CODEWITHSUNDEEP
linuxshelllinux-kerneliptables
Junjie
Junjie

Reputation: 1175

failed to apply firewall rules with iptables-restore

Following is the configuration of my iptables,

[root@fabulous ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Dec 23 15:55:09 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

However, when I restart it, I get error as below, as a notification, the failed line is "COMMIT". Could anyone help to point out where the error is? Thanks in advance.

[root@fabulous ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore: line 20 failed
                                                           [FAILED]

Upvotes: 2

Views: 30766

Answers (3)

MonoThreaded
MonoThreaded

Reputation: 12043

I had the same problem because

  1. I was missing the first 7 lines (before my first ACCEPT)
  2. Because I had to add a blank line between my last ACCEPT and COMMIT

Upvotes: 0

Elias Missaoui
Elias Missaoui

Reputation: 9

I had the same issue, that because I had a space before COMMIT. You have to delete that space and all will work perfectly(I hope for you). Elias Missaoui.

Upvotes: -1

leucos
leucos

Reputation: 18269

I would say that -m TCP is missing in this line:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

You can usually get some clues applying the rules yourself with iptables-restore:

iptables-restore < /etc/sysconfig/iptables

EDIT : Spotted it, line 11

-A RH-Firewall-1-INPUT -p udp -m tcp --dport 53 -j ACCEPT

You're specifying udp proto for the tcp module. You probably meant :

-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

Upvotes: 3

Related Questions