IPtables Installation And Configuration - Failed

Thanks Akshayyw for the response, much appreciated.

@akshayyw @nidhincn

Hi Akshya, Nidhi,

I followed these two articles to complete this task.

Updated iptables settings on app1, 2 and 3 as below.
iptables -A INPUT -p tcp --destination-port 3004 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3004 -j DROP


I followed this screenshot to verify my task.
I got the same results as Nidhi. However, my task failed after I submitted it.
Could one of you please let me know where I failed? BTW, these are the error message details from my failed task.

The task details show the error that the rules have not been added permanently.
Did you do "service iptables save"? Also, there is no need to add the username tony for curl, same as what Nidhi did.

Hi Akshay,
I did save the iptables, and while doing curl I did leave out the username.
However, as I recall, on app1 I might have executed these commands.
I should have retried it instead of submitting the results. Thank you.
iptables -R INPUT 5 -p tcp --destination-port -s 172.16.238.14 -j ACCEPT
and then appended this rule to the table:
iptables -A INPUT -p tcp --destination-port -j DROP

Yeah, I had posted this earlier: the reason I replaced the first rule is that there is already a reject entry in the table by default, and iptables checks rules in order of preference.

@akshayyw

Below are the steps taken by me on stapp01 and stapp02

#sudo yum install iptables-services -y
#sudo systemctl start iptables
#sudo systemctl enable iptables

cd /etc/sysconfig/
sudo vi iptables

Below was the port number assigned in my task:
-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP

service iptables save

What is it I am missing? Thanks

Please comment Akshay

@Tej-Singh-Rana @Inderpreet @tanvir0102 @nidhincn
Please comment. However many times I try, I am stuck validating the iptables settings.

Try removing the existing reject rule and then try appending these two:

-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP

Still the same issue.
@andrzej @Inderpreet @mouador
Please check and advise. thank you

Not sure, but if you save the iptables and also restart the service, the rules which are set by us get removed. Just save those iptables and then try curling through the LB host.
In the 2nd screenshot, we can clearly see that those rules aren't set when we list all the iptables.

@swaroopcs88

From the second image you provided, there is no added rule.

Hi Akshay,
I am setting the iptables rules from the user account, i.e. tony in the case of the app1 server. After that, I am saving the iptables service and restarting the iptables service.
When I list the iptables after that, I don't see them listed in the results; also, when I try to open the iptables file, my changes aren't saved there either.
Let me know if I am missing anything here.
thanks
Swaroop

But my first screenshot has the rules, which you can see. I am also saving the iptables and restarting the services too.
thanks
Swaroop

@swaroopcs88

  1. What is the output of this command:
    iptables -L INPUT -n --line-numbers

  2. Only the ssh service is allowed by default when installing iptables; all other traffic is denied.

  3. Hint: if you add an iptables rule to the INPUT chain using the -A flag, it will be appended to the end of the rules and you will always get the "no route to host" error message.

As my colleague @Devops said, you have appended the rule to the end with -A. You have to add it with the -I flag
and save your work.
Good luck

@swaroopcs88

As others have mentioned, your iptables is fine, but you were APPENDING the rule rather than INSERTING it. APPENDING (INPUT -A) simply adds your rule to the bottom of the CHAIN, but INSERTING (INPUT -I) adds it to the top. As you might be aware, iptables reads the rules from top to bottom.

For anyone trying this, try not to delete any pre-existing rule in the table; explicitly INSERT your own rules.
For example, the rule "sudo iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 6300 -j REJECT" seems OK to block all connections to port 6300 and allow only connections from the 172.16.238.14 IP, but it requires removing the pre-existing DENY rule at INPUT chain position 5 in order to work; even after saving your iptables across reboot, the system still marks you as failed, probably because it could not see the DENY rule.

@Devops

Please advise.

@mouador
Still the same issue.
Please advise.
thanks

Hi @swaroopcs88,

If you add an iptables rule to the INPUT chain using the -A flag, it will be appended to the end of the rules and you will always get the "no route to host" error message, so you have to apply the rule with -I like this:
iptables -I INPUT -p tcp -s 172.16.238.14 --dport 8086 -j ACCEPT, then save the rules.
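A small first-match simulator of the INPUT chain, added here as an illustration of the -A versus -I point made in the replies above (it is not code from any poster). The default chain it models is a constructed approximation of the iptables-services default (ssh allowed, then a catch-all REJECT); 172.16.238.14 and port 5003 are taken from this thread.

```python
# Added example: why appending (-A) the task's rules below the default REJECT
# never takes effect, while inserting (-I) them at the top does.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port
    src: Optional[str] = None     # source IP; None matches any source

    def matches(self, proto: str, dport: int, src: str) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport)
                and (self.src is None or self.src == src))


# Constructed approximation of the default INPUT chain installed by
# iptables-services: only ssh is accepted, everything else is rejected
# (the real rule is REJECT --reject-with icmp-host-prohibited, which the
# client sees as "No route to host").
DEFAULT_INPUT: List[Rule] = [Rule("ACCEPT", proto="tcp", dport=22), Rule("REJECT")]

LB_HOST = "172.16.238.14"
TASK_RULES: List[Rule] = [Rule("ACCEPT", proto="tcp", dport=5003, src=LB_HOST),
                          Rule("DROP", proto="tcp", dport=5003)]


def evaluate(chain: List[Rule], proto: str, dport: int, src: str) -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(proto, dport, src):
            return rule.target
    return "ACCEPT"  # chain policy when nothing matched


def appended_chain() -> List[Rule]:
    # iptables -A INPUT ...: the new rules land below the catch-all REJECT.
    return DEFAULT_INPUT + TASK_RULES


def inserted_chain() -> List[Rule]:
    # iptables -I INPUT ...: each -I goes to position 1, so issue the DROP
    # first and the ACCEPT second (or give explicit positions) to end up
    # with ACCEPT above DROP as modelled here.
    return TASK_RULES + DEFAULT_INPUT


if __name__ == "__main__":
    for name, chain in (("appended", appended_chain()), ("inserted", inserted_chain())):
        print(name, "LB:", evaluate(chain, "tcp", 5003, LB_HOST),
              "other:", evaluate(chain, "tcp", 5003, "172.16.238.20"))
```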