Ed Ackerman on 28 Nov 2016 20:01:12 -0800
Re: [PLUG] IPTABLES CentOS 6.8
Let's try this again... As requested, here is the information.

On Mon, 28 Nov 2016, bergman@merctech.com wrote:

> In the message dated: Sun, 27 Nov 2016 21:01:30 -0500,
> The pithy ruminations from Ed Ackerman on
> <[PLUG] IPTABLES CentOS 6.8> were:
> => [SNIP!]
>
> Really, the error message lacks the trailing "e" in the word "name"? Very odd.
>
> That seems as if you have no "INPUT" target. That's unusual. What do the following commands show:
>
>     systemctl status iptables.service
>
>     iptables -L -n --line-numbers | sed -e "s/\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/444.333.222.111/g"
>
> (note that the obfuscation of all IP addresses is great at preserving privacy but makes more specific troubleshooting, um, difficult).
>
> Similarly, the INPUT chain defaults to "ACCEPT". Since that's a built-in chain, it should always exist.
>
> Ideas?
>
> Well, my first idea is that it's extremely difficult to provide meaningful troubleshooting with so little information. It would be helpful if you attached the complete /etc/sysconfig/iptables file. Note "attached", rather than "cut & pasted". I've seen too many instances where incorrect End of Line characters (think Windows text editor) cause *nix scripts (or text-based input files) to fail in strange ways.
--- 
#include <std.disclaimer>;     | select * from users
Ed Ackerman                    | where users.clue = 1;
edack@kengel.com               | 0 rows returned
#
# systemctl errors assuming "service iptables status" is equivalent
#
[root@dhcp1 sysconfig]# systemctl status iptables.service
-bash: systemctl: command not found
[root@dhcp1 sysconfig]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

#
# copy of /etc/sysconfig/iptables
#
# Generated by iptables-save v1.4.7 on Sun Nov 27 16:13:04 2016
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT    <-- This one errors I think
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Sun Nov 27 16:13:04 2016
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed

[root@dhcp1 sysconfig]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 31 failed
                                                           [FAILED]
[root@dhcp1 sysconfig]#

[edack@dhcp1 ~]$ sudo iptables -L -n --line-numbers | sed -e "s/\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/444.333.222.111/g"
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  444.333.222.111      444.333.222.111/0
2    ACCEPT     all  --  444.333.222.111/24   444.333.222.111/0
3    ACCEPT     all  --  444.333.222.111      444.333.222.111/0
4    ACCEPT     41   --  444.333.222.111/0    444.333.222.111/0
5    ACCEPT     47   --  444.333.222.111/0    444.333.222.111/0
6    ACCEPT     esp  --  444.333.222.111/0    444.333.222.111/0
7    ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:20
8    ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:21
9    ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:22
10   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:25
11   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:43
12   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:53
13   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:53
14   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:67
15   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:68
16   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:80
17   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:110
18   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:110
19   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:113
20   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:123
21   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:123
22   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:177
23   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:143
24   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:143
25   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:443
26   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:500
27   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:1723
28   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:3143
29   ACCEPT     udp  --  444.333.222.111/0    444.333.222.111/0    udp dpt:3270
30   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:3270
31   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:3306
32   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:5900
33   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:8081
34   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:10000
35   ACCEPT     tcp  --  444.333.222.111/0    444.333.222.111/0    tcp dpt:20000

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[edack@dhcp1 ~]$
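A pre-flight check for a rules file like the one above, added here as an example and not code from the thread or from CentOS: it maps an iptables-restore "line N failed" message to the physical line it refers to, and flags the CRLF line endings bergman suspects, annotation text pasted after a rule, rules naming a chain the table never declares, and IPv4 octets over 255 (the obfuscated 11.222.333.444 cannot be restored literally). The sample file is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight an iptables-save file
# before iptables-restore and map a "line N failed" message to the physical
# line it names (iptables-restore counts every line, comments included).

# Print line N of FILE the way iptables-restore numbers it.
show_line() { sed -n "${2}p" "$1"; }

# Flag the defects suspected in the thread: CR line endings from a Windows
# editor, text pasted after a rule (e.g. "<-- This one errors"), rules naming
# a chain not declared with ':' in the current table, and IPv4 octets above
# 255 (the obfuscated 11.222.333.444 would fail if restored literally).
# Prints one line per finding; returns 1 if anything was found, else 0.
check_iptables_file() {
    awk '
        /\r$/ { printf "line %d: CRLF line ending\n", NR; bad = 1 }
        /^\*/ { split("", chains); next }
        /^:/  { sub(/^:/, ""); chains[$1] = 1; next }
        /^-[AI] / {
            if (!($2 in chains)) {
                printf "line %d: chain %s not declared in this table\n", NR, $2; bad = 1
            }
            for (i = 1; i <= NF; i++) {
                if ($i == "-j" && i + 2 <= NF && $(i + 2) !~ /^-/) {
                    printf "line %d: stray text after target %s\n", NR, $(i + 1); bad = 1
                }
                if (($i == "-s" || $i == "-d") && i < NF) {
                    n = split($(i + 1), o, /[.\/]/)
                    for (k = 1; k <= 4 && k <= n; k++)
                        if (o[k] + 0 > 255) {
                            printf "line %d: bad IPv4 octet in %s\n", NR, $(i + 1); bad = 1; break
                        }
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample modelled on the thread's file: a pasted annotation, an
# obfuscated address, and a second table saved with CRLF line endings.
SAMPLE=$(mktemp)
printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT' \
    '-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT <-- This one errors I think' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT' > "$SAMPLE"
printf '*mangle\r\n:PREROUTING ACCEPT [0:0]\r\nCOMMIT\r\n' >> "$SAMPLE"
check_iptables_file "$SAMPLE" || echo "fix the lines above, then retry iptables-restore"
rm -f "$SAMPLE"
```

Run it against /etc/sysconfig/iptables before `service iptables restart`; a clean file prints nothing and returns 0.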
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug