Linode Forum
https://forum.linode.com/

Fresh install of Fedora 14, firewall blocking most services
https://forum.linode.com/viewtopic.php?f=19&t=7115

Author:  istv [ Sun May 15, 2011 8:38 am ]
Post subject:  Fresh install of Fedora 14, firewall blocking most services

I've tried adding exceptions found on Google such as:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    //apache
but they don't seem to work.
Code:
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 14 failed
                                                           [FAILED]

What gives? If I stop iptables, I can access all of my services. I literally just re-installed from a F14 instance that I set up and never had to deal with this!

Can anyone lend a hand?

Author:  hoopycat [ Sun May 15, 2011 10:18 am ]
Post subject: 

What does "iptables -L -n -v" look like? How about the file that iptables-restore is reading from?

Author:  derfy [ Sun May 15, 2011 11:39 am ]
Post subject: 

Stupid question incoming - can you use // style comments? I've only seen the hash mark and the inline --comment used...

Author:  istv [ Sun May 15, 2011 2:29 pm ]
Post subject: 

hoopycat wrote:
What does "iptables -L -n -v" look like? How about the file that iptables-restore is reading from?

First:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5842 5881K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
   33  1932 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1113 64847 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4897 packets, 450K bytes)
 pkts bytes target     prot opt in     out     source               destination

I do not know anything about the file iptables-restore is reading from. But, I found this file /etc/sysconfig/system-config-firewall that may be relevant? Its contents are:
Code:
# system-config-firewall config written out by anaconda

--service=ssh

Author:  hoopycat [ Sun May 15, 2011 3:22 pm ]
Post subject: 

Yeah, there is no allow rule for port 80 in there.

This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.

Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?

Author:  istv [ Sun May 15, 2011 3:34 pm ]
Post subject: 

hoopycat wrote:
Yeah, there is no allow rule for port 80 in there.

This sounds like some sort of wacky Red Hat-specific problem, but system-config-firewall might yield results too.

Where did you put the "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" line?

I actually removed it after, as it was giving the error I posted in my first post. I'll re-add it and then re-print that command.

Author:  istv [ Sun May 15, 2011 3:51 pm ]
Post subject: 

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  409 32897 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    6   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   75  4228 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 404 packets, 40103 bytes)
 pkts bytes target     prot opt in     out     source               destination

Contents of /etc/sysconfig/iptables

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-A INPUT -p tcp --dport 80 -j ACCEPT

Author:  vonskippy [ Sun May 15, 2011 6:06 pm ]
Post subject: 

Try moving the line dealing with TCP 80 UNDER the line about TCP 22 and OVER the REJECT line.

Then restart IPTABLES and see what happens.
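Added example, not from this thread and not part of Fedora's own tooling: a POSIX shell linter that reads an /etc/sysconfig/iptables-style file and flags the two placement mistakes discussed above, a rule placed after COMMIT (which is why iptables-restore reported a failed line) and a rule appended below the chain's catch-all REJECT (which loads, but is never reached). The function names and the three constructed file variants are this example's own; the rules mirror what istv posted, with the port-80 line moved to where vonskippy suggests for the "fixed" variant.

```shell
#!/bin/sh
# Added example (not from the thread). Lints an iptables-save style file such
# as /etc/sysconfig/iptables for ordering mistakes:
#   1. a rule after COMMIT            -> iptables-restore fails on that line
#   2. an -A rule appended below an unconditional REJECT/DROP in the same
#      chain                          -> loads fine, never matches a packet
# Prints one diagnostic per problem and returns 1 if any were found.
lint_iptables_rules() {
    awk '
        /^\*/      { table = $1; committed = 0; split("", blocked); next }
        /^:/       { next }                      # chain policy lines
        /^COMMIT$/ { committed = 1; next }
        /^#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            if (committed) {
                printf "line %d: rule after COMMIT, iptables-restore will fail here: %s\n", NR, $0
                bad = 1; next
            }
            chain = ""; target = ""; cond = 0; append = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-A")      { chain = $(i + 1); append = 1 }
                else if ($i == "-I") { chain = $(i + 1) }   # inserts at the top, never shadowed
                else if ($i == "-j") { target = $(i + 1) }
                else if ($i ~ /^(-p|-s|-d|-i|-o|-m|--dport|--sport)$/) { cond = 1 }
            }
            if (append && (chain in blocked)) {
                printf "line %d: %s rule is shadowed by the catch-all on line %d\n", NR, chain, blocked[chain]
                bad = 1
            } else if (append && !cond && (target == "REJECT" || target == "DROP")) {
                blocked[chain] = NR              # everything appended later is dead
            }
        }
        END { exit bad }
    ' "$1"
}

# Print $1 followed by a newline only if it is non-empty (helper for write_rules).
emit() { [ -n "$1" ] && printf '%s\n' "$1"; return 0; }

# Constructed sample: write a rules file to $2 with the port-80 rule placed
# according to $1: "after_commit" (the file from the thread), "shadowed"
# (before COMMIT but below the INPUT catch-all), or "fixed" (under the
# port-22 rule and above the REJECT).
write_rules() {
    mode=$1; out=$2
    http='-A INPUT -p tcp --dport 80 -j ACCEPT'
    fixed=''; shadowed=''; late=''
    case $mode in
        fixed)        fixed=$http ;;
        shadowed)     shadowed=$http ;;
        after_commit) late=$http ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A INPUT -p icmp -j ACCEPT' '-A INPUT -i lo -j ACCEPT'
        printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
        emit "$fixed"
        printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        emit "$shadowed"
        printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
        emit "$late"
    } > "$out"
}

# Demo: lint each constructed variant.
tmp=${TMPDIR:-/tmp}/iptables-lint.$$
for mode in after_commit shadowed fixed; do
    write_rules "$mode" "$tmp"
    printf '== %s ==\n' "$mode"
    if lint_iptables_rules "$tmp"; then echo "no ordering problems found"; fi
done
rm -f "$tmp"
```

The "shadowed" case is the one to watch for after the COMMIT error is fixed: the file loads without complaint, but `iptables -L -n -v` shows the port-80 rule with 0 packets while the REJECT counter keeps climbing, exactly the pattern in the listings above for any port other than 22. The linter only tracks `-A` rules; `-I` inserts at the head of the chain, so it is never shadowed by an earlier catch-all.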
