CentOs 4 Hang up with iptables

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 16:23:43

If I boot with the CentOS DVD in rescue mode and delete the /etc/sysconfig/iptables file,
everything works great.
Then I execute my iptables script and it still works fine.
When I do iptables-save > /etc/sysconfig/iptables and reboot, the system hangs up loading
the firewall rules.
I disabled SELinux and arptables_jf and the system continues to hang up on the firewall rules.

Any ideas? Help please.
Emiliano

cormander
Posts: 100
Joined: 2005/05/16 21:27:57
Location: Utah

Re: CentOs 4 Hang up with iptables

Post by cormander » 2005/05/20 16:30:26

When I first read your post I thought you were saying your system hangs when iptables tries to restore its rules; now that I've read it again I'm not sure.

Does your whole system hang? Or do your iptables rules simply not get implemented?

You might want to check to see if iptables is set to start on boot,

[code]
chkconfig --list iptables
[/code]

Let us know the output.

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

Re: CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 16:33:38

The complete system hangs up!
And yes, iptables is on:

[root@vader emiliano]# chkconfig --list iptables
iptables 0:desactivado 1:desactivado 2:activo 3:activo 4:activo 5:activo 6:desactivado

cormander
Posts: 100
Joined: 2005/05/16 21:27:57
Location: Utah

Re: CentOs 4 Hang up with iptables

Post by cormander » 2005/05/20 16:48:24

Quite the pickle you've got there.

Please post the iptables-save /etc/sysconfig/iptables file here so I can test your firewall rules on my CentOS machine to see if that is the problem.

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

Re: CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 16:54:46

Thanks Cormander.
The PC has 2 network cards, just for the record.

iptables-save

[code]
# Generated by iptables-save v1.2.11 on Fri May 20 13:48:54 2005
*mangle
:PREROUTING ACCEPT [52:4690]
:INPUT ACCEPT [52:4690]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [73:4336]
:POSTROUTING ACCEPT [73:4336]
COMMIT
# Completed on Fri May 20 13:48:54 2005
# Generated by iptables-save v1.2.11 on Fri May 20 13:48:54 2005
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 999
-A PREROUTING -s 13.0.0.0/255.0.0.0 -d 13.30.0.1 -j ACCEPT
-A PREROUTING -s 13.0.0.0/255.0.0.0 -j ACCEPT
-A PREROUTING -d 13.30.0.2 -p tcp -m tcp --dport 25 -j LOG
-A PREROUTING -d 13.30.0.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A PREROUTING -p icmp -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 13.0.0.0/255.0.0.0 -d 13.0.0.0/255.0.0.0 -j ACCEPT
-A POSTROUTING -s 13.30.0.2 -p tcp -m tcp --dport 25 -j LOG
-A POSTROUTING -s 13.30.0.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 13.30.0.2 -j ACCEPT
-A OUTPUT -s 13.0.0.0/255.0.0.0 -d 13.0.0.0/255.0.0.0 -j ACCEPT
COMMIT
# Completed on Fri May 20 13:48:54 2005
# Generated by iptables-save v1.2.11 on Fri May 20 13:48:54 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 13.0.0.0/255.0.0.0 -d 13.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A INPUT -s 13.30.0.1 -i eth1 -j ACCEPT
-A INPUT -s 13.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j LOG
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 13.0.0.0/255.0.0.0 -i eth1 -o eth0 -j ACCEPT
-A OUTPUT -s 13.0.0.0/255.0.0.0 -d 13.0.0.0/255.0.0.0 -j ACCEPT
-A OUTPUT -s 13.30.0.2 -j ACCEPT
-A OUTPUT -s 13.30.0.2 -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
# Completed on Fri May 20 13:48:54 2005
[/code]

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

Re: CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 17:06:12

Wow, there is something wrong with this script.
It shouldn't be, because I copied this script from another box (with RH 9).
Now I flushed all the rules and set the policy to ACCEPT for all.
Did an iptables-save > /etc/sysconfig/iptables.
Restarted, and it works (of course without rules).
It's strange, because a bad iptables script never hung up a PC on me before.
Well, I'll try to find the error....
Emiliano.

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

Re: CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 17:56:10

If you want, I can attach the iptables script; it's easier to read than the iptables-save format.
Regards, Emiliano.

Emito
Posts: 14
Joined: 2005/01/21 19:41:32

Re: CentOs 4 Hang up with iptables

Post by Emito » 2005/05/20 20:34:52

Now I put my iptables script to load from rc.local.

And it still hangs up (X doesn't start, but I have network).
Any ideas???

It's only this. VERY, VERY SIMPLE. Only 5 rules (without the flush and drop).
[code]
#!/bin/sh
IPTABLES=/sbin/iptables

# Internet-facing card
ETH_INET=eth1
ETH_INET_IP=13.30.0.2

# LAN card
ETH_LAN=eth0
ETH_LAN_IP=13.30.0.1

# My network
MIRED=13.0.0.0/8

# everything
any=0.0.0.0/0

# -------------------------
# RESET THE RULES
$IPTABLES -F
$IPTABLES -F -t nat
#$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
#$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# NAT
$IPTABLES -t nat -P OUTPUT DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -t nat -P PREROUTING DROP

# Accept rules...

# Allow access from my network
$IPTABLES -A INPUT -s $MIRED -d $MIRED -j ACCEPT
$IPTABLES -A OUTPUT -s $MIRED -d $MIRED -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 22 -j ACCEPT
[/code]

cormander
Posts: 100
Joined: 2005/05/16 21:27:57
Location: Utah

Re: CentOs 4 Hang up with iptables

Post by cormander » 2005/05/20 21:13:06

It doesn't look like you're telling the firewall to accept all traffic on the local interface anywhere.

Try adding the following after you tell IPTABLES to drop everything:

[code]
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
[/code]

hughesjr
Site Admin
Posts: 251
Joined: 2004/12/05 01:51:26
Location: Corpus Christi, Texas, USA

CentOs 4 Hang up with iptables

Post by hughesjr » 2005/05/22 03:26:41

You may also need to add this to your input chain for centos-4 (as the new 2.6 kernel uses an iptables that uses STATES):

[code]
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[/code]
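The two replies above, turned into a check to run on a dump before it goes into /etc/sysconfig/iptables (an added example, not code from anyone in this thread): it reports a DROP policy on INPUT or OUTPUT that lacks the loopback and ESTABLISHED,RELATED rules, and additionally flags DROP policies on the nat table, which the posted script sets and the replies do not mention; nat is consulted only for the first packet of a connection, so a DROP policy there drops every new connection no nat rule accepts. The sample dumps are constructed from the 5-rule script posted above.

```shell
#!/bin/sh
# Lint an iptables-save dump for the boot-time problems raised in this thread,
# before it is written to /etc/sysconfig/iptables. Constructed example, not the
# thread's own script. Usage: check_rules FILE   or   iptables-save | check_rules
# Exit 0 when nothing is found, 1 otherwise; one line per finding.
check_rules() {
    awk '
    /^\*/ { t = substr($0, 2); next }   # current table: filter, nat, mangle
    # nat sees only the first packet of each connection; a DROP policy there
    # kills every new connection that no nat rule explicitly ACCEPTs.
    t == "nat" && /^:[A-Z]+ DROP/ { print "nat " substr($1, 2) ": policy DROP, use ACCEPT"; bad = 1 }
    t == "filter" && /^:INPUT DROP/  { in_drop = 1 }
    t == "filter" && /^:OUTPUT DROP/ { out_drop = 1 }
    t == "filter" && /^-A INPUT .*-i lo .*-j ACCEPT/  { lo_in = 1 }
    t == "filter" && /^-A OUTPUT .*-o lo .*-j ACCEPT/ { lo_out = 1 }
    t == "filter" && /^-A INPUT .*--state [A-Z,]*ESTABLISHED.*-j ACCEPT/ { est = 1 }
    END {
        if (in_drop && !lo_in)   { print "filter INPUT: DROP policy but no -A INPUT -i lo -j ACCEPT"; bad = 1 }
        if (out_drop && !lo_out) { print "filter OUTPUT: DROP policy but no -A OUTPUT -o lo -j ACCEPT"; bad = 1 }
        if (in_drop && !est)     { print "filter INPUT: DROP policy but no ESTABLISHED,RELATED rule"; bad = 1 }
        exit bad
    }' "$@"
}

# Constructed dump matching the 5-rule script posted above: six findings.
broken_dump() { cat <<'EOF'
*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT DROP [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 13.0.0.0/255.0.0.0 -d 13.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Same ruleset with the replies applied (nat policies ACCEPT, loopback and
# established traffic accepted): no findings.
fixed_dump() { broken_dump | awk '
    /^\*/ { t = substr($0, 2) }
    t == "nat" { sub(/ DROP /, " ACCEPT ") }
    { print }
    t == "filter" && /^:OUTPUT/ { print "-A INPUT -i lo -j ACCEPT"; print "-A OUTPUT -o lo -j ACCEPT"
                                  print "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" }'; }
```

Run `broken_dump | check_rules` and `fixed_dump | check_rules` to see the two cases side by side.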
