iptables won’t start and missing /proc/modules
When I start system-config-securitylevel-tui the "Security Level" is set to "Disabled" as well as SELinux set to "Disabled".
That's how it has been for as long as I can remember.
The system firewall is and was disabled. Can it be something in my current /etc/iptables that's causing this?
Originally Posted by mapvivo
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
What does that mean?
It's that missing chain. Since you're using your own, just disable the system one with "system-config-securitylevel" (-tui).
@kro
In my /etc/sysconfig/iptables-config I had IPTABLES_MODULES="ip_conntrack_ftp" and IPTABLES_MODULES_UNLOAD="yes"
Changing IPTABLES_MODULES_UNLOAD to "no" fixed the /proc/modules error. THANK YOU
But I'm still stuck with the original problem:
# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
What does that mean?
Speedy059
01-07-2010, 10:50
Why not use centos default kernels? Any special reason/advantage in using OVH homebrew kernels?
mapvivo wrote:
> Unloading iptables modules: Opening /proc/modules: No such file or
> directory
> grep: /proc/modules: No such file or directory
> Opening /proc/modules: No such file or directory
> grep: /proc/modules: No such file or directory
You can remedy that by editing /etc/sysconfig/iptables-config. It is usually
done by default but might be wiped out if you reinstall iptables.
(IPTABLES_MODULES="" and IPTABLES_MODULES_UNLOAD="no")
> How come /proc/modules is missing now?
It never exists on OVH's (static) kernels.
--
Felix
OVH Team
Yes I created this file myself. Why was this running without any problems before the restart and stopped working after restart?
If I use
Code:
system-config-securitylevel-tui
will I be able to add my own custom rules? Will it be in
Code:
/etc/sysconfig/iptables
?
Now I'm asking before I go and make changes. I don't want to end up blocking all access to my website again.
Originally Posted by mapvivo
This is how my iptables looks now
Did you create that file yourself? On Centos, the configuration is set in the file "/etc/sysconfig/iptables" and it looks like you are missing a chain.
Try running ...
Code:
system-config-securitylevel
... and reconfigure it; or if you insist on using your own iptables script, disable it.
This is how my iptables looks now:
Code:
#!/bin/sh
iptables -F INPUT
iptables -F OUTPUT
IPT="iptables"
# list of allowed IP addresses, one per line; the comment has to stay outside
# the quoted list, otherwise the loop below passes the comment words to
# iptables as -s values and those rules fail
ALLOWED="
XXX.XXX.XXX.XXX
"
$IPT -I INPUT -p tcp --dport 80 -j ACCEPT
$IPT -I INPUT -p tcp --dport 443 -j ACCEPT
$IPT -I INPUT -p tcp --dport 3456 -j ACCEPT # really it's a different port
for ip in $ALLOWED
do
    $IPT -I INPUT -p tcp -s "$ip" -j ACCEPT
done
$IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
Any idea what may be causing the problem? If not, I'll check it later line by line.
Thanks for your help so far.
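As an added example that is not code from the thread: the same INPUT rules rebuilt so that the allow list is parsed correctly (comments stripped, entries validated) and applied in an order that cannot cut off the SSH session doing the work, which is what happened with the bare DROP on eth0 earlier in this thread. SSH_PORT, the interface name eth0 and the two allow-list addresses are placeholders and constructed samples; setting IPT to "echo iptables" prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders: SSH_PORT, the allow
# list below, and IPT (IPT="echo iptables" gives a dry run that only prints).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ALLOWED='203.0.113.5      # constructed sample: an admin host
198.51.100.0/24  # constructed sample: an office range'

# Strip "#..." comments and blank lines from an allow list, one entry per line.
# With the comment inside the quoted string, a plain "for ip in $ALLOWED" would
# also hand "#list", "of", "allowed", ... to iptables as -s values.
parse_allowed() {
    printf '%s\n' "$1" | sed 's/#.*//' | tr -s ' \t' '\n' | grep -v '^$'
}

# Accept only a dotted quad, optionally with a /prefix, as an allow-list entry.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

apply_rules() {
    # Loopback, established sessions and SSH are accepted before anything else,
    # so the terminating DROP at the end cannot disconnect the session that is
    # applying these rules.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    for ip in $(parse_allowed "$1"); do
        valid_ipv4 "$ip" || { echo "skipping bad allow-list entry: $ip" >&2; continue; }
        $IPT -A INPUT -p tcp -s "$ip" -j ACCEPT
    done
    # Everything else arriving on the public interface is dropped, as the last rule.
    $IPT -A INPUT -i eth0 -j DROP
}

case "${1:-}" in
    --dry-run) IPT="echo iptables"; apply_rules "$ALLOWED" ;;
    --apply)   apply_rules "$ALLOWED" ;;
esac
```

Run it with --dry-run first and read the printed commands before using --apply from a console session.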
# iptables -A INPUT -i eth0 -j DROP
I only meant for you to try iptables to see if it works (actually I copied and pasted the lines from a guide), but I expected you to check what you were running. Well, I guess I could have chosen better commands. A restart flushes the IP tables.
Regarding the original problem, now that we know that iptables works, I'd look into the script /etc/iptables.
I believe that's the file where you've put all the rules to be set at boot time. I believe that the problem must be in it. It looks like it expects iptables to be installed as a module, but it's not. It's compiled into the static kernel, so there is no need to load it as a module.
Maybe it's due to the update of the iptables. A new version may have caused the script to become incompatible. I would double-check it, even running the commands in run time.
I had not changed a thing before the restart, and afterwards iptables did not want to start, so I reinstalled it, and that's when the /proc/modules error appeared.
# uname -a
Linux ns22943.ovh.net 2.6.27.10-grsec-xxxx-grs-ipv4-64 #5 SMP Wed Apr 1 13:10:38 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
What kernel are you using, and is it the same as you used before the server went down? In fact, why did the server go down, and who did what to bring it up? Maybe if you had a ticket number or something I could check some of this stuff for myself.
Originally Posted by fozl
I did, but all it says is how to set up your rules and nothing about what seems to be my problem, or did I miss something?
OK my website is back.
So I guess iptables rules work as expected from the command line, but that's not how it should be.
Why does service iptables restart keep complaining about /proc/modules, and why do the rules in /etc/iptables not work?
Any ideas?
Originally Posted by mapvivo
iptables -A INPUT -i eth0 -j DROP <- I got disconnected from SSH and can't log in now, great...
DROP whatever comes in on eth0?
Have a look at this in case you've not already:
http://help.ovh.co.uk/Firewall
And use rescue mode to make it all better:
http://help.ovh.co.uk/RescueMode
aaaand the whole website is down....
I should have checked what you were asking me to run.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT <- did not return anything
iptables -A INPUT -i eth0 -j DROP <- I got disconnected from SSH and can't log in now, great...
That's true, OVH kernels are not modular for several reasons, but that's not a problem for iptables to work.
What happens when you're trying to set the rules manually?
# iptables -L
# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -i eth0 -j DROP
I know it's not the same as what you want to run, but at least we'll be checking whether iptables works or not.
Hi
I had a perfectly working iptables, but after a server restart it won't start, giving me the error
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
I haven't changed anything in /etc/iptables.
After some googling I uninstalled iptables `yum uninstall iptables` and installed it again.
Now it's even worse; I'm getting:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: security raw nat mangle fi[FAILED]
Unloading iptables modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
How come /proc/modules is missing now?
I'm using CentOS.
After more googling I found out that the OVH kernel is not modular. How come I had iptables running before the restart (which was due to a failed power socket)?
What should I do?
Thanks.