Debugging iptables on Red Hat and CentOS

When setting up new services on a clean Red Hat or CentOS install, many administrators run into problems caused by the default security settings. Red Hat is secured by default: among other things, the iptables firewall and SELinux are both enabled right after installation.

I will never recommend disabling iptables without first trying to add the required rules, because OS security is just as important as the configuration of the service you are setting up.

The easiest way to debug an iptables configuration is to log the packets it drops.

Open /etc/sysconfig/iptables in a text editor. Find these two lines:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

And replace them with the following:

-N LOGGING
-A INPUT -j LOGGING
-A FORWARD -j LOGGING
# Log at warning level (4): rsyslog's default "*.info" selector does not write debug-level (7) kernel messages to /var/log/messages
-A LOGGING -m limit --limit 3/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j REJECT --reject-with icmp-host-prohibited

Logs will appear in /var/log/messages, for example:

Feb 18 10:08:54 centos6 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:c8:14:11:64:70:02:04:db:06:08:00 SRC=192.168.0.45 DST=192.168.0.217 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3381 DF PROTO=TCP SPT=1516 DPT=63860 WINDOW=65535 RES=0x00 SYN URGP=0

The SRC, DST, PROTO and DPT fields tell you exactly which port and protocol the blocked client was trying to reach, so you can add a rule for that service and nothing more.
Hardly ever add -A INPUT -j ACCEPT to solve your firewall problems! It accepts every packet and leaves the firewall switched on in name only.
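As an added example (not code from the original post), here is a small Python script that reads /var/log/messages lines in the format produced by the LOG rule above, counts the drops per protocol and destination port, and prints a narrow ACCEPT rule in the style of the stock CentOS 6 ruleset for each one. It assumes the "IPTables-Dropped:" prefix shown in the sample log entry; the log lines embedded in it are constructed.

```python
import re
from collections import Counter

# Must match the --log-prefix of the LOG rule (the sample log entry above
# uses "IPTables-Dropped:"; adjust if you chose another prefix).
LOG_PREFIX = "IPTables-Dropped:"
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; OUT= may be empty

# Constructed sample of /var/log/messages: three TCP drops, one UDP drop
# and one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Feb 18 10:08:54 centos6 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:c8:14:11:64:70:02:04:db:06:08:00 SRC=192.168.0.45 DST=192.168.0.217 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3381 DF PROTO=TCP SPT=1516 DPT=63860 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 18 10:09:01 centos6 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:c8:14:11:64:70:02:04:db:06:08:00 SRC=192.168.0.45 DST=192.168.0.217 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3382 DF PROTO=TCP SPT=1517 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 18 10:09:02 centos6 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:c8:14:11:64:70:02:04:db:06:08:00 SRC=192.168.0.45 DST=192.168.0.217 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3383 DF PROTO=TCP SPT=1518 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 18 10:09:05 centos6 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:c8:14:11:64:70:02:04:db:06:08:00 SRC=192.168.0.45 DST=192.168.0.217 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48
Feb 18 10:09:07 centos6 sshd[1234]: Accepted publickey for admin from 192.168.0.45 port 1519 ssh2
"""

def parse_dropped(lines, prefix=LOG_PREFIX):
    """One dict per LOG-rule line; bare flags (DF, SYN, ...) go under 'flags'."""
    records = []
    for line in lines:
        _, sep, tail = line.partition(prefix)
        if not sep:
            continue  # not a firewall log line (sshd, cron, ...)
        rec = dict(KV_RE.findall(tail))
        rec["flags"] = [tok for tok in tail.split() if "=" not in tok]
        records.append(rec)
    return records

def summarize(records):
    """Count drops per (PROTO, DPT); ICMP and fragments carry no DPT."""
    return Counter((r.get("PROTO", "?"), r.get("DPT", "-")) for r in records)

def suggest_rule(proto, dport):
    """Narrow ACCEPT for one service, in the style of the stock CentOS 6 ruleset.
    Place it above '-A INPUT -j LOGGING' (or the REJECT line) in the file."""
    p = proto.lower()
    return f"-A INPUT -m state --state NEW -m {p} -p {p} --dport {dport} -j ACCEPT"

if __name__ == "__main__":
    counts = summarize(parse_dropped(SAMPLE_LOG.splitlines()))
    for (proto, dport), n in counts.most_common():
        print(f"{n:4d} drops  {proto}/{dport}")
        if dport != "-":
            print("      candidate rule:", suggest_rule(proto, dport))
```

Run it against the real file with `python3 dropped.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin`; only add the rule for the port your service actually uses.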
