- 05-03-2009 #1 Linux Guru (Join Date: Sep 2004, Posts: 1,532)
To add and remove an iptables rule
Hi folks,
Ubuntu 8.04
To add a rule, should I run:
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then run;
$ sudo iptables-save > rules-saved
to save that rule?
To display/check it:
$ sudo iptables -L
the rule will be displayed
To remove the above rule, should I run:
$ sudo iptables -P INPUT DROP INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then run again:
$ sudo iptables-save > rules-saved
$ sudo iptables -L
the rule will disappear
???
TIA
B.R.
satimis
- 05-07-2009 #2
sudo iptables -P INPUT DROP INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

is not correct. Do the following:

Code:
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables-save > rules-saved
Also I would place the ESTABLISHED,RELATED at the top of the chain.
Here is a tutorial for iptables
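The three commands above, written out as an added example (not code from the thread or from Lazydog): the same default-DROP policy with the ESTABLISHED,RELATED rule first in INPUT, expressed as an iptables-restore file. That form answers the original question about removing a rule too, because iptables-restore replaces the whole table each time it runs, so deleting a rule is just deleting its line and loading again. The allowed inbound TCP ports (22 by default) and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): the rule set Lazydog describes,
# written as an iptables-restore file so the whole filter table is loaded in
# one atomic step and the same file is what you edit to drop a rule later.
# The allowed inbound TCP ports are an assumption for the example.
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"

# Print a complete iptables-restore file for the filter table on stdout.
build_ruleset() {
    printf '%s\n' '*filter'
    # Chain policies; the [0:0] fields are packet/byte counters.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # First rule in INPUT: traffic that belongs to a connection we already
    # accepted, or is related to one (ICMP errors, FTP data, ...).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # New connections only on the listed ports; everything else hits DROP.
    for port in $ALLOW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Load the rule set. iptables-restore flushes the table and replaces it, so
# removing a rule is: delete its line in build_ruleset, run apply_ruleset again.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'apply_ruleset: must run as root' >&2
        return 1
    fi
    build_ruleset | iptables-restore
}

# Live view with rule numbers, for deleting a single rule by position.
show_rules() {
    iptables -L INPUT -n -v --line-numbers
}

# The two ways to remove one rule without reloading everything: repeat the
# exact spec that added it with -D, or give -D the number from show_rules.
delete_established_rule() {
    iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
delete_input_rule_number() {
    iptables -D INPUT "$1"
}

# Snapshot the running rules in iptables-restore format (this is what the
# question's "iptables-save > rules-saved" does; note that nothing reloads
# that file at boot unless you arrange it).
save_rules() {
    iptables-save > "${1:-rules-saved}"
}
```

Source the file and call the functions (`. ./rules.sh && apply_ruleset`), then `show_rules` to confirm the ESTABLISHED,RELATED line is rule 1. On Ubuntu the usual way to make the saved file survive a reboot is a small script in /etc/network/if-pre-up.d/ that runs `iptables-restore < /etc/iptables.rules`; `iptables-save > rules-saved` on its own only writes the file.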
- 05-07-2009 #3 Linux Guru
Hi Lazydog,
Thanks for your advice and URL.
# iptables -P INPUT DROP
No complaint
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Code:
iptables: No chain/target/match by that name

# /etc/init.d/shorewall restart

Code:
Restarting "Shorewall firewall": not done (check /var/log/shorewall-init.log).

# tail /var/log/shorewall-init.log

Code:
Shorewall is not running
15:59:31 Starting Shorewall....
15:59:31 Initializing...
15:59:31 Clearing Traffic Control/QOS
15:59:31 Deleting user chains...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Terminated

This is a virtual machine running OpenVZ. Shorewall is running on the guest. No iptables rules have been set on the host.

Host

$ sudo iptables -L

Code:
[sudo] password for satimis:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Guest

# iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0              anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0              0.0.0.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I have been stuck on this for 2 days without a solution. Googling brought me some info saying the problem comes from the OpenVZ kernel.

Guest:

# uname -r

Code:
2.6.24-24-openvz
I have another virtual machine running Xen. Shorewall is running there without problem.
B.R.
satimis
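An added diagnostic for the failure shown in the post above (this is not code from the thread or from Shorewall). "No chain/target/match by that name" on a rule whose syntax iptables accepted means the kernel could not supply the match or target module the rule needs; here that is the `state` match. Inside an OpenVZ container the modules a guest may use are listed on the host (the IPTABLES= line of the container's config, set with `vzctl set <CTID> --iptables ... --save` per the OpenVZ documentation), which fits the thread's observation that the same Shorewall config works under Xen. The script pulls the failing command out of the shorewall-init.log lines quoted above (embedded here as a constructed sample) and names the extension to look for; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull the failing iptables command(s)
# out of /var/log/shorewall-init.log and name the extension that the kernel
# refused. "No chain/target/match by that name" on a well-formed rule means
# the kernel could not provide the match/target module the rule uses; inside
# an OpenVZ container that is usually because the module is not on the
# container's allowed list (the IPTABLES= line in its config on the host).

# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG='Shorewall is not running
15:59:31 Starting Shorewall....
15:59:31 Initializing...
15:59:31 Clearing Traffic Control/QOS
15:59:31 Deleting user chains...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Terminated'

# stdin: log text. stdout: the command quoted in each
# 'ERROR: Command "..." Failed' line, one per line.
failed_commands() {
    sed -n 's/.*ERROR: Command "\(.*\)" Failed.*/\1/p'
}

# $1: one iptables command line. stdout: every match extension it loads
# (the word after each -m), one per line.
match_extensions() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk 'prev == "-m" { print } { prev = $0 }'
}

# stdin: log text. Prints one line per missing extension; returns 1 when the
# log does not contain the match/target error at all.
diagnose() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q 'No chain/target/match by that name'; then
        echo 'no "No chain/target/match" error in this log'
        return 1
    fi
    printf '%s\n' "$log" | failed_commands | while IFS= read -r cmd; do
        for ext in $(match_extensions "$cmd"); do
            printf 'match extension "%s" is unavailable (needed by: %s)\n' "$ext" "$cmd"
        done
    done
}

# What to run on the box itself, as root, for each extension named above.
# On an OpenVZ guest the module list is controlled from the host
# (vzctl set <CTID> --iptables ... --save), so this prints the checks
# instead of trying to load anything.
live_check() {
    for ext in "$@"; do
        printf 'lsmod | grep -E "ipt_%s|xt_%s"   # is the module loaded?\n' "$ext" "$ext"
        printf 'iptables -m %s --help >/dev/null  # can iptables use the match?\n' "$ext"
    done
}
```

Run it against the real log with `diagnose < /var/log/shorewall-init.log`; for the sample above it reports that the `state` match is unavailable, which is exactly what the hand-typed `-m state` rule tripped over as well. `live_check state` then prints the two commands to confirm it on the guest before asking whoever runs the host to add `ipt_state` to the container's module list.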
- 05-08-2009 #4
You are using shorewall as your firewall, so why are you trying to configure it by hand?
Use the GUI to configure shorewall.
- 05-08-2009 #5 Linux Guru
Hi Robert,
Shorewall has been configured. I followed the following documents to do it:
Firewall
Shorewall
How to set up a mail server on a GNU / Linux system
The same config is working on another virtual machine running Xen. I'm going to remove shorewall and run iptables instead. What basic rules would you suggest? Thanks
B.R.
satimis
- 05-09-2009 #6
This would all depend on what you want to allow in/out from the box.