This iptables script:
#!/bin/sh
service iptables stop
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
service iptables save
service iptables restart
works as expected on a Centos 6.3 server (provided by VPSBlocks.com.au) but not a Centos 6.0 server (provided by VPSNine.com). By "works as expected", I mean that it at least allows incoming access to ports 22, 80 and 443. And by not working, I mean it doesn't allow access.
The one that works has the following /etc/sysconfig/iptables:
# Generated by iptables-save v1.4.7 on Wed Feb 27 19:10:38 2013
*filter
:INPUT DROP [3:453]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:52]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Feb 27 19:10:38 2013
whereas the one that doesn't work has the following /etc/sysconfig/iptables:
# Generated by iptables-save v1.4.7 on Wed Feb 27 11:28:36 2013
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Feb 27 11:28:36 2013
# Generated by iptables-save v1.4.7 on Wed Feb 27 11:28:36 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Feb 27 11:28:36 2013
# Generated by iptables-save v1.4.7 on Wed Feb 27 11:28:36 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Feb 27 11:28:36 2013
If I replace the non-working /etc/sysconfig/iptables with the one that works in the other server, it allows me to keep the current ssh connection, but when I try to get back in, I'm locked out.
Why would the exact same iptables config work on one server but not the other? Could the difference in minor versions of Centos (6.3 vs. 6.0) account for the different behaviour?
Update: The Centos 6.3 server (one on which the iptables config works) uses iptables 1.4.7-5.1.el6_2. The other server uses iptables 1.4.7-3.el6.
Update:
iptables --list
returns the following on BOTH servers:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere multiport dports ssh,http,https state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Update: When I login to the 6.0 server, I see this warning:
Warning: Unknown iptable module: nf_conntrack_ipv4, skipped
I'm not sure how to install this. Is it a kernel module? If so, it looks like I'm snookered.
iptables multiport is a module; check if it is installed on the target CentOS system.
In your script, you might need to flush all the tables in addition to the filter (-F), which defaults to the filter table. Then accept connections to already established sessions with the following line in /etc/sysconfig/iptables, right above the accept rule for the loopback interface. You might also need to manually load the nf_conntrack_ipv4 module with -
If the multiport is giving you a problem, you can add the ports individually for a test.
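The following script is an added example and is not part of the question or the answer above. It applies the answer's advice to the questioner's script: it emits a complete iptables-restore ruleset for the mangle, nat and filter tables (so loading it replaces every table, not only filter), places the ESTABLISHED,RELATED accept rule before the loopback rule, emits one rule per port instead of relying on the multiport match, and reports whether the state/multiport matches and the nf_conntrack_ipv4 module are visible to the running kernel. The port list and the file name are assumptions; the script only generates text and reads /proc, so it runs unprivileged and the output can be reviewed before being loaded with iptables-restore on the real host.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates an
# iptables-restore ruleset and checks for the kernel features it needs.
# Assumed defaults: ports 22,80,443 (override with PORTS=...).

PORTS="${PORTS:-22,80,443}"

# Print a ruleset covering mangle, nat and filter so that iptables-restore
# replaces all three tables (plain `iptables -F` only flushes filter).
# Usage: gen_rules [comma-separated-ports]
gen_rules() {
  ports="${1:-$PORTS}"
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
  # One rule per port, so the ruleset loads even where the multiport
  # match extension is missing.
  for p in $(printf '%s' "$ports" | tr ',' ' '); do
    printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
  done
  printf 'COMMIT\n'
}

# Return 0 if the named match extension (state, multiport, ...) is
# registered with the kernel. The file is absent when ip_tables is not loaded.
has_match() {
  [ -r /proc/net/ip_tables_matches ] && grep -qx "$1" /proc/net/ip_tables_matches
}

# Return 0 if the named kernel module appears in /proc/modules.
module_loaded() {
  [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# Count the per-port ACCEPT rules in a generated ruleset (self-check).
count_port_rules() {
  printf '%s\n' "$1" | grep -c -- '--dport'
}

main() {
  for m in state multiport; do
    has_match "$m" || echo "note: match '$m' not listed in /proc/net/ip_tables_matches" >&2
  done
  module_loaded nf_conntrack_ipv4 || \
    echo "note: nf_conntrack_ipv4 not loaded; try: modprobe nf_conntrack_ipv4" >&2
  gen_rules
}

main
```

Run it as `sh iptables-gen.sh > /tmp/rules.v4` (file name assumed), inspect the file, and then load it on the server with `iptables-restore < /tmp/rules.v4`; the notes on stderr tell you which match or module the answer refers to is missing on that host. Keep the current SSH session open while testing, since the INPUT policy is DROP and the ESTABLISHED,RELATED rule is what keeps that session alive.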