Solved

new iptables rule not working

Posted on 2014-02-03
3
439 Views
Last Modified: 2014-02-03
Hello Experts,

I just added a new rule to my iptables... however, when I try to telnet to the port using another computer, it doesn't work... but I am able to telnet when I turn off iptables... what am I doing wrong? thanks for your help...

[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p udp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Open in new window

0
Comment
Question by:epifanio67
3 Comments
 
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 39830284
Your INPUT chain forks to RH-Firewall-1-INPUT for any traffic. At the end of this subchain there is a reject without a filter. So your ACCEPTs are never reached.
You can see that when you look at the byte and packet counters of your two accept-rules and at the top "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"

The best would be to find out where this reject is written and move it to the first INPUT chain. Then you can add your accept to RH-Firewall-1-INPUT.

Without a change of your base set you cannot use -A, but you can -I instead.
iptables -I INPUT 1 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 25565 -j ACCEPT

or to put it in the sub chain:
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p tcp --dport 25565 -j ACCEPT
15 should be the reject so the lines get inserted right before the last reject
0
 

Author Closing Comment

by:epifanio67
ID: 39830337
it worked...
nice lesson...

Thanks so much for your help...

regards,
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39830341
This is what you need in order to telnet "Port 23"

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Fine Tune your automatic Updates for Ubuntu / Debian
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now