Solved

new iptables rule not working

Posted on 2014-02-03
3
444 Views
Last Modified: 2014-02-03
Hello Experts,

I just added a new rule to my iptables... however, when I try to telnet to the port using another computer, it doesn't work... but I am able to telnet when I turn off iptables... what am I doing wrong? thanks for your help...

[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p udp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 25565 -j ACCEPT
[root@localhost sbin]# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  202 27025 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:25565 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 23 packets, 3419 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
   54  5667 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
   16  1466 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   87  6786 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    9  2114 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
   36 10992 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Open in new window

0
Comment
Question by:epifanio67
3 Comments
 
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 39830284
Your INPUT chain forks to RH-Firewall-1-INPUT for any traffic. At the end of this subchain there is a reject without a filter. So your ACCEPTs are never reached.
You can see that when you look at the byte and packet counters of your two accept-rules and at the top "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)"

The best would be to find out where this reject is written and move it to the first INPUT chain. Then you can add your accept to RH-Firewall-1-INPUT.

Without a change of your base set you cannot use -A, but you can -I instead.
iptables -I INPUT 1 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 25565 -j ACCEPT

or to put it in the sub chain:
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p udp --dport 25565 -j ACCEPT
iptables -I  RH-Firewall-1-INPUT 15 -m state --state NEW -p tcp --dport 25565 -j ACCEPT
15 should be the reject so the lines get inserted right before the last reject
0
 

Author Closing Comment

by:epifanio67
ID: 39830337
it worked...
nice lesson...

Thanks so much for your help...

regards,
0
 
LVL 14

Expert Comment

by:comfortjeanius
ID: 39830341
This is what you need in order to telnet "Port 23"

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question