iptables not changing ports

Support for security such as Firewalls and securing linux
LinuxLars
Posts: 6
Joined: 2006/03/15 20:47:07

iptables not changing ports

Post by LinuxLars » 2006/03/21 00:04:40

It's been a long long day and I'm probably missing something silly.

We use Fedora all over the place at work, and an iptables script I created works fine on those.

But when I customize it for my new personal Centos 4.2 x86_64 system, running config-2.6.9-34.EL, and run it - no ports change status.

For instance - this script should just allow ping:


[code]#!/bin/bash
echo "Resetting Firewall"

# Make sure we can execute it
if [ ! -x $IPTABLES ]
then
    echo "firewall: cannot execute $IPTABLES"
    exit 1
fi

# Edit if needed
IPTABLES=/sbin/iptables
echo "iptables location: " ${IPTABLES}

echo "Flushing ${IPTABLES}"
${IPTABLES} -F
# Remove any leftover "block" chain from a previous run so -N succeeds
${IPTABLES} -X block 2>/dev/null
${IPTABLES} -N block

# Accept anything from localhost or my IP
${IPTABLES} -A block -s 166.143.1.23 -j ACCEPT
${IPTABLES} -A block -i lo -j ACCEPT

# Allow ping
${IPTABLES} -A block -p icmp -j ACCEPT

# Everything else that reaches the chain is dropped
${IPTABLES} -A block -j DROP
# Only traffic arriving on eth0 is sent through the "block" chain
${IPTABLES} -A INPUT -i eth0 -j block[/code]

Yet when I run nmap localhost, the ports I defined in the firewall GUI are still active.

Is there something "special" Centos is doing? Have I been working too long today?

Any info will be greatly appreciated.

jowa
Posts: 75
Joined: 2005/07/10 14:42:39

iptables not changing ports

Post by jowa » 2006/03/21 03:36:47

[quote]Have I been working too long today?[/quote]
You probably have, Lars. :-D

Let's work through it. First of all, you do a check on IPTABLES before IPTABLES is even defined.
After that, you make a new chain, called "block", which looks OK. Then your nmap test "fails".

Actually, iptables is doing [i]exactly[/i] what you told it to... it checks packets that [b]enter the machine through eth0[/b]:
[code]...
${IPTABLES} -A INPUT -i eth0 -j block
...[/code]
Doing "nmap localhost" won't touch that chain.

Regards, J

LinuxLars
Posts: 6
Joined: 2006/03/15 20:47:07

Re: iptables not changing ports

Post by LinuxLars » 2006/03/21 13:36:00

DOH! You're absolutely right on all counts. Script was messy, iptables works fine when checked over eth0, and yesterday was far too long and hairy.

Thanks for the help. I greatly appreciate it.

