Solved

new iptables rule not working

Posted on 2014-02-03
3
450 Views
Last Modified: 2014-02-03
Hello Experts,

I just added a new rule to my iptables... however, when I try to telnet to the port using another computer, it doesn't work... but I am able to telnet when I turn off iptables... what am I doing wrong? thanks for your help...

[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p udp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Open in new window

0
Comment
Question by:epifanio67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 39830284
Your INPUT chain forks to RH-Firewall-1-INPUT for any traffic. At the end of this subchain there is a reject without a filter. So your ACCEPTs are never reached.
You can see that when you look at the byte and packet counters of your two accept-rules and at the top "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"

The best would be to find out where this reject is written and move it to the first INPUT chain. Then you can add your accept to RH-Firewall-1-INPUT.

Without a change of your base set you cannot use -A, but you can -I instead.
iptables -I INPUT 1 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 25565 -j ACCEPT

or to put it in the sub chain:
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p tcp --dport 25565 -j ACCEPT
15 should be the reject so the lines get inserted right before the last reject
0
 

Author Closing Comment

by:epifanio67
ID: 39830337
it worked...
nice lesson...

Thanks so much for your help...

regards,
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39830341
This is what you need in order to telnet "Port 23"

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question