Solved

IP tables blocking beremote service

Posted on 2010-03-30
1,024 Views
Last Modified: 2013-11-16
I am running a Backup Exec remote agent between a Linux web server and a Windows backup server. When the iptables service on Linux is down, backups run OK. But when iptables is on, backups fail.

Attached is my iptables configuration, list of running ports and log from firewall.

Please help!
firewall-log.txt
iptables-status.txt
ports-open.txt
Question by:DENTSU
13 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 29095432
Typically, the beremote will listen on port 10000. It looks like your BES server is at 10.0.0.48. So I think this would work with the addition of the following to your IPTables script, to allow server 10.0.0.48 to hit tcp 10000 on your local host.

iptables -A INPUT -p tcp -s 10.0.0.48/32 -d 0/0 --destination-port 10000 --syn -j ACCEPT
 
LVL 33

Expert Comment

by:MikeKane
ID: 29375704
Did that take care of it for you?
 

Author Comment

by:DENTSU
ID: 29820955
Nope - still failing :-( I am losing hope.
p.s. sorry for the delay

 
LVL 33

Expert Comment

by:MikeKane
ID: 29856772
Make sure you have that allow before any DROP rules. The script would be run sequentially.

You could also just open up the full range to that ip using:
iptables -A INPUT -i <iface> -s 10.0.0.48 -j ACCEPT

where iface is the interface that the remote BES server speaks to.


10.0.0.48 is the remote host correct?
 

Author Comment

by:DENTSU
ID: 30054683
Still doesn't work. Host is correct.
This is really a mystery... Judging by the logs (attached: firewall-log.txt) it seems as if the outgoing config is being blocked - am I correct?
 

Author Comment

by:DENTSU
ID: 30054733
btw. MikeKane: thanks for your help and for looking into this...
 
LVL 33

Expert Comment

by:MikeKane
ID: 30081840
So let's get something straight. 10.0.0.40 is local, then you are correct, and that outbound is being blocked, not inbound.

So my bad then....

Adding a rule "iptables -P OUTPUT ACCEPT" will allow all outbound connections from this host. That should certainly allow all outbound so use with that knowledge.
 

Author Comment

by:DENTSU
ID: 30202350
Thanks Mike!
I tried but it still doesn't work. I am starting to believe that maybe my whole iptables is somehow broken/corrupted.
I attached the iptables status before and after adding your rule...

iptables-add-output.txt
 
LVL 33

Expert Comment

by:MikeKane
ID: 30216723
Would you post your iptables script... let's edit that instead. That way you'll flush the rules and recreate them in the proper order.... plus we can double check for any errors.
 

Author Comment

by:DENTSU
ID: 30515047
Hi Mike - it's attached.
Wow! Thanks again for all your help!

firewall-config.txt
 
LVL 33

Accepted Solution

by:MikeKane (earned 2000 total points)
ID: 30523903
This is the skeleton script for new IPTABLES setups. What flavor of Linux are you running? RH?

I've added in the items I saw in the text document above....  

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N RH-Firewall-1-INPUT
# Setup new chain
iptables -A INPUT -j OP-Firewall-1-INPUT
iptables -A FORWARD -j OP-Firewall-1-INPUT
#
# Set access for localhost
#
iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH connections on tcp port 22
#
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#
#
# Allow specific items as defined
iptables -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
#
# Reject everything else
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
 

Author Comment

by:DENTSU
ID: 30652346
Hi Mike,
Thanks again (BIG TIME!). Deployed the script and made sure it got saved OK. It is still not working.
I tried to add the rules to allow all the traffic from the specific IP, but still nothing.
I have CentOS (so kind of RedHat).
I will try a few more things and post what I got tomorrow.
 
LVL 33

Expert Comment

by:MikeKane
ID: 30728940
Sorry I just noticed I had a typo in the script...

# Setup new chain
iptables -A INPUT -j OP-Firewall-1-INPUT
iptables -A FORWARD -j OP-Firewall-1-INPUT

should be

# Setup new chain
iptables -A INPUT -j RH-Firewall-1-INPUT
iptables -A FORWARD -j RH-Firewall-1-INPUT


Replace that and retry. Also, with that in place, what do you get in your log?
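The two pitfalls MikeKane raises in this thread (the allow rule must sit before the catch-all REJECT, and a jump to a misspelled chain name breaks the script) modelled in an added example that is not code from the thread: a small Python first-match simulator over the INPUT -> RH-Firewall-1-INPUT layout of the script above. It is a simulation of iptables' rule-walk semantics, not iptables itself; the packet from 10.0.0.48 to tcp/10000 is constructed, and only proto, src, dport and conntrack state are matched.

```python
# Constructed sample packet: the backup server (10.0.0.48 in the thread)
# opening a new TCP connection to the beremote port on the web server.
BACKUP_SYN = {"proto": "tcp", "src": "10.0.0.48", "dport": 10000, "state": "NEW"}
POLICY = {"INPUT": "ACCEPT"}  # the script sets -P INPUT ACCEPT; user chains have no policy


def build_chains(allow_before_reject=True, jump_target="RH-Firewall-1-INPUT"):
    """Lay out the thread's chains; the two parameters reproduce its two pitfalls."""
    chains = {"RH-Firewall-1-INPUT": [], "INPUT": []}
    # `iptables -A INPUT -j <chain>` is refused when <chain> does not exist,
    # which is what the OP-Firewall-1-INPUT typo in the script produced.
    if jump_target not in chains:
        raise KeyError(f"No chain/target/match by that name: {jump_target}")
    chains["INPUT"].append({"target": jump_target})
    fw = chains["RH-Firewall-1-INPUT"]
    fw.append({"state": ("ESTABLISHED", "RELATED"), "target": "ACCEPT"})
    allow = {"proto": "tcp", "dport": 10000, "state": "NEW", "target": "ACCEPT"}
    reject = {"target": "REJECT"}  # the catch-all at the end of the chain
    # Order is everything: appended after the catch-all, the allow is never reached.
    fw.extend([allow, reject] if allow_before_reject else [reject, allow])
    return chains


def _matches(rule, pkt):
    """Every match key present in the rule must fit the packet (tuple = any of)."""
    for key in ("proto", "src", "dport", "state"):
        if key in rule:
            want = rule[key]
            ok = pkt.get(key) in want if isinstance(want, tuple) else pkt.get(key) == want
            if not ok:
                return False
    return True


def evaluate(chains, pkt, chain="INPUT"):
    """First-match walk: the first matching terminal rule decides the verdict."""
    for rule in chains[chain]:
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        verdict = evaluate(chains, pkt, target)  # jump into a user chain
        if verdict != "RETURN":
            return verdict
    return POLICY.get(chain, "RETURN")  # end of a user chain returns to the caller
```

With the default layout the constructed SYN is accepted; with the allow appended after the REJECT it is rejected, and the misspelled jump target fails at load time exactly like the real `iptables -A` would.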
