Linode Forum
https://forum.linode.com/

Just another iptables question
https://forum.linode.com/viewtopic.php?f=19&t=4542
Page 1 of 1

Author:  lec [ Sun Aug 23, 2009 11:08 am ]
Post subject:  Just another iptables question

I'm trying to set up iptables on CentOS 5.2 but not having luck. This is what it does:
Code:
[root@webhost ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: raw nat mangle filter     [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
[root@webhost ~]# lsmod | grep ip_tables
[root@webhost ~]#

Based on some Googling I've created the following script to set up my rules (I've replaced some of my top secret port numbers with [PortNumber] :)):
Code:
#!/bin/bash
# iptables example configuration script

# Flush all current rules from iptables
iptables -F

# Basic rules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT

# HTTP/Apache
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Email
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT

# MySQL
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save settings and list rules
/sbin/service iptables save
iptables -L -v

Any help would be greatly appreciated.

LEC

Author:  sweh [ Sun Aug 23, 2009 2:04 pm ]
Post subject: 

Why do you think it's not working? "lsmod" shows what modules are loaded. If iptables is hard-coded into the kernel then it won't load as a module.
Code:
% zgrep -i iptables /proc/config.gz
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y


What you need to do is run "iptables -L -n" to check that the rules are loaded.

Author:  lec [ Sun Aug 23, 2009 3:52 pm ]
Post subject: 

Oh, cool. Thank you. I read somewhere that that's the way to check it but I guess it's not. :)

The only reason I thought it wasn't running is because I can't get in through SSH. I changed the default port to my secret [PortNumber] and for some reason it doesn't work. My ssh_config file looks like this:
Code:
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

# Protocol 2,1
Protocol 2

# Run ssh on a non-standard port:
Port [PortNumber]

And my iptables entry as you saw above is:
Code:
# SSH
iptables -A INPUT -p tcp --dport [PortNumber] -j ACCEPT

When I try to connect I get:
Code:
[root@webhost ~]# ssh root@myserver -p [PortNumber]
ssh: connect to host myserver port [PortNumber]: Connection refused

Author:  sweh [ Sun Aug 23, 2009 3:58 pm ]
Post subject: 

Since your policy is "drop" but you're seeing "connection refused", I'm guessing that either you have other firewall rules in place ('reject') or else your ssh daemon isn't listening on the port you specified.

Did you mean sshd_config? "ssh_config" is for the client; sshd_config is for the server. Given that you have "SendEnv" lines in there, I'm guessing you modified the wrong ssh configuration file.

You can check with "iptables -L" for the firewall and "netstat -anp" to see if sshd is listening properly.

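To make sweh's two checks concrete, here is an added example script (not from the thread or from any of its posters). It cross-checks the port(s) sshd is configured to listen on in the server-side file, sshd_config, against the INPUT ACCEPT rules in an `iptables-save`-style dump, and maps the ssh client's error text to the layer that most likely produced it: "Connection refused" means a TCP RST came back, so the packet reached the host and either nothing is listening or a REJECT rule answered; a timeout means the packet was silently dropped, which is what a DROP policy produces. The sample sshd_config and ruleset files are constructed inline, and port 2222 is a made-up stand-in for the poster's [PortNumber].

```shell
#!/bin/sh
# Added example, not part of the thread: compare the sshd listen port(s)
# with the INPUT ACCEPT rules in an iptables-save dump, and classify the
# ssh client's error text. Sample files are constructed below; 2222 is a
# stand-in for [PortNumber].

# Print each port sshd will listen on per FILE (sshd's default is 22).
# Keywords are case-insensitive; lines starting with "#" are comments.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Print each TCP destination port with an INPUT ACCEPT rule in FILE
# (handles both "--dport N" and multiport "--dports A,B,C").
accepted_input_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "--dport") print $(i + 1)
                 else if ($i == "--dports") {
                     n = split($(i + 1), a, ",")
                     for (k = 1; k <= n; k++) print a[k]
                 }
             }
         }' "$1"
}

# check_ssh_reachable SSHD_CONF RULES: succeed only if every sshd port has
# a matching INPUT ACCEPT rule; report each port either way.
check_ssh_reachable() {
    ok=1
    for p in $(sshd_ports "$1"); do
        if accepted_input_tcp_ports "$2" | grep -qx "$p"; then
            echo "sshd port $p: INPUT ACCEPT rule present"
        else
            echo "sshd port $p: no INPUT ACCEPT rule (a DROP policy swallows it)"
            ok=0
        fi
    done
    [ "$ok" -eq 1 ]
}

# classify_symptom "ssh error text": refused = RST came back (nothing
# listening, or a REJECT rule); dropped = no answer at all (DROP policy).
classify_symptom() {
    case "$1" in
        *"Connection refused"*) echo refused ;;
        *"timed out"*)          echo dropped ;;
        *"No route to host"*)   echo unreachable ;;
        *)                      echo unknown ;;
    esac
}

# --- constructed sample input (not real files from the thread) ----------
SAMPLE_DIR=$(mktemp -d)

# sshd_config as in the thread's first attempt: the Port line was put in
# ssh_config (the client file), so sshd still listens on its default, 22.
SAMPLE_SSHD_WRONG="$SAMPLE_DIR/sshd_config.wrong"
cat > "$SAMPLE_SSHD_WRONG" <<'EOF'
# no Port directive: sshd listens on 22
#Port 22
PermitRootLogin no
EOF

# sshd_config after the fix: sshd listens on the non-standard port.
SAMPLE_SSHD_FIXED="$SAMPLE_DIR/sshd_config.fixed"
cat > "$SAMPLE_SSHD_FIXED" <<'EOF'
Port 2222
PermitRootLogin no
EOF

# iptables-save output in the shape the poster's script produces.
SAMPLE_RULES="$SAMPLE_DIR/iptables.rules"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF

echo "--- before the fix (wrong file edited) ---"
check_ssh_reachable "$SAMPLE_SSHD_WRONG" "$SAMPLE_RULES" || true
echo "--- after the fix ---"
check_ssh_reachable "$SAMPLE_SSHD_FIXED" "$SAMPLE_RULES"
echo "'Connection refused' classified as: $(classify_symptom 'ssh: connect to host myserver port 2222: Connection refused')"
```

On a live CentOS box the same functions can be pointed at /etc/ssh/sshd_config and the output of `iptables-save` (or the saved /etc/sysconfig/iptables); the script only reads text, so it changes nothing on the host.
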
Author:  lec [ Sun Aug 23, 2009 4:14 pm ]
Post subject: 

Yes, I was editing the wrong file. :( Thanks so much for your help. It works now.

Author:  Vance [ Sun Aug 23, 2009 7:57 pm ]
Post subject: 

On CentOS, you can run service iptables status to view the current rules. The command service iptables save will save the current ruleset in /etc/sysconfig/iptables. You can edit this file, then use service iptables restart to load the rules from there. That ruleset will also be automatically loaded on boot (assuming you have the iptables service set to start in that runlevel).

All times are UTC-04:00