Dedicated server: iptables
Posted: Mon Apr 23, 2007 5:36 am
by dillion
I have a dedicated server and everything is working as it should (I think!). I added a line in the /etc/sysconfig/iptables file (for port 143) as one of my clients wanted to use IMAP.
Unfortunately, when the server is rebooted, iptables goes back to default. I have tried everything I could to make it use the latest version, but it always goes back to default. I did follow this but same result!
Any ideas would be greatly appreciated.
Posted: Mon Apr 23, 2007 10:57 am
by timvw
From where is your iptables config loaded? If I'm not mistaken, there is an option that you can pass to the iptables command that will save the 'current running configuration' to a file...
Posted: Tue Apr 24, 2007 2:19 am
by dillion
thanks for your response. This might be a strange question but do you mean:
1- open up /etc/sysconfig/iptables in editor
2- make the necessary changes and save it
3- do iptables-save > myiptables.conf
Posted: Tue Apr 24, 2007 10:30 am
by timvw
Yes, but first call iptables-save to store your current 'configset' (by default it will write to /etc/sysconfig/iptables)... In case you want to restore, use iptables-restore.... (
http://iptables-tutorial.frozentux.net/ ... index.html seems to be a good resource...)
Posted: Tue Apr 24, 2007 1:42 pm
by jmut
Just write all the rules you execute to a shell script, started on server startup.
Which startup script this is in your case depends on your distro.
For example, in Slackware
/etc/rc.d/rc.firewall
is executed on startup.
The script starts something like:
Code:
#!/bin/bash
IPTABLES=`which iptables`
# Start from empty chains so the script can be re-run safely
$IPTABLES -F
$IPTABLES -t nat -F
#added by Jens
# Let packets belonging to connections already accepted (or related to them) through
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
.........
Posted: Wed Apr 25, 2007 4:21 am
by dillion
thanks guys for your responses.
I did some searching... the only firewall file I could find was /etc/sysconfig/firewall and it contained some shell code for firewall rules, as shown below:
Code:
#!/bin/sh
#fix for passive ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# Drop ICMP echo request messages sent to multicast or broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie (DoS) protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with crazy source addresses
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
/sbin/iptables --flush
# Allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies to drop all traffic
/sbin/iptables --policy INPUT DROP
#/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
# Allow previously initiated and accepted exchanges to bypass rule checking
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow incoming port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow incoming port 80 and 443 (http/s) traffic
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow incoming port 53 (udp/tcp) dns traffic
/sbin/iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming port 69 (udp/tcp) TFTP traffic
/sbin/iptables -A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
# Allow incoming port 25 (tcp) SMTP traffic
/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Allow incoming port 110 (tcp) POP3 traffic
/sbin/iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
# Allow incoming port 123 (udp) NTP traffic
/sbin/iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# Allow incoming ports 20 and 21 (tcp) FTP traffic
/sbin/iptables -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Allow incoming port 3306 (udp/tcp) MySQL traffic
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT
# Allow incoming port 5555 (tcp) MatrixSA traffic
/sbin/iptables -A INPUT -p tcp --dport 5555 -m state --state NEW -j ACCEPT
# Allow incoming port 8002/9001 (tcp) traffic for initial listeners
/sbin/iptables -A INPUT -p tcp --dport 8002 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 9001 -m state --state NEW -j ACCEPT
# Drop all other inbound traffic
/sbin/iptables -A INPUT -j DROP
# Save these rules so they are initiated when iptables is started
/sbin/service iptables save
So I am assuming this is the one file you are referring to and I have added the following line and saved the file:
Code:
# Allow incoming port 143 (tcp) IMAP traffic - added by me
/sbin/iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
Is that it or am I missing something else?
Thanks again.
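The procedure the thread converges on (Fedora's iptables init script loads /etc/sysconfig/iptables with iptables-restore at boot, and `service iptables save` or `iptables-save` writes that file, as timvw's and dillion's posts above describe) has one ordering trap worth checking: `-A` appends, so an ACCEPT rule that ends up after the chain's catch-all `-A INPUT -j DROP` is never reached, even though it is saved and restored faithfully. The script below is an added example, not code from the thread or from Fedora. It works on a constructed sample of a saved rule set in iptables-save format instead of on the live kernel tables (so it runs unprivileged), inserts the port 143 rule immediately before the catch-all DROP, and verifies that the ACCEPT precedes the DROP. The function names, the sample rules and the temporary file are assumptions of the example; the real file would be edited in place and then loaded with `iptables-restore`.

```shell
#!/bin/bash
# Added example (not from the thread or from Fedora): edit a saved rule
# set in the iptables-save format that "service iptables save" writes to
# /etc/sysconfig/iptables, and check that the new rule is reachable.
set -eu

# Constructed sample of a saved rule set (assumption; not dillion's real file).
make_sample_rules() {   # file
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Line number of the first line matching a basic regex, or empty if none.
rule_line() {   # file pattern
    grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Insert an ACCEPT for a TCP port immediately before the INPUT chain's
# catch-all "-A INPUT -j DROP". Appending it after that line (or after
# COMMIT) would leave it unreachable, because -A appends and the chain is
# evaluated top to bottom. Idempotent: an existing identical rule is kept.
allow_tcp_port() {  # file port
    local file="$1" port="$2" rule drop
    rule="-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    if grep -qF -- "$rule" "$file"; then
        return 0
    fi
    drop=$(rule_line "$file" '^-A INPUT -j DROP$')
    if [ -z "$drop" ]; then
        drop=$(rule_line "$file" '^COMMIT$')   # no catch-all: go before COMMIT
    fi
    awk -v n="$drop" -v rule="$rule" 'NR==n {print rule} {print}' "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 only if the port's ACCEPT exists and precedes the catch-all DROP.
tcp_port_reachable() {  # file port
    local accept drop
    accept=$(rule_line "$1" "^-A INPUT -p tcp -m tcp --dport $2 .*-j ACCEPT$")
    drop=$(rule_line "$1" '^-A INPUT -j DROP$')
    [ -n "$accept" ] && { [ -z "$drop" ] || [ "$accept" -lt "$drop" ]; }
}

# Demonstration on the constructed sample.
f=$(mktemp)
make_sample_rules "$f"
allow_tcp_port "$f" 143
tcp_port_reachable "$f" 143 && echo "port 143 ACCEPT is reachable"
cat "$f"
# On the real box, after editing /etc/sysconfig/iptables, load it (as root):
#   /sbin/iptables-restore < /etc/sysconfig/iptables
#   /sbin/iptables -L INPUT -n --line-numbers
rm -f "$f"
```

The second `iptables -L` command shows the rule numbers in the live INPUT chain, which is the quickest way to confirm that the port 143 rule sits above the final DROP after a reboot.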
Posted: Wed Apr 25, 2007 4:33 am
by jmut
Well, does it work?

It looks like this is it.
You can check the rules with.
And you still didn't mention the OS. Not that I know anything other than Slackware.
Posted: Wed Apr 25, 2007 5:16 am
by dillion
Doh, my apologies, I thought I had already mentioned it! Server running is Fedora 5.
Posted: Wed Apr 25, 2007 3:55 pm
by dillion
Just a quick note that it has worked now! Once again, many thanks to you two for your guidance and advice.
