iptables causing failed connections to server

athemiya
Posts: 3
Joined: 2013/08/09 15:23:14

iptables causing failed connections to server

Post by athemiya » 2013/08/09 15:30:41

Hi guys,

So, CentOS version is 5.6 and I was playing around with iptables-config at the time. I took out the original netbios module, saved the iptables and restarted the service.

When I did this, you could no longer reach the server and httpd broke. I put the module back (thinking it may have been "ip_conntrack_netbios_ns") and restarted iptables.

Still, you couldn't reach the server. On stopping the iptables service, the site loads fine. Clearly iptables on load now for some reason breaks the httpd/connection to the server.

My question is this:

Is the module correct, "ip_conntrack_netbios_ns", for this version of CentOS and, if it is, what should I be thinking about if there is nothing I can see in /var/log/messages?

Thanks in advance :)

Athemiya :-D

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

iptables causing failed connections to server

Post by TrevorH » 2013/08/09 17:15:43

As you suspect, ip_conntrack_netbios_ns is nothing to do with httpd nor with ssh, it tracks netbios nameserver connections. If you aren't running samba then you don't need it.

As for what's actually wrong, you'll need to post the contents of /etc/sysconfig/iptables for anyone to help.

athemiya
Posts: 3
Joined: 2013/08/09 15:23:14

Re: iptables causing failed connections to server

Post by athemiya » 2013/08/12 08:53:31

Hi Trevor,

Sorry, please find below:

# Generated by iptables-save v1.3.5 on Fri Aug 9 15:47:10 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [661:190542]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Aug 9 15:47:10 2013
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed


Thoughts?

Thanks in advance.

Athemiya

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables causing failed connections to server

Post by TrevorH » 2013/08/12 09:51:13

You have no rule to allow http traffic on port 80 or https traffic on port 443. You'll need to use `iptables -I RH-Firewall-1-INPUT ....` to add a rule that looks similar to "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT" but for port 80. If you use https then repeat that for port 443. Once it's working, don't forget to run `service iptables save` to save the new, running, rules to /etc/sysconfig/iptables so that they are restored correctly next time you restart.
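A way to check a saved rule set for exactly this kind of gap before restarting iptables, as an added example that is not from the thread or from CentOS: the POSIX shell script below holds a constructed copy of the filter table posted above (the mangle and nat tables are omitted as irrelevant), reports whether the RH-Firewall-1-INPUT chain accepts new TCP connections to a given port ahead of its terminal REJECT rule, and emits the corrected dump with the port 80 rule inserted in the same form as the existing port 22 rule. The function names (port_allowed, add_port_rule) and the choice of chain and ports are the example's own; it needs only sh, grep and awk.

```shell
#!/bin/sh
# Added example, not from the thread: check an iptables-save dump for an
# ACCEPT rule on a TCP port ahead of the chain's terminal REJECT, and emit the
# corrected dump. POSTED_RULES is a constructed copy of the filter table the
# original poster pasted (mangle/nat tables left out; they do not matter here).

POSTED_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [661:190542]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# port_allowed CHAIN PORT RULES -> prints "yes" or "no".
# Walks CHAIN's rules in order and stops at the first REJECT/DROP, because a
# rule that sits after the terminal REJECT is never reached by a packet.
port_allowed() {
    printf '%s\n' "$3" | grep -- "^-A $1 " | awk -v port="$2" '
        /-j (REJECT|DROP)/ { exit }
        /-p tcp/ && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { found = 1; exit }
        END { print (found ? "yes" : "no") }'
}

# add_port_rule CHAIN PORT RULES -> prints RULES with a NEW-state ACCEPT rule
# for PORT inserted directly before CHAIN's terminal REJECT/DROP, in the same
# form as the existing port 22 rule. Does nothing if the port is already open.
add_port_rule() {
    if [ "$(port_allowed "$1" "$2" "$3")" = yes ]; then
        printf '%s\n' "$3"
        return 0
    fi
    printf '%s\n' "$3" | awk -v chain="$1" -v port="$2" '
        !done && index($0, "-A " chain " ") == 1 && /-j (REJECT|DROP)/ {
            printf "-A %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n", chain, port
            done = 1
        }
        { print }'
}

# Stand-alone run: report a few ports, then show where the port 80 rule lands.
for p in 22 80 443 631; do
    printf 'port %s allowed: %s\n' "$p" "$(port_allowed RH-Firewall-1-INPUT "$p" "$POSTED_RULES")"
done
add_port_rule RH-Firewall-1-INPUT 80 "$POSTED_RULES" | grep -n -e '--dport' -e '-j REJECT'
```

The check walks the chain in order and stops at the first REJECT or DROP, so an ACCEPT rule that was appended after the REJECT (with `iptables -A` instead of `-I`) is reported as not effective, which is the rule-ordering mistake that looks identical to a missing rule from the outside. On the server itself, feed it the live rules from `iptables-save` (as root) instead of the constructed variable; `iptables -I RH-Firewall-1-INPUT ...` without an index inserts at position 1, which is ahead of the REJECT either way, and `service iptables save` is still needed afterwards for the rule to survive a restart.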

athemiya
Posts: 3
Joined: 2013/08/09 15:23:14

Re: iptables causing failed connections to server

Post by athemiya » 2013/08/12 13:52:50

Ridiculous. I never deleted that, so goodness knows why it decided to gut out port 80!

Thanks Trevor.

Athemiya.
