The Community Forums


iptables problem

Discussion in 'Security' started by ka992, Apr 15, 2014.

  1. ka992

    ka992 Registered

    Joined:
    Apr 15, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Greetings..

    I'm having trouble with iptables after upgrading the kernel. One of the rules in /etc/sysconfig/iptables is causing errors when restarting iptables, namely:

    --------------------
    :INPUT ACCEPT [51:14610]
    --------------------

    iptables: Applying firewall rules: iptables-restore v1.4.7: Can't set policy `INPUT' on `ACCEPT' line 10: Bad built-in chain name

    when I try to ping some domains I get:

    ping: sendmsg: Operation not permitted.

    and my /etc/sysconfig/iptables is:

    -----------------------------
    Code:
    # Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
    *raw
    :PREROUTING ACCEPT [677581:1034642618]
    :OUTPUT ACCEPT [395622:31477725]
    COMMIT
    # Completed on Mon Apr 22 12:03:49 2013
    # Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
    *nat
    :PREROUTING ACCEPT [57:16626]
    :INPUT ACCEPT [51:14610]
    :OUTPUT ACCEPT [2201:142272]
    :POSTROUTING ACCEPT [2201:142272]
    COMMIT
    # Completed on Mon Apr 22 12:03:49 2013
    # Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
    *mangle
    :PREROUTING ACCEPT [677581:1034642618]
    :INPUT ACCEPT [677575:1034640602]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [395622:31477725]
    :POSTROUTING ACCEPT [395622:31477725]
    COMMIT
    # Completed on Mon Apr 22 12:03:49 2013
    # Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:180]
    :acctboth - [0:0]
    :cP-Firewall-1-INPUT - [0:0]
    -A INPUT -j cP-Firewall-1-INPUT
    -A INPUT -j acctboth
    -A FORWARD -j cP-Firewall-1-INPUT
    -A OUTPUT -j acctboth
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
    -A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    COMMIT
    # Completed on Mon Apr 22 12:03:49 2013
    
    -----------------------------

    Hope someone can help.

    TIA.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The error message you provided indicates an issue with the entry used on line 10 of your firewall rules. Please keep in mind that cPanel does not implement a firewall or these types of iptables firewall rules. Have you considered switching to a third-party application to manage your rules (e.g. CSF)? The rules are more tested with an application such as CSF, so you are less likely to experience compatibility problems.

    Thank you.
     
  3. Drake

    Drake Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Hi,

    Even though cPanel mightn't actually "implement" iptables rules as the cPanel staff member suggests, there is no reason why you cannot implement your own iptables rules (either manually or by scripts).

    Hmm, cPanel does in fact make some iptables rules by virtue of its use of the Bandmin application, but that's a story for another day.

    Speaking in general about iptables and one kind of error in starting (as I'm not seeing the whole script example you posted on this antiquated PC I'm using at the moment):

    Relative to your "Line 10" issue, (aside from any obvious syntax errors or rules not capable by your system) are you certain that you aren't duplicating an action and iptables is choking on it when you try to restart iptables?

    I'd investigate what you have at line 10 and just prior to it. Visually look it over with that in mind, and you can always exclude (# remark out) a suspect line to see if your error goes away.



    Best---
    Drake P.
     
  4. ka992

    ka992 Registered

    Joined:
    Apr 15, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Sorry, I forgot to post line #10, which, if I comment it out, lets iptables start normally:

    #:INPUT ACCEPT [51:14610]

    Thanks
     
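The restore failure in the first post and the fix confirmed in the last one (commenting out the `:INPUT ACCEPT` policy line in the `*nat` table) can be checked mechanically before the rules are applied. The script below is an added example written for this thread, not code from cPanel or any of the posters. It parses an iptables-save dump, numbers lines the same way iptables-restore does (from 1, comments included), and flags any built-in chain policy line naming a chain the table does not have. Which built-in chains the `nat` table offers depends on the kernel, so that set is a parameter; the `NAT_LEGACY` set without an INPUT chain is an assumption modelling the situation reported here, and you should adjust it to whatever `iptables -t nat -L -n` shows on your own kernel. The sample dump is an abridged, constructed copy of the poster's file with the first ten lines kept intact so the line number matches the error message.

```python
"""Validate an iptables-save dump against the built-in chains a table provides.

Added example for this thread; not cPanel's or the poster's code. The NAT_LEGACY
chain set (no nat INPUT chain) is an assumption modelling the kernel in the
thread; adjust it to match the chains your kernel actually exposes.
"""
import re

# Built-in chains per table that do not vary between kernels of this era.
BUILTINS_COMMON = {
    "raw": {"PREROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}
# nat built-ins are kernel dependent, so the caller picks one of these.
NAT_LEGACY = {"PREROUTING", "OUTPUT", "POSTROUTING"}   # assumed: no nat INPUT chain
NAT_MODERN = NAT_LEGACY | {"INPUT"}

# ":CHAIN POLICY [pkts:bytes]" lines; user-defined chains carry "-" as policy.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s")

# Constructed sample: the poster's dump, abridged after the nat table, with the
# first ten lines unchanged so the offending line is still line 10.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*raw
:PREROUTING ACCEPT [677581:1034642618]
:OUTPUT ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*nat
:PREROUTING ACCEPT [57:16626]
:INPUT ACCEPT [51:14610]
:OUTPUT ACCEPT [2201:142272]
:POSTROUTING ACCEPT [2201:142272]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:180]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def builtins_for(nat_builtins):
    """Table -> set of built-in chains, with the caller's nat chain set."""
    return {**BUILTINS_COMMON, "nat": set(nat_builtins)}


def find_bad_policies(dump, nat_builtins=NAT_LEGACY):
    """Return [(line_no, table, chain)] for every policy line that names a
    built-in chain the table does not provide. Line numbers start at 1 and
    count comment lines, matching iptables-restore's error message."""
    tables = builtins_for(nat_builtins)
    table = None
    bad = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        if line.startswith("*"):            # "*nat" etc. opens a table section
            table = line[1:].strip()
            continue
        m = POLICY_RE.match(line)
        if m is None or table is None:
            continue
        chain, policy = m.group(1), m.group(2)
        # Only built-in chains carry a real policy; "-" marks a user chain.
        if policy != "-" and chain not in tables.get(table, set()):
            bad.append((line_no, table, chain))
    return bad


def strip_bad_policies(dump, nat_builtins=NAT_LEGACY):
    """Return the dump with each unsupported policy line commented out, which
    is the manual fix the thread ends on. Everything else is left untouched."""
    bad_lines = {n for n, _, _ in find_bad_policies(dump, nat_builtins)}
    out = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        out.append("#" + line if line_no in bad_lines else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, table, chain in find_bad_policies(SAMPLE_DUMP):
        print(f"line {line_no}: table '{table}' has no built-in chain '{chain}'")
```

Run against the sample with the legacy nat chain set it reports line 10, table nat, chain INPUT; with `NAT_MODERN` it reports nothing, which is the difference a kernel change makes to an otherwise unchanged file. Checking the saved file this way before `service iptables restart` avoids a half-applied ruleset, since iptables-restore commits tables one at a time and stops at the first table that fails to load.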