More fun with iptables

UNIX/Linux Network Administration - Rich Simms
shahram farahbakhsh
Posts: 118
Joined: Wed Sep 05, 2012 5:07 pm

More fun with iptables

Post by shahram farahbakhsh » Mon May 13, 2013 6:48 pm

Maybe I'm the patron saint of iptables martyrdom. Not sure. Anyway, here's what my iptables file on Elrond looks like:

# Generated by iptables-save v1.4.7 on Tue May 7 22:14:11 2013
# Completed on Tue May 7 22:14:11 2013
# Generated by iptables-save v1.4.7 on Tue May 7 22:14:11 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [6:360]
:OUTPUT ACCEPT [266:348887]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 901 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Completed on Tue May 7 22:14:11 2013
COMMIT
*nat
:PREROUTING ACCEPT [3097:512470]
:POSTROUTING ACCEPT [451:42204]
:OUTPUT ACCEPT [1703:143408]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

When I try service iptables restart, I get this error:

iptables: Applying firewall rules: iptables-restore: line 20 failed
[FAILED]

Line 20 is 'COMMIT' just before *nat. I modified this file using vi. I had to make more changes than opening port 25. Very likely, my iptables were flawed from the last lab. In addition to pointing out the source of this problem, does anyone know if there are cases when the iptables file cannot simply be edited... when you actually have to enter iptables commands?

shahram farahbakhsh
Posts: 118
Joined: Wed Sep 05, 2012 5:07 pm

Re: More fun with iptables

Post by shahram farahbakhsh » Mon May 13, 2013 7:01 pm

Solved it.

The problem was with this line: -A INPUT -p udp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Port 22 is to be open for tcp, not udp.

service iptables restart worked with: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
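The failure was reported at the COMMIT line rather than at the bad rule because iptables-restore hands the whole table to the kernel at COMMIT, and the kernel rejects a tcp match attached to a udp rule. The lint below is an added example, not code from the post or from the course: it scans an iptables-save file for exactly this kind of '-p'/'-m' protocol mismatch before the file is loaded. The SAMPLE_RULES excerpt is constructed from the rules in the post, and the function name lint_iptables_save is my own.

```python
import shlex

# Constructed excerpt modelled on the ruleset in the post (not the full file).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Match extensions that are only valid with one layer-4 protocol.
PROTO_SPECIFIC_MATCHES = {"tcp": "tcp", "udp": "udp", "icmp": "icmp"}


def lint_iptables_save(text):
    """Return a list of (line_no, problem) for rules whose '-m' match
    extension conflicts with the rule's '-p' protocol, and for rules or
    COMMIT lines that appear outside a *table block."""
    problems = []
    table = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments and chain policy lines (":INPUT ACCEPT [0:0]") are fine anywhere.
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if line == "COMMIT":
            if table is None:
                problems.append((line_no, "COMMIT outside a table block"))
            table = None
            continue
        if table is None:
            problems.append((line_no, "rule outside a *table block"))
            continue
        argv = shlex.split(line)
        proto, matches = None, []
        for i, tok in enumerate(argv[:-1]):
            if tok in ("-p", "--protocol"):
                proto = argv[i + 1].lower()
            elif tok in ("-m", "--match"):
                matches.append(argv[i + 1].lower())
        for m in matches:
            need = PROTO_SPECIFIC_MATCHES.get(m)
            if need and proto != need:
                problems.append((line_no, f"-m {m} requires -p {need}, rule has -p {proto or '(none)'}"))
    return problems
```

Running it on the excerpt flags only the port 22 rule; after changing that rule to '-p tcp' the list is empty, which is the same check the kernel performs at COMMIT.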
