Daniel Strong
asked on
IPTables in Red Hat 7.2
I have VirtualBox running on top of Win7 64-bit. I have a Red Hat 7.2 Linux VM running. I have another virtual machine (VM) running Win7 with Wireshark. I have been having trouble getting the ports open on Red Hat.
I have turned off firewalld, but iptables is running. In iptables -L, under the FORWARD chain, it has a REJECT rule. Wireshark is reporting this when my Windows app tries to connect to Linux: it is a port unreachable. I have opened all the ports I need in iptables. When I delete that rule using iptables --delete FORWARD line_number, it deletes. I save it, but on reboot it puts it back. This is getting annoying.
Can someone help me? Why is Red Hat changing iptables upon reboot? I have been stuck on this for 2 weeks messing with this and it is about to make me pull my hair out.
Thanks...
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
Ok, that is what I am doing, using internal network only. Host is not involved.
In the network-scripts directory, there wasn't any file named /etc/sysconfig/network-scripts/iptables.
I found the iptables-config file in sysconfig, which I had changed to save my configuration of iptables on reboot.
Also, I removed the REJECT lines again on the FORWARD chain and they came back again, even though I saved. Red Hat is writing them back to iptables on reboot.
Do you have any more ideas? I appreciate the help...
SOLUTION
ASKER
Ok, I will check right now. I was messing with firewalld, but I turned it off. Then I discovered I was still being blocked and found iptables.
One question I have: When making a change to iptables, does it require a restart or reboot in order for the changes to go into effect? If I could get iptables to delete the REJECTs and have them stick... that would be great. Even if I have to write a script to deal with iptables and run it on reboot. But I am unsure if you have to restart the iptables service or reboot for the new changes to take effect.
I know with firewalld, I have to make a change and stop and start it. But iptables was running also and that was where my problem was.
I will try your suggestion... sorry for talking so much. Trying to bring you up to speed on where I am and what I tried. BRB...
ASKER
OK...
1. Did the iptables --flush, waited a few minutes, nothing... still getting a port unreachable.
2. rpm -qa | grep iptable showed -> iptables-1.4.21-16.el7.x86_64
3. rpm -qa | grep firewall showed -> firewalld-0.3.9-14.el7.noarch & firewall-config-0.9-14.el7.noarch
5. chkconfig showed
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:on
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:on
SOLUTION
ASKER
I was able to completely turn off firewalld. iptables is giving me the headache.
I will try your -F... I have tried iptables --flush, but nothing happened. Ports were still blocked. I will try it again using -F.
I am really to the point of what getting it.
I might just uninstall the rpms for iptables...
I will post my results.
Actually, firewalld and iptables are very fun and quite easy once you get the hang of it.
Just do this:
# yum install iptables-services
Then edit the rules file (you can copy/paste the rule for port 22 and adapt it to your liking):
# vi /etc/sysconfig/iptables
Then restart the service:
# systemctl restart iptables
Now verify that your iptables rules are running fine:
# iptables -L -n
Now you can use the old 'iptables' service for your local firewall management instead of learning the new firewalld syntax and stuff.
For some, it's much easier and more convenient.
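As an added example (not part of this thread or any answer in it): the file the iptables-services unit restores at boot is in iptables-restore(8) format, and the REJECT rules the asker keeps seeing are simply the last lines of that file, so they reappear every time the service restores it. The fix is to put the ACCEPT rules for the wanted ports ahead of the REJECT line and keep that file as the source of truth. The script below generates such a ruleset and checks the ordering before you copy it into place. Ports 5503 and 5504 come from the thread; that the app uses TCP is an assumption, and the output path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an /etc/sysconfig/iptables
# style ruleset (iptables-restore format) with ACCEPT rules for the given
# TCP ports placed BEFORE the final INPUT REJECT, and checks that ordering.
# Assumption: the application listens on TCP (constructed example).

# gen_ruleset PORT...  -> prints the ruleset to stdout
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
    # One ACCEPT per requested port, inserted before the catch-all REJECT.
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # The REJECTs stay last: anything not matched above is refused.
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# check_order FILE PORT...  -> prints "ok" and returns 0 when every port has an
# INPUT ACCEPT that precedes the INPUT REJECT; otherwise names the bad port
# and returns 1. Rule order is what decides whether a port is reachable.
check_order() {
    file=$1; shift
    reject_line=$(grep -n -- '-A INPUT -j REJECT' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$reject_line" ]; then
        echo "no INPUT REJECT found"; return 1
    fi
    for p in "$@"; do
        acc=$(grep -n -- "-A INPUT .*--dport $p -j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
        if [ -z "$acc" ] || [ "$acc" -gt "$reject_line" ]; then
            echo "port $p is not ACCEPTed before the INPUT REJECT"; return 1
        fi
    done
    echo ok
}

# Usage (as root, after reviewing the generated file):
#   gen_ruleset 5503 5504 > /tmp/iptables.rules
#   check_order /tmp/iptables.rules 5503 5504        # prints: ok
#   iptables-restore --test /tmp/iptables.rules      # parse only, no commit
#   cp /tmp/iptables.rules /etc/sysconfig/iptables && systemctl restart iptables
#   iptables -S INPUT                                # confirm the live order
```

Two caveats worth checking before touching the file. First, the FORWARD chain only sees packets the Linux box routes between two other hosts; a connection from the Windows VM to a service on the Red Hat VM itself is evaluated in INPUT, so deleting the FORWARD REJECT changes nothing for that traffic. Second, an ICMP port unreachable is also what the kernel itself sends when a UDP datagram arrives on a port with no listener, so if the application speaks UDP the message can appear with no firewall involved; `ss -lunp` (or `ss -ltnp` for TCP) shows whether anything is actually bound to 5503 and 5504. If you prefer to edit live rules with `iptables -I INPUT ...` instead of editing the file, `service iptables save` writes the running rules back to /etc/sysconfig/iptables so they survive the next restore.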
ASKER
I will try what you are talking about. I am completely cut off from the internet. Will yum even work?
If not, how do I install off the Red Hat DVD/ISO? I am not an expert in Linux. I appreciate the help.
ASKER
I need to install the iptables-services... I hope all the dependencies are on the iso. I am currently getting the iso to my VM now.
Is there something I need to do to setup a repository? Is there an easy solution to this?
SOLUTION
ASKER
Benny, I will try it... eating lunch, will report back. Thanks again for the help
I appreciate it greatly! Let you know soon.
SOLUTION
SOLUTION
ASKER
I will mess with it again. But I have been restarting it. There is something I noticed I didn't try on your instruction, I will try it now.
Let you know... thanks again.
SOLUTION
ASKER
I set promiscuous mode to ALL.
I am at a loss with this. It is weird that Wireshark states it is having the ICMP port unreachable, and in iptables it has the same error. The ports are 5503 and 5504... not sure what the issue is.
When I used port 22, no errors, because that port is wide open.
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
I will try it.
I just messed with iptables again and if I reboot at all, Red Hat will always write the REJECT lines at the end of the FORWARD chain. I swear, I am not lying... this is happening. I am surprised I can't just totally override what Red Hat wants to do. I would think editing the iptables file would override what Red Hat is doing.
I am really confused on this whole iptables thing.
What is the command to uninstall it and firewalld completely? rpm -uninstall iptables?
SOLUTION
ASKER
I disabled firewalld... and then I noticed iptables was blocking things... that is why I wanted to completely remove iptables.
So if I remove firewalld, that will remove iptables?
SOLUTION
ASKER
It is weird because when I disable iptables, it doesn't seem to be really disabled. I can still run iptables commands. I would think it wouldn't know how to handle the commands if you disabled it.
I am sorry for all the going back and forth, I just want this thing to behave right. I don't understand why Red Hat is writing reject-all at the end of the FORWARD chain; it doesn't make sense.
SOLUTION
ASKER
Ok... I went back and did a few more things. I am happy with the help you provided. I am seeing more packets coming across. Barry, I think you are right, I believe it could be a Wireshark thing.
Although this Win app hasn't done the handshake with the Linux app yet, I am definitely getting more packets through by opening up iptables. I understand iptables more now. I appreciate the help, Barry.
The port unreachable is still coming across and I don't get it. Going to try a few more things.
Anyways, thanks Jason and Barry... you guys have helped. I appreciate it.
ASKER
Thanks again, and sorry for all the going back and forth. You will see me on here more with more questions.
ASKER
I will try what you suggested though and let you know.