INPUT -p tcp --dport 80 -j ACCEPT
vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA

Posted: Sun May 15, 2011 5:06 pm    Post subject:  

Try moving the line dealing with TCP 80 UNDER the line about TCP 22 and OVER the REJECT line.

Then restart IPTABLES and see what happens.
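The two problems visible in istv's /etc/sysconfig/iptables are that the port-80 rule sits after COMMIT (so iptables-restore aborts with "line N failed" and the whole ruleset is left unloaded) and that, even placed inside the table, a rule appended below the unconditional REJECT is never reached. The following POSIX shell script is an added example, not code from anyone in this thread: it lints an iptables-save file for both mistakes before the file is handed to iptables-restore, and relocates stray INPUT rules to just above the catch-all, which is what vonskippy suggests doing by hand. The function names are this example's own, the sample file is istv's posted file reconstructed inline, and the script assumes a single *filter table like that file.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save file before restoring it.
# Flags: (1) any rule after COMMIT, which makes iptables-restore fail on that line;
#        (2) an INPUT rule after the chain's unconditional REJECT/DROP, which never matches.
# Assumes a single *filter table, like the file posted in the thread.
lint_iptables_save() {
    awk '
    /^\*/                 { after_commit = 0; next }          # start of a table
    /^COMMIT/             { after_commit = 1; next }
    /^#/ || /^:/ || /^$/  { next }                            # comments, chain policies, blanks
    after_commit && /^-A/ {
        printf "line %d: rule after COMMIT, iptables-restore will fail: %s\n", NR, $0
        bad = 1; next
    }
    /^-A INPUT / {
        if (input_closed) {
            printf "line %d: INPUT rule after catch-all %s, never matched: %s\n", NR, closer, $0
            bad = 1
        }
        # "-A INPUT -j REJECT ..." or "-A INPUT -j DROP": no match options, so it ends the chain
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { input_closed = 1; closer = $4 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Move INPUT rules found after COMMIT to just above the INPUT catch-all and print the
# corrected file to stdout (two passes over the same file: collect, then rewrite).
relocate_stray_input_rules() {
    awk '
    NR == FNR {                                   # pass 1: collect the strays
        if (after_commit && /^-A INPUT /) stray[++n] = $0
        if (/^COMMIT/) after_commit = 1
        next
    }
    FNR == 1 { after_commit = 0 }                 # pass 2 begins: reset state
    /^-A INPUT -j (REJECT|DROP)/ && !placed {     # insert strays above the catch-all
        for (i = 1; i <= n; i++) print stray[i]
        placed = 1
    }
    /^COMMIT/ {                                   # no catch-all seen: keep them inside the table
        if (!placed) { for (i = 1; i <= n; i++) print stray[i]; placed = 1 }
        print; after_commit = 1; next
    }
    after_commit && /^-A INPUT / { next }         # drop the misplaced originals
    { print }
    ' "$1" "$1"
}

# Constructed sample: the /etc/sysconfig/iptables istv posted, port-80 rule after COMMIT.
write_broken_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-A INPUT -p tcp --dport 80 -j ACCEPT
EOF
}

# Usage: ./lint.sh /etc/sysconfig/iptables
# Prints the findings; if the file is broken, also prints a corrected copy to review
# (it is not written back: compare it with the original before running iptables-restore).
if [ "${1:-}" ]; then
    lint_iptables_save "$1" || relocate_stray_input_rules "$1"
fi
```

Run the lint against the broken sample and it reports the port-80 rule as "rule after COMMIT"; the relocated copy passes the lint and places that rule directly above the icmp-host-prohibited REJECT, which is the order vonskippy describes. Service iptables restart then loads the whole file instead of failing partway and leaving the box with whatever rules survived the flush.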