[lug] simple iptables mystery
D. Stimits
stimits at attbi.com
Thu Mar 6 22:02:36 MST 2003
Zan Lynx wrote:
> On Thu, 2003-03-06 at 19:25, D. Stimits wrote:
>
> >On a RH 8 (KRUD) box, I have a mystery, which should not be happening. I
> >admit I know very little about iptables, I've used ipchains forever, but
> >this is so simple I don't understand why it won't work. In
> >/etc/sysconfig/ is the iptables file (and I run service iptables restart
> >after changes). I am trying to get it to accept anything on the private
> >eth0 NIC (it has another NIC for outside world), and the following fails
> >to allow anything below port 1024 in:
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >:RH-Lokkit-0-50-INPUT - [0:0]
> >-A INPUT -j RH-Lokkit-0-50-INPUT
> >
> >-A RH-Lokkit-0-50-INPUT -s 0/0 -d 0/0 -i eth0 -j ACCEPT
>
>
> You're adding it to the end of the rule chain. Check the rules before
> it. Make sure it isn't being denied somewhere closer to the front of
> the chain.
Nope...that is the mystery. What you see above is *literally* the top of
the file. That ACCEPT rule is the first rule in the file.
>
> One of my favorite iptables debugging tools is diff.
> iptables -L -v -n > /tmp/1
>
> iptables -L -v -n > /tmp/2
>
> diff /tmp/1 /tmp/2
>
Fascinating, and eloquent (especially with --side-by-side). It didn't
tell me my answer, but it reveals a lot. It did show the ACCEPT rule
packet count going up (this was after I altered the above rule to allow
port 80 only) after trying to hit it with the web browser. I am
beginning to think it isn't iptables doing the refusal to let me go to
port 80. But the web logs do not indicate a hit of any kind, and the web
server is definitely up and running on port 80. If I telnet to port 80
from outside, it acts as if nothing is running, but if I telnet to port
80 from inside, it works as expected. Doing the diff on the logs, the
only REJECT rules for eth0 have no change in packet counts for the
REJECT rules...nothing hit them...but the ACCEPT rule increments as if
it did accept.
I wonder...does RH 8 (KRUD 8) have by default in the apache stuff a
config which will make it look like no service is even running on the
port under some circumstances, e.g., some sort of auth thing...and not
getting logged? The thing is that if it were apache doing the rejection,
I would expect to reach the port 80 and see something, then be denied,
but it acts just like nothing is on the port at all (this doesn't make
sense except if iptables were cutting the port off). The part that
supports the theory that it isn't iptables but instead apache or xinetd
is that I can do this with ssh and ssh works.
D. Stimits, stimits AT attbi DOT com
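The diff technique Zan Lynx suggests above, carried one step further as an added example that is not part of the thread: instead of eyeballing `diff`, compare two `iptables -L -v -n -x` snapshots rule by rule and print only the rules whose packet counter moved, so a counter that climbs on ACCEPT while REJECT stays at zero is visible at a glance. The snapshots in `demo_counter_delta` are constructed to mimic the chain in the post; `-x` is used so the counters print as exact integers rather than `K`/`M` abbreviations.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live box:
#   iptables -L -v -n -x > /tmp/1; <retry the connection>; iptables -L -v -n -x > /tmp/2
#   counter_delta /tmp/1 /tmp/2

counter_delta() {
    # $1 = snapshot before, $2 = snapshot after (files). Rules are keyed by
    # chain name plus position within the chain, as "-L -v" lists them.
    awk '
        /^Chain / { chain = $2; idx = 0; next }
        /^ *pkts +bytes/ || NF == 0 { next }
        {
            idx++; key = chain "#" idx
            rule = $0; sub(/^ *[0-9]+ +[0-9]+ +/, "", rule)   # drop pkts/bytes columns
            if (NR == FNR) { before[key] = $1 }
            else if ($1 - before[key] > 0)
                printf "%s rule %d: +%d pkts  %s\n", chain, idx, $1 - before[key], rule
        }
    ' "$1" "$2"
}

# Constructed snapshots: three packets hit the ACCEPT rule for port 80
# (and the INPUT jump feeding it); the REJECT rule saw nothing.
demo_counter_delta() {
    b=$(mktemp); a=$(mktemp)
    cat > "$b" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12       1440 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       5        300 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0          0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:0:1023
EOF
    cat > "$a" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      15       1620 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       8        480 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0          0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:0:1023
EOF
    counter_delta "$b" "$a"
    rm -f "$b" "$a"
}

demo_counter_delta
```

If the ACCEPT counter rises and the web server's log stays empty, the packet cleared the filter and the problem lies past iptables, which is the conclusion the post is circling.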