IPtables Installation And Configuration - Failed

Hi Akshay,
I did save the iptables; also, while doing curl, I did leave out the username.
However, as I recall, on app1 I might have executed these commands.
I should have retried it instead of submitting the results. Thank you.
iptables -R INPUT 5 -p tcp --destination-port -s 172.16.238.14 -j ACCEPT
and then appended this rule to the table:
iptables -A INPUT -p tcp --destination-port -j DROP

Yeah, I had posted this earlier. The reason I replaced the first rule is that there is already a reject entry in the tables by default, and iptables checks rules preferentially.

@akshayyw

Below are the steps taken by me on stapp01 and stapp02

#sudo yum install iptables-services -y
#sudo systemctl start iptables
#sudo systemctl enable iptables

cd /etc/sysconfig/
sudo vi iptables

Below was the port number assigned in my task
-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP

service iptables save
What is it I am missing? Thanks.

Please comment Akshay

@Tej-Singh-Rana @Inderpreet @tanvir0102 @nidhincn
Please comment; however many times I try, I am stuck validating the iptables settings.

Try removing the existing reject rule and then try appending these two:

-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP

still same issue.
@andrzej @Inderpreet @mouador
Please check and advise. Thank you.

Not sure, but if you save the iptables and also restart the service, the rules which are set by us get removed; just save those iptables and then try curling through the lb host.
In the 2nd screenshot, we can clearly see that those rules aren't set when we list all the iptables.

@swaroopcs88

From the second image you provided, there is no added rule.

Hi Akshay,
I am setting the iptables rules from the user account, i.e. tony in the case of the app1 server. After that, I am saving the iptables service and restarting the iptables services.
When I list the iptables after that, I don't see them listed in the results; also, when I try to open the iptables, my changes won't be saved there either.
Let me know if I am missing anything here?
Thanks
Swaroop

But my first screenshot has the rules, which you can see. I am also saving the iptables and restarting the services too.
Thanks
Swaroop

@swaroopcs88

  1. What is the output of this command:
    iptables -L INPUT -n --line-numbers

  2. Only the ssh service is allowed by default when installing iptables; all other traffic is denied.

  3. Hint: if you add an iptables rule to the INPUT chain using the -A flag, it will be appended to the end of the rules and you will always get the "no route to host" error message.

As my colleague @Devops said, you have appended the rule to the end with -A; you have to add it with the -I flag
and save your work.
Good luck

@swaroopcs88

As others have mentioned, your iptables is fine, but you were APPENDING the rule rather than INSERTING it. APPENDING (INPUT -A) simply adds your rule to the bottom of the CHAIN, but INSERTING (INPUT -I) adds it to the top. As you might be aware, iptables reads the rules from top to bottom.

For anyone trying this, try not to delete any pre-existing rule in the table; explicitly INSERT your own rules.
For example, the rule sudo iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 6300 -j REJECT seems OK to block all connections to the 6300 port and allow only connections from the 172.16.238.14 IP, but it requires removing the pre-existing DENY rule at INPUT chain 5 in order to work; even after saving your iptables across reboot, the system still marks you as fail, probably because it could not see the DENY rule.
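As an added illustration (not code from anyone in this thread), here is a small Python model of iptables first-match evaluation on a constructed INPUT chain: it shows why rules added with -A behind the default catch-all REJECT never match, why -I works, and why the single `! -s ... -j REJECT` rule only does the job once the catch-all reject is gone. The default chain below is a simplified stand-in (ssh ACCEPT plus the final REJECT) and the IP and port are the ones from the task above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    """One INPUT rule; a None field means 'any'. negate_src models '! -s'."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    negate_src: bool = False

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        # Source check, inverted when the rule was written with '! -s'.
        if self.src is not None and (self.src == src) == self.negate_src:
            return False
        return True

# Constructed stand-in for the default iptables-services INPUT chain:
# ssh is accepted, everything else hits the catch-all REJECT (rule 5 in the thread).
DEFAULT_INPUT: List[Rule] = [Rule("ACCEPT", "tcp", None, 22), Rule("REJECT")]
LB_IP, PORT = "172.16.238.14", 5003   # values from the task in this thread

def evaluate(chain: List[Rule], proto: str, src: str, dport: int) -> str:
    """First matching rule wins: iptables walks the chain top to bottom."""
    for rule in chain:
        if rule.matches(proto, src, dport):
            return rule.target
    return "ACCEPT"  # chain policy when nothing matched

def append(chain: List[Rule], rule: Rule) -> List[Rule]:        # iptables -A INPUT ...
    return chain + [rule]

def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> List[Rule]:  # iptables -I INPUT [pos] ...
    return chain[:pos - 1] + [rule] + chain[pos - 1:]

ACCEPT_LB = Rule("ACCEPT", "tcp", LB_IP, PORT)
DROP_REST = Rule("DROP", "tcp", None, PORT)

def with_append(src: str) -> str:
    """-A leaves both rules after the catch-all REJECT, so they never match."""
    return evaluate(append(append(DEFAULT_INPUT, ACCEPT_LB), DROP_REST), "tcp", src, PORT)

def with_insert(src: str) -> str:
    """-I twice: ACCEPT on top, DROP second, default rules below."""
    return evaluate(insert(insert(DEFAULT_INPUT, DROP_REST), ACCEPT_LB), "tcp", src, PORT)

def negated_reject_only(src: str, remove_catch_all: bool) -> str:
    """Single '! -s LB_IP --dport PORT -j REJECT' rule, with or without rule 5 removed."""
    base = DEFAULT_INPUT[:-1] if remove_catch_all else DEFAULT_INPUT  # catch-all is last
    return evaluate(insert(base, Rule("REJECT", "tcp", LB_IP, PORT, negate_src=True)), "tcp", src, PORT)
```

Run `iptables -L INPUT -n --line-numbers` on the real host to compare the rule order with the model; the position of the catch-all REJECT is what decides whether a later ACCEPT can ever be reached.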

@Devops

Please advise.

@mouador
still same issue.
please advise.
thanks

Hi @swaroopcs88,

If you add an iptables rule to the INPUT chain using the -A flag, it will be appended to the end of the rules and you will always get the "no route to host" error message, so you have to apply the rule with -I like this:
iptables -I INPUT -p tcp -s 172.16.238.14 --dport 8086 -j ACCEPT, then save the rules

@swaroopcs88

Please follow @mouador's explanation. In this task the -A flag will always lead to "no route to host".

If you see my attached screenshots above, I am using the -I option only.
Am I missing anything? Sorry for bugging you. Thank you.


@swaroopcs88

iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 3003 -j REJECT

Then, after saving this rule, you should see it at top of iptables rules.
