
Can't seem to allow ports using iptables


johndog

Technical User
Apr 17, 2001
103
US
I am trying to enable incoming/outgoing HTTP traffic on ports 8000 through 8100 through the firewall. I have tried using the command: iptables -A INPUT -p tcp -m tcp --sport 8000:8100 -j ACCEPT and the same command with OUTPUT but it still doesn't seem to do the trick. After doing an iptables -L, this is what I have, please help!:
**********************************************************

[root@financial shell_scripts]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spts:8000:8100

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:8000:8100

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

******************************************************
 
Your post reads:

--sport 8000:8100

but I think you'll want to filter the packets based on their destination ports, not their source ports. So:

--dport 8000:8100

sounds to me like it would be more appropriate.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
I tried changing the ports to dport, but it didn't seem to help. Would it be possible that I have to also open port 80? Also, whenever I restart the iptables service, it forgets all of the INPUT/OUTPUT entries that I've made and I have to reenter them each time...Thanks.
 
First of all, doing a "service iptables save" will write out your current rules so they can be read on next start.

Secondly (and I'm not an expert, but I think this is the case) look at the last rule of the RH-Firewall-1-INPUT chain. It's rejecting everything. You need to add your rule before RH-Firewall-1-INPUT in the INPUT chain.
 
That is helpful...what flag(s) do I have to add to the iptables command in order to specify what chain I am adding to? Thanks.
 
Would it be possible that I have to also open port 80?
I'm sorry, but I don't understand that question.

whenever I restart the iptables service, it forgets all of the INPUT/OUTPUT entries that I've made and I have to reenter them each time
That's normal. On my systems I put the iptables commands into a bash script so I can run them whenever necessary.



I think I see the problem.

You're appending this rule to the end of the INPUT table. However, the first thing the INPUT table does is send everything to the RH-Firewall-1-INPUT table. And the last thing the RH-Firewall-1-INPUT table does is do a REJECT.

Where are your existing rules coming from?

 
Please refer to the iptables man page.

You should be inserting (-I) rather than appending (-A); the -I takes an optional 2nd argument "rulenum" to specify where the rule should be inserted.
 
I have figured out that the entries need to reside under the RH-Firewall-1-INPUT section in order to work correctly. Thanks for all of your help!
 
No, they don't, but if you want to believe that and it's working, then go with it.
 
This is what my firewall looks like now and the ports that I have specified under the RH-Firewall-1-INPUT section are working like they should:

[root@hostname ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8100
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:9000
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
 
The key is that your rule to allow is specified before the REJECT at the end of the RH-Firewall-1-INPUT chain is reached. You can specify it in that chain as you did, or you could have inserted it above the RH-Firewall-1-INPUT chain in the INPUT chain as I suggested before. Either would have worked.

My only worry would be something in RedHat assuming that it has control over that chain and rewriting, obliterating your rule. That's kinda the reason they put their own chain in there rather than putting all their rules in the INPUT chain.
If you added your rule using the RedHat FW Rule Editor (whatever that is), then I'm sure you're okay. If not, then YMMV.
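The point made in the last two replies (the rule must land before the trailing REJECT of RH-Firewall-1-INPUT, so use -I with a rule number instead of -A) and the earlier note about "service iptables save" can be turned into a small script. The following is an added example, not code from anyone in this thread: it reads the numbered listing of the chain, finds the first REJECT, and prints (rather than runs) the insert command that goes in front of it. The listing embedded below is constructed to mirror the thread's output; on a real box you would feed it the output of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compute where to insert an ACCEPT so it
# runs before the REJECT that ends Red Hat's RH-Firewall-1-INPUT chain.
# Appending (-A) to INPUT never works here, because INPUT jumps into
# RH-Firewall-1-INPUT first and that chain ends with a terminating REJECT.

CHAIN=RH-Firewall-1-INPUT

# Constructed sample listing, shaped like `iptables -L $CHAIN -n --line-numbers`.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT in a listing read from stdin.
# Inserting at that number (-I CHAIN N) places the new rule just before it.
reject_rulenum() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Emit (do not run) the commands that open a TCP destination-port range
# ahead of the REJECT, then persist the ruleset for the next restart.
# $1 = chain listing text, $2 = first port, $3 = last port
open_tcp_range_cmds() {
    n=$(printf '%s\n' "$1" | reject_rulenum)
    if [ -z "$n" ]; then
        echo "no REJECT rule found in $CHAIN; refusing to guess a position" >&2
        return 1
    fi
    # --dport, not --sport: we are matching the port the client connects TO.
    # -m state --state NEW matches the era of this thread (RHEL 4 / FC2);
    # newer kernels accept -m conntrack --ctstate NEW as well.
    printf 'iptables -I %s %s -p tcp -m state --state NEW --dport %s:%s -j ACCEPT\n' \
        "$CHAIN" "$n" "$2" "$3"
    # Without this, the rules are gone after "service iptables restart".
    echo 'service iptables save'
}

open_tcp_range_cmds "$SAMPLE_LISTING" 8000 8100
```

Run it as-is to see the two commands it would issue; to apply them on a host, pipe the real listing in and feed the output to sh as root. The script refuses to emit anything when it cannot find a REJECT, since inserting at a guessed position is exactly the mistake the thread is about.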
 
You are correct, since the server I've been working on is running Red Hat Enterprise Linux 4, I suppose they put their own chain in the list. I checked on one of my other servers that is running Fedora Core 2 and it did not contain the chain RH-Firewall-1-INPUT, but only the INPUT chain. I was able to open some ports simply by adding them to the INPUT chain and it worked great.

I've learned a lot from this post...thanks again for all of your help!
 