[lug] simple iptables mystery

D. Stimits stimits at attbi.com
Thu Mar 6 22:02:36 MST 2003


Zan Lynx wrote:

> On Thu, 2003-03-06 at 19:25, D. Stimits wrote:
>
> >On a RH 8 (KRUD) box, I have a mystery, which should not be happening. I
> >admit I know very little about iptables, I've used ipchains forever, but
> >this is so simple I don't understand why it won't work. In
> >/etc/sysconfig/ is the iptables file (and I run service iptables restart
> >after changes). I am trying to get it to accept anything on the private
> >eth0 NIC (it has another NIC for outside world), and the following fails
> >to allow anything below port 1024 in:
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >:RH-Lokkit-0-50-INPUT - [0:0]
> >-A INPUT -j RH-Lokkit-0-50-INPUT
> >
> >-A RH-Lokkit-0-50-INPUT -s 0/0 -d 0/0 -i eth0 -j ACCEPT
>
>
> You're adding it to the end of the rule chain.  Check the rules before
> it.  Make sure it isn't being denied somewhere closer to the front of
> the chain.

Nope...that is the mystery. What you see above is *literally* the top of 
the file. That ACCEPT rule is the first rule in the file.

>
> One of my favorite iptables debugging tools is diff.
> iptables -L -v -n > /tmp/1
>
> iptables -L -v -n > /tmp/2
>
> diff /tmp/1 /tmp/2
>
Fascinating, and eloquent (especially with --side-by-side). It didn't 
tell me my answer, but it reveals a lot. It did show the ACCEPT rule 
packet count going up (this was after I altered the above rule to allow 
port 80 only) after trying to hit it with the web browser. I am 
beginning to think it isn't iptables doing the refusal to let me go to 
port 80. But the web logs do not indicate a hit of any kind, and the web 
server is definitely up and running on port 80. If I telnet to port 80 
from outside, it acts as if nothing is running, but if I telnet to port 
80 from inside, it works as expected. Doing the diff on the logs, the 
only REJECT rules for eth0 have no change in packet counts for the 
REJECT rules...nothing hit them...but the ACCEPT rule increments as if 
it did accept.

I wonder...does RH 8 (KRUD 8) have by default in the apache stuff a 
config which will make it look like no service is even running on the 
port under some circumstances, e.g., some sort of auth thing...and not 
getting logged? The thing is that if it were apache doing the rejection, 
I would expect to reach the port 80 and see something, then be denied, 
but it acts just like nothing is on the port at all (this doesn't make 
sense except if iptables were cutting the port off). The part that 
supports the theory that it isn't iptables but instead apache or xinetd 
is that I can do this with ssh and ssh works.

D. Stimits, stimits AT attbi DOT com
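The counter-diff technique Zan Lynx suggests, carried one step further as an added example (not code from the thread): it parses two `iptables -L -v -n` snapshots and reports, per chain, which rule or built-in policy counted the packets, so an ACCEPT rule that advances while the REJECT rule and the chain policy stay put can be told apart from a drop. The snapshots below are constructed samples, not output from the poster's box.

```python
import re

# Constructed snapshots in the layout `iptables -L -v -n` prints. Between them the
# ACCEPT rule (and the INPUT jump feeding it) advances; REJECT and the policy do not.
BEFORE = """\
Chain INPUT (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   50  4000 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   960 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 reject-with icmp-port-unreachable
"""
AFTER = (BEFORE.replace("   12   960 ACCEPT", "   15  1200 ACCEPT")
               .replace("   50  4000 RH-Lokkit", "   53  4240 RH-Lokkit"))

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|\d+ references)\)")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(.+)$")

def _num(s):
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}  # without -x, iptables abbreviates large counters
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_counters(text):
    """Map (chain, position) -> (rule_text, pkts, bytes); position 0 is a built-in chain's policy."""
    counters, chain, pos = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, pos = m.group(1), 0
            if m.group(2):  # policy counter: packets that no rule in the chain matched
                counters[(chain, 0)] = ("policy " + m.group(2), _num(m.group(3)), _num(m.group(4)))
            continue
        m = RULE_RE.match(line)
        if chain and m:  # header and blank lines do not match RULE_RE
            pos += 1
            counters[(chain, pos)] = (" ".join(m.group(3).split()), _num(m.group(1)), _num(m.group(2)))
    return counters

def counter_diff(before, after):
    """(chain, rule_text, pkts_delta, bytes_delta) for every rule whose packet count moved."""
    b, a = parse_counters(before), parse_counters(after)
    out = []
    for key in sorted(set(b) | set(a)):
        if key not in b or key not in a:  # rule inserted or removed between snapshots
            out.append((key[0], "rule set changed at position %d" % key[1], None, None))
        elif a[key][1] != b[key][1]:
            out.append((key[0], b[key][0], a[key][1] - b[key][1], a[key][2] - b[key][2]))
    return out
```

Take the first snapshot, make the connection attempt, take the second, and feed both to `counter_diff`; an unchanged policy counter and an advancing ACCEPT rule mean the packet left the filter table, so the refusal is happening elsewhere (the service, a listener bound to one address, or routing back out).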



