Solved

new iptables rule not working

Posted on 2014-02-03
3
443 Views
Last Modified: 2014-02-03
Hello Experts,

I just added a new rule to my iptables... however, when I try to telnet to the port using another computer, it doesn't work... but I am able to telnet when I turn off iptables... what am I doing wrong? thanks for your help...

[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p udp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Question by:epifanio67
3 Comments
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 39830284
Your INPUT chain forks to RH-Firewall-1-INPUT for any traffic. At the end of this subchain there is a reject without a filter. So your ACCEPTs are never reached.
You can see that when you look at the byte and packet counters of your two accept-rules and at the top "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)".

The best would be to find out where this reject is written and move it to the first INPUT chain. Then you can add your accept to RH-Firewall-1-INPUT.

Without a change of your base set you cannot use -A, but you can use -I instead.
iptables -I INPUT 1 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 25565 -j ACCEPT

or to put it in the sub chain:
iptables -I RH-Firewall-1-INPUT 15 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I RH-Firewall-1-INPUT 15 -m state --state NEW -p tcp --dport 25565 -j ACCEPT
15 should be the reject, so the lines get inserted right before the last reject.
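An added example, not code from the thread or from any of its posters, that mechanises the check acbxyz describes above. It reads an `iptables -L -v -n` listing (the constructed sample below is the one posted in the question), reports the position of the first unconditional REJECT/DROP in a chain, tells whether a given rule can ever be reached or is shadowed by an earlier catch-all rule (including a catch-all jump into a chain that rejects everything), and prints the `-I` command that lands a new rule directly before that reject. The `LISTING` variable and the function names are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helpers that read an
# `iptables -L -v -n` listing and answer two questions a rule author needs:
#   1. at which position does a chain end in an unconditional REJECT/DROP?
#   2. can rule N of a chain ever be reached, or does an earlier catch-all
#      rule (or a catch-all jump into an always-rejecting chain) shadow it?
# Listing fields: pkts bytes target prot opt in out source destination [match...]

# Constructed sample input: the listing posted in the question.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the 1-based position of the first unconditional REJECT/DROP in chain $1
# (0 if there is none). "Unconditional" means any protocol, any interface, any
# source/destination and no match extension; the only extra field tolerated is
# the reject-with target option. A chain ending in a catch-all ACCEPT is not
# reported here, since this helper exists to find where the reject sits.
catchall_terminal_pos() {
  printf '%s\n' "$LISTING" | awk -v want="$1" '
    /^Chain / { chain = $2; n = 0; next }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
      n++
      if (chain == want && ($3 == "REJECT" || $3 == "DROP") &&
          $4 == "all" && $6 == "*" && $7 == "*" &&
          $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" &&
          ($10 == "" || $10 == "reject-with")) { print n; found = 1; exit }
    }
    END { if (!found) print 0 }'
}

# Print the target of every catch-all rule in chain $1 that sits before rule $2.
catchall_targets_before() {
  printf '%s\n' "$LISTING" | awk -v want="$1" -v limit="$2" '
    /^Chain / { chain = $2; n = 0; next }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
      n++
      if (chain == want && n < limit && $4 == "all" && $6 == "*" && $7 == "*" &&
          $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" &&
          ($10 == "" || $10 == "reject-with")) print $3
    }'
}

# Exit status 0 if rule $2 of chain $1 can be reached, 1 if an earlier rule
# gives every packet a verdict (or leaves the chain) before it gets there.
rule_is_reachable() {
  for target in $(catchall_targets_before "$1" "$2"); do
    case "$target" in
      ACCEPT|REJECT|DROP|RETURN) return 1 ;;   # ends traversal of this chain
      LOG) ;;                                   # non-terminating, keep looking
      *) [ "$(catchall_terminal_pos "$target")" -eq 0 ] || return 1 ;;  # user chain that rejects all
    esac
  done
  return 0
}

# Print the iptables command that places a new rule (remaining args) directly
# before the chain's catch-all reject, or appends it when the chain has none.
insert_before_terminal() {
  chain=$1; shift
  pos=$(catchall_terminal_pos "$chain")
  if [ "$pos" -eq 0 ]; then
    printf 'iptables -A %s %s\n' "$chain" "$*"
  else
    printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
  fi
}

# Demo on the sample listing: INPUT rule 2 (the appended ACCEPT) is shadowed by
# the rule-1 jump into RH-Firewall-1-INPUT, whose rule 15 rejects everything.
if rule_is_reachable INPUT 2; then echo "INPUT rule 2 is reachable"; else echo "INPUT rule 2 is shadowed"; fi
insert_before_terminal RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
```

On a live host, replace the `LISTING` variable with the output of `iptables -L -v -n` itself; the awk patterns only rely on the column layout that listing always uses. The packet counters are the quickest confirmation of the same diagnosis: a rule that stays at 0 pkts while the chain's final REJECT keeps counting is a rule nothing ever reaches.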

Author Closing Comment

by:epifanio67
ID: 39830337
it worked...
nice lesson...

Thanks so much for your help...

regards,
LVL 14

Expert Comment

by:comfortjeanius
ID: 39830341
This is what you need in order to telnet "Port 23"

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT