iptables problem
Greetings..
I'm having trouble with iptables after upgrading the kernel; one of the rules in /etc/sysconfig/iptables is causing errors when restarting iptables, that is:
--------------------
:INPUT ACCEPT [51:14610]
--------------------
iptables: Applying firewall rules: iptables-restore v1.4.7: Can't set policy `INPUT' on `ACCEPT' line 10: Bad built-in chain name
When I try to ping some domains, I get:
ping: sendmsg: Operation not permitted.
and my /etc/sysconfig/iptables is:
-----------------------------
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*raw
:PREROUTING ACCEPT [677581:1034642618]
:OUTPUT ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*nat
:PREROUTING ACCEPT [57:16626]
:INPUT ACCEPT [51:14610]
:OUTPUT ACCEPT [2201:142272]
:POSTROUTING ACCEPT [2201:142272]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*mangle
:PREROUTING ACCEPT [677581:1034642618]
:INPUT ACCEPT [677575:1034640602]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [395622:31477725]
:POSTROUTING ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:180]
:acctboth - [0:0]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A INPUT -j acctboth
-A FORWARD -j cP-Firewall-1-INPUT
-A OUTPUT -j acctboth
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
----------------------------- hope someone can help TIA.
-
Hello :) The error message you provided indicates an issue with the entry used on line 10 of your firewall rules. Please keep in mind that cPanel does not implement a firewall or this type of iptables firewall rules. Have you considered switching to a third-party application to manage your rules (e.g. CSF)? The rules are more tested with an application such as CSF, so you are less likely to experience compatibility problems. Thank you.
-
Hi, even though cPanel might not actually "implement" iptables rules, as the cPanel staff member suggests, there is no reason why you cannot implement your own iptables rules (either manually or by scripts). Hmm, cPanel does in fact make some iptables rules by virtue of its use of the Bandmin application, but that's a story for another day. Speaking in general about iptables and one kind of error in starting (as I'm not seeing your whole script example you posted on this antiquated PC I'm using at the moment): relative to your "line 10" issue (aside from any obvious syntax errors or rules your system is not capable of), are you certain that you aren't duplicating an action and iptables is choking on it when you try to restart iptables? I'd investigate what you have at line 10 and just prior to it. Visually look it over with that in mind, and you can always exclude (# remark out) a suspect line to see if your error goes away. Best, Drake P.
-
Sorry, I forgot to post line #10, which, if I comment it out, lets iptables start normally: #:INPUT ACCEPT [51:14610] Thanks
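Counting every line of the posted file, comments included, line 10 is the `:INPUT ACCEPT [51:14610]` policy in the `*nat` table, and "Bad built-in chain name" means the running kernel's nat table has no INPUT chain, so iptables-restore refuses the policy line before any rule is loaded. The linter below is an added example, not code from the thread, from cPanel or from the iptables project: it numbers an iptables-save file the way iptables-restore does, maps an error's line number back to its table and text, flags policy lines naming a built-in chain the target kernel lacks (the per-table chain map is an assumption modelling the poster's kernel; kernels 2.6.36 and later also provide nat INPUT, so adjust the map for the kernel you target), flags rules appended to an undeclared chain, and reproduces the poster's fix of commenting the line out so the file can be re-checked before `service iptables restart`. The embedded input is an excerpt of the file posted above with the filter table shortened.

```python
"""Pre-flight linter for iptables-save files (added example, not from the thread)."""
import re

# ASSUMPTION: built-in chains as seen by a kernel WITHOUT the nat INPUT chain,
# which is what the poster's error implies. Kernels 2.6.36 and later also have
# INPUT in the nat table; add it here when linting for such a kernel.
BUILTIN_CHAINS = {
    "raw": {"PREROUTING", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")  # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-[AID]\s+(\S+)")                    # -A CHAIN ...

# Excerpt of the file posted in the thread (raw and nat tables verbatim, filter
# table shortened); line 10 is the nat INPUT policy the error points at.
SAVED_RULES = """\
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*raw
:PREROUTING ACCEPT [677581:1034642618]
:OUTPUT ACCEPT [395622:31477725]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*nat
:PREROUTING ACCEPT [57:16626]
:INPUT ACCEPT [51:14610]
:OUTPUT ACCEPT [2201:142272]
:POSTROUTING ACCEPT [2201:142272]
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
# Generated by iptables-save v1.4.7 on Mon Apr 22 12:03:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:180]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A FORWARD -j cP-Firewall-1-INPUT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Apr 22 12:03:49 2013
"""


def numbered_lines(text):
    """Yield (line_no, table, line). iptables-restore numbers every line from 1,
    comments and blanks included, so these numbers match its error messages."""
    table = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        yield no, table, line


def lint(text, builtin=BUILTIN_CHAINS):
    """Return [(line_no, table, detail)] for lines iptables-restore would reject:
    a policy on a chain the table does not have, or a rule on an undeclared chain."""
    problems = []
    declared = set()
    for no, table, line in numbered_lines(text):
        if line.startswith("*"):
            declared = set(builtin.get(table, ()))  # new table: reset known chains
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if policy == "-":  # user-defined chain declaration
                declared.add(chain)
            elif chain not in builtin.get(table, ()):
                problems.append((no, table, "no built-in chain %s in table %s" % (chain, table)))
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) not in declared:
            problems.append((no, table, "rule on undeclared chain %s" % m.group(1)))
    return problems


def line_context(text, line_no):
    """Return (table, line) for the line number an iptables-restore error names."""
    for no, table, line in numbered_lines(text):
        if no == line_no:
            return table, line
    raise ValueError("file has no line %d" % line_no)


def comment_out(text, line_nos):
    """Return the file with the given lines commented out (the poster's manual fix);
    run lint() on the result to confirm the file is clean before restoring it."""
    out = []
    for no, raw in enumerate(text.splitlines(), start=1):
        out.append("#" + raw if no in line_nos else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = lint(SAVED_RULES)
    for no, table, detail in found:
        print("line %d (*%s): %s -> %s" % (no, table, line_context(SAVED_RULES, no)[1], detail))
    print("after fix:", lint(comment_out(SAVED_RULES, {no for no, _, _ in found})) or "clean")
```

Commenting the line out only drops the policy declaration for a chain the kernel does not have; the nat table in the posted file carries no rules, so nothing else is lost, and the filter rules that actually gate the ports are unaffected. Whether the chain map should include nat INPUT depends on the kernel the file will be restored on, which is why it is a parameter rather than a constant.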