| Ed Ackerman on 28 Nov 2016 20:01:12 -0800 |
| Re: [PLUG] IPTABLES CentOS 6.8 |
Let's try this again... As requested, here is the information.
On Mon, 28 Nov 2016, bergman@merctech.com wrote:
In the message dated: Sun, 27 Nov 2016 21:01:30 -0500,
The pithy ruminations from Ed Ackerman on
<[PLUG] IPTABLES CentOS 6.8> were:
=>
[SNIP!]
Really, the error message lacks the trailing "e" in the word "name"? Very odd.
That seems as if you have no "INPUT" target. That's unusual. What do the following commands show:
systemctl status iptables.service
iptables -L -n --line-numbers | sed -e "s/\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/444.333.222.111/g"
(note that the obfuscation of all IP addresses is great at preserving
privacy but makes more specific troubleshooting, um, difficult).
Similarly, the INPUT chain defaults to "ACCEPT". Since that's a built-in
chain, it should always exist.
Ideas? Well, my first idea is that it's extremely difficult to provide
meaningful troubleshooting with so little information.
It would be helpful if you attached the complete /etc/sysconfig/iptables file.
Note "attached", rather than "cut & pasted". I've seen too many instances
where incorrect End of Line characters (think Windows text editor)
cause *nix scripts (or text-based input files) to fail in strange ways.
---
#include <std.disclaimer>;  | select * from users
Ed Ackerman                 | where users.clue = 1;
edack@kengel.com            | 0 rows returned
#
# systemctl errors assuming "service iptables status" is equivalent
#
[root@dhcp1 sysconfig]# systemctl status iptables.service
-bash: systemctl: command not found
[root@dhcp1 sysconfig]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
#
# copy of /etc/sysconfig/iptables
#
# Generated by iptables-save v1.4.7 on Sun Nov 27 16:13:04 2016
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 11.222.333.444/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT <-- This one errors I think
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Sun Nov 27 16:13:04 2016
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
[root@dhcp1 sysconfig]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore: line 31 failed
[FAILED]
[root@dhcp1 sysconfig]#
[edack@dhcp1 ~]$ sudo iptables -L -n --line-numbers | sed -e "s/\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/444.333.222.111/g"
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 444.333.222.111 444.333.222.111/0
2 ACCEPT all -- 444.333.222.111/24 444.333.222.111/0
3 ACCEPT all -- 444.333.222.111 444.333.222.111/0
4 ACCEPT 41 -- 444.333.222.111/0 444.333.222.111/0
5 ACCEPT 47 -- 444.333.222.111/0 444.333.222.111/0
6 ACCEPT esp -- 444.333.222.111/0 444.333.222.111/0
7 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:20
8 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:21
9 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:22
10 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:25
11 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:43
12 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:53
13 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:53
14 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:67
15 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:68
16 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:80
17 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:110
18 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:110
19 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:113
20 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:123
21 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:123
22 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:177
23 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:143
24 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:143
25 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:443
26 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:500
27 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:1723
28 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:3143
29 ACCEPT udp -- 444.333.222.111/0 444.333.222.111/0 udp dpt:3270
30 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:3270
31 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:3306
32 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:5900
33 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:8081
34 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:10000
35 ACCEPT tcp -- 444.333.222.111/0 444.333.222.111/0 tcp dpt:20000
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[edack@dhcp1 ~]$
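A small shell triage for the "iptables-restore: line N failed" situation in the output above, written here as an added example (not code from the thread or from the iptables project): it prints the line that iptables-restore's count points at, checks for the Windows CR+LF line endings bergman warns about, and confirms each *table block has its COMMIT. The sample file is constructed inline; the line number 5 is chosen to match it, not the real "line 31".

```sh
#!/bin/sh
# Added example, not code from the thread: triage an iptables-save file that
# "service iptables restart" rejected with "iptables-restore: line N failed".

# Line N as iptables-restore counts it: every line of the file, including the
# "# Generated by" comment, "*table", ":CHAIN" and COMMIT lines.
failed_rule() {
    sed -n "${2}p" "$1" | tr -d '\r'
}

# Number of lines carrying a carriage return, i.e. Windows CR+LF endings that
# leave "ACCEPT<CR>" instead of "ACCEPT" at the end of a rule.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Every "*table" block must be closed by its own COMMIT line.
tables_committed() {
    [ "$(grep -c '^\*' "$1")" -eq "$(grep -c '^COMMIT' "$1")" ]
}

# Print findings for FILE given the failing line number; returns 0 if clean.
triage() {
    file=$1 lineno=$2 status=0
    echo "line $lineno: $(failed_rule "$file" "$lineno")"
    crs=$(crlf_count "$file")
    if [ "$crs" -gt 0 ]; then
        echo "$crs line(s) have CR+LF endings; strip them with: sed -i 's/\r\$//' $file"
        status=1
    fi
    tables_committed "$file" || { echo "a *table block is missing its COMMIT"; status=1; }
    return $status
}

# Constructed sample: a shortened copy of the thread's filter table in which the
# state rule was saved by a Windows editor (CR+LF); COMMIT is present.
SAMPLE=$(mktemp)
printf '%s\n' '# Generated by iptables-save v1.4.7' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT' > "$SAMPLE"
printf '%s\r\n' '-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT' >> "$SAMPLE"
printf '%s\n' 'COMMIT' >> "$SAMPLE"

triage "$SAMPLE" 5 || echo "fix the file before iptables-restore will load it"
```

Run it against the real file as `triage /etc/sysconfig/iptables 31`; a CR count of zero and a clean COMMIT check leave the printed rule itself as the thing to inspect.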
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug