IP tables blocking beremote service

I am running a Backup Exec remote agent between a Linux web server and a Windows backup server. When the iptables service on Linux is down, backups run OK. But when iptables is on, backups fail.

Attached is my iptables configuration, list of running ports and log from firewall.

Please help!
firewall-log.txt
iptables-status.txt
ports-open.txt
DENTSU asked:

MikeKane commented:
Typically, the beremote will listen on port 10000. It looks like your BES server is at 10.0.0.48. So I think this would work with the addition of the following to your IPTables script, to allow server 10.0.0.48 to hit tcp 10000 on your local host.

iptables -A INPUT -p tcp -s 10.0.0.48/32 -d 0/0 --destination-port 10000 --syn -j ACCEPT
0
MikeKane commented:
Did that take care of it for you?
0
DENTSU (Author) commented:
Nope - still failing :-( I am losing hope.
p.s. sorry for the delay
0

MikeKane commented:
Make sure you have that allow before any DROP rules. The script would be run sequentially.

You could also just open up the full range to that ip using:
iptables -A INPUT -i <iface> -s 10.0.0.48 -j ACCEPT

where iface is the interface that the remote BES server speaks to.

10.0.0.48 is the remote host, correct?
0
DENTSU (Author) commented:
Still doesn't work. Host is correct.
This is really a mystery... Judging by the logs (attached: firewall-log.txt) it seems as if the outgoing config is being blocked - am I correct?
0
DENTSU (Author) commented:
btw. MikeKane: thanks for your help and for looking into this...
0
MikeKane commented:
So let's get something straight. 10.0.0.40 is local, then you are correct, and that outbound is being blocked, not inbound.

So my bad then....

Adding a rule "iptables -P OUTPUT ACCEPT" will allow all outbound connections from this host. That should certainly allow all outbound, so use with that knowledge.
0
DENTSU (Author) commented:
Thanks Mike!
I tried but it still doesn't work. I am starting to believe that maybe my whole iptables is somehow broken/corrupted.
I attached the iptables status before and after adding your rule...

iptables-add-output.txt
0
MikeKane commented:
Would you post your iptables script... let's edit that instead. That way you'll flush the rules and recreate them in the proper order.... plus we can double check for any errors.
0
DENTSU (Author) commented:
Hi Mike - it's attached.
Wow! Thanks again for all your help!

firewall-config.txt
0
MikeKane commented:
This is the skeleton script for new IPTABLES setups. What flavor of Linux are you running? RH?

I've added in the items I saw in the text document above....  

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -N RH-Firewall-1-INPUT
# Setup new chain
iptables -A INPUT -j OP-Firewall-1-INPUT
iptables -A FORWARD -j OP-Firewall-1-INPUT
#
# Set access for localhost
#
iptables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH connections on tcp port 22
#
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#
#
# Allow specific items as defined
iptables -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
#
# Reject everything else
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
0
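The ordering point made earlier in the thread ("make sure you have that allow before any DROP rules") is what the skeleton script above also relies on: its final REJECT ends the chain, so any ACCEPT appended after it with -A never matches. The script below is an added example, not the thread's own code or the poster's script: it parses the text that `iptables -S <chain>` prints, reports whether the port-10000 ACCEPT is shadowed by an earlier REJECT/DROP, and prints the `-I` command that places it at the right slot. The BES address 10.0.0.48, port 10000 and the chain name RH-Firewall-1-INPUT are taken from the thread; the rule listing is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): finds where an ACCEPT must be inserted
# so it precedes a chain's terminating REJECT/DROP, parsing `iptables -S` text.
# BES_IP, BES_PORT and the chain name come from the thread; rules are constructed.
BES_IP=10.0.0.48
BES_PORT=10000
CHAIN=RH-Firewall-1-INPUT

# Constructed `iptables -S RH-Firewall-1-INPUT` output: the port-10000 ACCEPT
# was appended with -A, so it sits after the REJECT and can never match.
SAMPLE_RULES='-N RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 10.0.0.48/32 -p tcp -m tcp --dport 10000 -j ACCEPT'

# Print the 1-based position of the first REJECT/DROP rule in CHAIN, or 0.
first_terminal_rule() {
    printf '%s\n' "$1" | grep "^-A $CHAIN " | awk '
        /-j (REJECT|DROP)( |$)/ { found = 1; print NR; exit }
        END { if (!found) print 0 }'
}

# True when an ACCEPT for BES_PORT exists but only after the terminal rule.
port_rule_shadowed() {
    term=$(first_terminal_rule "$1")
    accept=$(printf '%s\n' "$1" | grep "^-A $CHAIN " | awk -v p="$BES_PORT" '
        $0 ~ ("--dport " p "( |$)") && /-j ACCEPT( |$)/ { print NR; exit }')
    [ -n "$accept" ] && [ "$term" -gt 0 ] && [ "$accept" -gt "$term" ]
}

# Print the iptables command that puts the allow rule at the terminal rule's
# slot (-I pushes REJECT down one); fall back to -A when there is none.
insert_command() {
    pos=$(first_terminal_rule "$1")
    if [ "$pos" -gt 0 ]; then
        printf 'iptables -I %s %s -p tcp -s %s/32 -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
            "$CHAIN" "$pos" "$BES_IP" "$BES_PORT"
    else
        printf 'iptables -A %s -p tcp -s %s/32 -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
            "$CHAIN" "$BES_IP" "$BES_PORT"
    fi
}

# Stand-alone run against the constructed listing.
if port_rule_shadowed "$SAMPLE_RULES"; then
    echo "port $BES_PORT ACCEPT is shadowed by an earlier REJECT/DROP; fix with:"
    insert_command "$SAMPLE_RULES"
fi
```

On a live box, feed it `iptables -S RH-Firewall-1-INPUT` output instead of SAMPLE_RULES, and remember that the skeleton script also jumps INPUT into the chain, so the position printed is relative to that chain, not to INPUT.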
DENTSU (Author) commented:
Hi Mike,
Thanks again (BIG TIME!). Deployed the script and made sure it got saved OK. It is still not working.
I tried to add the rules to allow all the traffic from the specific IP, but still nothing.
I have CentOS (so kind of RedHat).
I will try a few more things and post what I got tomorrow.
0
MikeKane commented:
Sorry, I just noticed I had a typo in the script...

# Setup new chain
iptables -A INPUT -j OP-Firewall-1-INPUT
iptables -A FORWARD -j OP-Firewall-1-INPUT

should be

# Setup new chain
iptables -A INPUT -j RH-Firewall-1-INPUT
iptables -A FORWARD -j RH-Firewall-1-INPUT


Replace that and retry. Also, with that in place, what do you get in your log?
0