IPtables Installation And Configuration-failed

@Inderpreet @rahul456 Please check the validation issue for this task.

@bilalshakir41396 This is the original error you got for your task

 Apache service on App Server 1 is not reachable from LB host

Which means you didn't add the correct rules in iptables to open Apache access for the LB host (as asked in the question). Even though the Apache service was up, if the correct rules weren't added then it won't be reachable from the LB host.

Thanks for the response,

Can you check whether the below commands I used to add the rules are correct?

sudo iptables -A INPUT -p tcp --destination-port 6100 -s 172.16.238.14 -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 6100 -j DROP

Hello @Inderpreet and @Tej-Singh-Rana

Please kindly check my instance and see where I went wrong.

I ran sudo iptables-save to save the rules persistently across reboots on all app servers but got this error:

  • rule was not added permanently on App Server 1

Hoping to hear from you soon.

In general, AFAIK, iptables-save will save the existing rules to a text file, which you must manually load during boot or on every service restart. In Red Hat based distros, however, you can edit the /etc/sysconfig/iptables file and reload (or restart) the respective systemd service with systemctl reload iptables.

Dropping the traffic is redundant since you specified the source IP in the ACCEPT statement. It would be necessary if the ACCEPT statement was broader and you needed to limit it, e.g. ACCEPT an entire subnet and DROP a couple of hosts.

Theoretically, if you are allowing ONLY a host, you should not allow the entire network.

Try allowing "established, related" also…

Why has my task failed again?

@Inderpreet @rahul456 @Tej-Singh-Rana

I have used the following commands:
sudo yum install iptables-services -y
sudo systemctl start iptables
sudo systemctl enable iptables
iptables -A INPUT -p tcp --destination-port 8083 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 8083 -j DROP
sudo service iptables save

@Inderpreet @rahul456 @Tej-Singh-Rana

I need your help please, or mark it pending and I will do it again.

I think the task is still in your hands. You can take help from the Review section. After getting your doubts cleared, you can attempt it again.

I shared it for reviews, but everyone has the same commands I already used. Can you highlight my mistake? @Tej-Singh-Rana

@bilalshakir41396

Notice that your command comes after the reject action, therefore all traffic is blocked except ssh traffic. This is the most tricky question in the sysadmin tasks. Hint: don't use the -A flag in this task.

Thanks, so what will my commands be? @Devops

I think it will give an error. Add -I before INPUT.

I think, if I click on someone's review (when I have not found anyone's comments as the solution)... I know that after accepting anyone's review the task will be available to work on again,

But I think I will not get complete marks. :slight_smile:

Can you mark it pending? @player001

@bilalshakir41396 when you do a task again, you will receive all points if you do it successfully.

@Nasri

I received 50 percent marks only on success. :slight_smile:

@Devops
Would you please explain why we should not use the -A flag and what is wrong with it?

I really got stuck in this task; I have run the following commands but it did not work.
iptables -A INPUT -p tcp --dport 6400 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --dport 6400 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Am I right? The reason is that -A appends the rule to the end of the iptables file whereas -I inserts it at the first line.

@Nasri

By default, when you install iptables or firewalld, only the ssh service is allowed, as you noticed in this task. Also, iptables applies rules as "first match". So, if you use the -A flag, iptables inserts this rule at the end of the current default rules and the task will fail. You can insert/delete iptables rules at a specific location by using line numbers. For example, if there are 7 current default rules, then you can insert/delete a rule at line 4.

1 Like
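The first-match behaviour described above, as an added example that is not from this thread or from the KodeKloud labs: a small Python model of the INPUT chain that iptables-services installs by default on RHEL-family hosts, showing why a rule appended with -A sits behind the final REJECT while -I, with or without a line number, lands in front of it. The default chain is constructed from a stock /etc/sysconfig/iptables and assumed to match the lab hosts; port 8083 and 172.16.238.14 are the values posted earlier, and the packet is constructed.

```python
import shlex
# Constructed from the stock /etc/sysconfig/iptables that iptables-services installs on
# RHEL/CentOS 7 (assumed to match the lab hosts): ssh is the only NEW traffic allowed.
DEFAULT_INPUT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
OPTS = {"-p": "proto", "--protocol": "proto", "--dport": "dport", "--destination-port": "dport",
        "-s": "src", "--source": "src", "-i": "iface", "--in-interface": "iface",
        "--state": "state", "--ctstate": "state", "-j": "target", "--jump": "target"}

def parse_rule(line):
    """Parse one 'iptables -A|-I CHAIN [n] ...' rule into a dict of match criteria."""
    tok = [p for t in shlex.split(line) for p in (t.split("=", 1) if t.startswith("--") else [t])]
    rule, i = {}, 0
    while i < len(tok):
        if tok[i] in ("-A", "-I"):                       # skip the chain name
            rule["action"], i = tok[i], i + 2
            if i < len(tok) and tok[i].isdigit():        # '-I INPUT <n>' line number
                rule["pos"], i = int(tok[i]), i + 1
        elif tok[i] in OPTS:
            key, val = OPTS[tok[i]], tok[i + 1]
            val = int(val) if key == "dport" else set(val.split(",")) if key == "state" else val
            rule[key], i = val, i + 2
        else:
            i += 1   # '-m state', '-m tcp', '--reject-with ...' add no criteria modelled here
    return rule

class Chain:
    """INPUT chain: the first matching rule wins; policy ACCEPT if nothing matches."""
    def __init__(self, saved=DEFAULT_INPUT):
        self.rules = [parse_rule(l) for l in saved.strip().splitlines()]
    def apply(self, cmd):   # order a new rule the way 'iptables -A' / '-I' would
        r = parse_rule(cmd.replace("sudo ", "").replace("iptables ", "", 1))
        if r["action"] == "-A":
            self.rules.append(r)                         # lands after the final REJECT
        else:
            self.rules.insert(r.get("pos", 1) - 1, r)    # -I defaults to line 1
        return self
    def verdict(self, pkt):
        for r in self.rules:                             # exact-match only, no CIDR sources
            if all(pkt.get(k) in v if k == "state" else pkt.get(k) == v
                   for k, v in r.items() if k not in ("action", "pos", "target")):
                return r["target"]
        return "ACCEPT"

# Constructed packet: the LB host opening a new connection to Apache on port 8083.
LB_SYN = {"proto": "tcp", "dport": 8083, "src": "172.16.238.14", "state": "NEW"}
```

Chain().apply("iptables -A INPUT -p tcp --dport 8083 -s 172.16.238.14 -j ACCEPT").verdict(LB_SYN) gives REJECT, the same command with -I (or -I INPUT 5) gives ACCEPT, which is exactly the difference the checker saw.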

For tutorial/solution - https://youtu.be/oW2UTb-Nfx0 - This video is made by me with sole intention of helping the community

For Tutorial/Solution - Content made for the sole reason of helping the community.