IPtables not running - RHEL7 64bit

Gurus,

It doesn't appear the IPtables service is running?? Any help on what I should look for would be great.

[root@waglago iptables]# service iptables status
Redirecting to /bin/systemctl status  iptables.service
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
   Active: active (exited) since Tue 2015-04-21 10:10:42 EDT; 18min ago
  Process: 32101 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 32193 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 32193 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

Apr 21 10:10:42 waglago.purered.net iptables.init[32193]: iptables: Applying ...
Apr 21 10:10:42 waglago.purered.net systemd[1]: Started IPv4 firewall with i....
Hint: Some lines were ellipsized, use -l to show in full.



[root@waglago iptables]# systemctl stop iptables.service
[root@waglago iptables]# systemctl start iptables.service
[root@waglago iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@waglago iptables]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@waglago iptables]#


xbox360dp Asked:

Mazdajai Commented:
Looks like it is running but with default rules. You can use the following to check the rules:

 
service firewalld status
cat /etc/sysconfig/iptables

0
Zephyr ICT (Cloud Architect) Commented:
In RHEL 7 iptables is managed by the firewalld service. Now for a workstation that is ok, but for a server you may prefer "plain" iptables ... This is possible.

systemctl stop firewalld
systemctl mask firewalld



Following part might be unnecessary, but I'll include it anyway...
yum install iptables-services


systemctl enable iptables



If you want to know more about firewall-cmd ... It's not too difficult once you get used to the commands.
0
xbox360dp (Author) Commented:
Mazdajai,

I've disabled firewalld.

spravtek,

I've already executed all those commands.

Here is what I have in /etc/sysconfig/iptables

# Generated by iptables-save v1.4.21 on Tue Apr 21 09:49:46 2015
*mangle
:PREROUTING ACCEPT [18:1204]
:INPUT ACCEPT [18:1204]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1664]
:POSTROUTING ACCEPT [16:1664]
COMMIT
# Completed on Tue Apr 21 09:49:46 2015
# Generated by iptables-save v1.4.21 on Tue Apr 21 09:49:46 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 8300 -j DNAT --to-destination 172.16.21.79:8300
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 8500 -j DNAT --to-destination 172.16.21.79:8500
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.21.79:80
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Apr 21 09:49:46 2015



Yet it appears there are no rules in place.
0
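A note on the two observations above (the "active (exited)" status and the empty `iptables -L`), with an added example that is not part of the original thread. iptables.service on RHEL 7 is not a daemon: iptables.init loads the saved rules and exits, so "active (exited)" is its normal healthy state. And `iptables -L` with no `-t` lists only the filter table, while the posted /etc/sysconfig/iptables contains a mangle table and a nat table but no *filter section at all, so the DNAT rules are loaded and the listing is still empty. The script below summarises an iptables-save dump per table to make that visible; the sample input is the poster's file copied verbatim, and the live section (run with `--live` as root) uses only read-only iptables commands.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise an iptables-save
# dump per table so you can see where the rules actually live.
# `iptables -L` without -t shows only the filter table; the poster's
# file has no *filter section, so that listing is empty even though the
# nat rules are loaded.

# Constructed input: the poster's /etc/sysconfig/iptables, copied verbatim.
SAMPLE_DUMP='# Generated by iptables-save v1.4.21 on Tue Apr 21 09:49:46 2015
*mangle
:PREROUTING ACCEPT [18:1204]
:INPUT ACCEPT [18:1204]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1664]
:POSTROUTING ACCEPT [16:1664]
COMMIT
# Completed on Tue Apr 21 09:49:46 2015
# Generated by iptables-save v1.4.21 on Tue Apr 21 09:49:46 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 8300 -j DNAT --to-destination 172.16.21.79:8300
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 8500 -j DNAT --to-destination 172.16.21.79:8500
-A PREROUTING -d 68.17.13.65/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.21.79:80
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Apr 21 09:49:46 2015'

# table_summary: read a dump on stdin and print one line per table:
#   <table> chains=<n> rules=<n> policies=<chain:policy,...>
# Tables are reported in the order they appear in the dump.
table_summary() {
    awk '
        /^\*/ { tbl = substr($1, 2); order[++n] = tbl; chains[tbl] = 0; rules[tbl] = 0; next }
        /^:/  { chains[tbl]++
                pol[tbl] = pol[tbl] (pol[tbl] ? "," : "") substr($1, 2) ":" $2
                next }
        /^-A/ { rules[tbl]++; next }
        END {
            for (i = 1; i <= n; i++) {
                t = order[i]
                printf "%s chains=%d rules=%d policies=%s\n", t, chains[t], rules[t], pol[t]
            }
        }'
}

# has_table NAME: exit 0 if the dump on stdin contains a *NAME section.
has_table() {
    grep -q "^\*$1\$"
}

if [ "${1:-}" = "--live" ] && command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On the RHEL 7 box itself: read-only listings of the two tables that
    # matter here, then the per-table summary of everything loaded.
    echo "== filter table (what plain 'iptables -L' shows) =="
    iptables -t filter -L -n -v
    echo "== nat table (where the posted DNAT rules live) =="
    iptables -t nat -L -n -v
    echo "== every loaded table =="
    iptables-save | table_summary
else
    echo "== summary of the posted /etc/sysconfig/iptables =="
    printf '%s\n' "$SAMPLE_DUMP" | table_summary
    if printf '%s\n' "$SAMPLE_DUMP" | has_table filter; then
        echo "filter table present"
    else
        echo "no *filter table in the dump: plain 'iptables -L' will show empty chains"
    fi
fi
```

On the live box, `iptables -t nat -L -n -v` (or `iptables-save` on its own) is the quick way to confirm the three DNAT rules and the MASQUERADE rule are loaded; the packet counters in the `-v` output show whether traffic is hitting them.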
Zephyr ICT (Cloud Architect) Commented:
You'll need to add the rules, something like

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT


For ssh access on port 22

or for http(s)
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT



There are a lot of other rules, naturally, but that would depend on your setup: what you want to allow and how secure you want it. Make sure you keep your ssh connection open after implementing the rules for ssh or any other access, and test from a new connection to see if it still works.
0
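The ACCEPT rules above only do anything once the INPUT policy is something other than ACCEPT, and the poster's file has no filter table at all, so here is an added example (not from the original thread) that generates the missing *filter section with a default-deny INPUT policy, and checks it before it is loaded. Assumptions: ADMIN_NET (192.0.2.0/24, an RFC 5737 documentation range) is a hypothetical subnet that ssh is allowed from; the INPUT ports 80 and 443 follow the suggestion above; the DNAT target 172.16.21.79 and ports 80/8300/8500 are taken from the nat table posted earlier, and since this box forwards traffic for them, FORWARD gets matching rules so a DROP policy there does not silently break the port forwards. The output path /tmp/iptables.filter is also hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the *filter table
# the poster's /etc/sysconfig/iptables is missing, with default-deny
# INPUT and FORWARD policies, and sanity-check it before loading.
# Hypothetical values: ADMIN_NET (ssh source) and OUT (where the block
# is written for review). DNAT_TARGET and the forwarded ports come from
# the nat table posted in the thread.

ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
DNAT_TARGET=172.16.21.79
OUT=${OUT:-/tmp/iptables.filter}

# gen_filter_table ADMIN_CIDR DNAT_TARGET "INPUT_PORTS" "FORWARD_PORTS"
# Prints a complete *filter ... COMMIT block. Order matters: the conntrack
# ACCEPT must precede anything that could drop return traffic, and the
# ssh ACCEPT must be present before the policy is DROP, or the session
# used to apply the rules is the first casualty.
gen_filter_table() {
    admin=$1; target=$2; in_ports=$3; fwd_ports=$4
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT' \
        "-A INPUT -s $admin -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for p in $in_ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Forwarded traffic for the DNAT rules: replies, plus new connections
    # to the published ports on the target only.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $fwd_ports; do
        printf '%s\n' "-A FORWARD -d $target -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to discard, rate limited so a
    # port scan cannot fill /var/log/messages.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: " --log-level 4' \
        '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD drop: " --log-level 4' \
        'COMMIT'
}

# ruleset_sanity FILE: static checks that need no iptables binary.
# Every *table must be closed by a COMMIT, an ssh ACCEPT must exist in
# INPUT, and it must come before the INPUT LOG rule that precedes the drop.
ruleset_sanity() {
    f=$1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -eq "$commits" ] || { echo "unbalanced *table/COMMIT"; return 1; }
    ssh_line=$(grep -n -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$f" | head -n1 | cut -d: -f1)
    [ -n "$ssh_line" ] || { echo "no ssh ACCEPT rule in INPUT"; return 1; }
    log_line=$(grep -n -- '^-A INPUT .*-j LOG' "$f" | head -n1 | cut -d: -f1)
    if [ -n "$log_line" ] && [ "$ssh_line" -gt "$log_line" ]; then
        echo "ssh ACCEPT comes after the INPUT LOG/drop rule"; return 1
    fi
    echo "ruleset sanity: OK"
}

gen_filter_table "$ADMIN_NET" "$DNAT_TARGET" "80 443" "80 8300 8500" > "$OUT"
if ruleset_sanity "$OUT"; then
    echo "filter table written to $OUT; review it, then add it to /etc/sysconfig/iptables"
fi
# Only on the RHEL 7 box: parse the block without committing it.
if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    if iptables-restore --test < "$OUT"; then
        echo "iptables-restore --test: syntax OK"
    else
        echo "iptables-restore --test rejected the ruleset"
    fi
fi
```

Before loading it, save the current state with `iptables-save > /root/iptables.bak`, and, as the comment above says, keep the existing ssh session open and test from a second one; a belt-and-braces variant is to start `sleep 300 && iptables-restore < /root/iptables.bak` in the background first and kill it only once the new connection works. Also confirm firewalld is still stopped and masked before `systemctl restart iptables`, otherwise the two services will keep replacing each other's rules.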
CSIA AN Commented:
Hi,

I strongly recommend using apf (Advanced Policy Firewall). https://www.rfxn.com/projects/advanced-policy-firewall/
It's a wrapper for iptables and it's very easy to handle. It works on many Linux distros. I've been using apf for some years.

Just download the tgz file and install it on your Linux box.

Once installed, just edit the config file
/etc/apf/conf.apf


Change this line:
DEVEL_MODE="0"

to
DEVEL_MODE="1"


And add the ports you want to enable on your iptables.
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22 25 80 443 8080"



to start/stop/enable/disable APF just:
[root@cmdbsrv apf]# apf -h
eth1: error fetching interface information: Device not found
APF version 9.7 <apf@r-fx.org>
Copyright (C) 2002-2011, R-fx Networks <proj@r-fx.org>
Copyright (C) 2011, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load all firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop........................... stop (flush) all firewall rules
-l|--list .......................... list all firewall rules
-t|--status ........................ output firewall status log
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob]*_hosts.rules
                                     and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options



Hope this helps.
0
