Move an iptables firewall rule up the chain before a reject rule

Written by - 0 comments

Published on - last updated on May 7th 2021 - Listed in Linux Security Network


Tried to add a CentOS 6.5 server from an old server environment to Icinga 2.
However the connecton to NRPE didn't work, although I added an iptables rule to allow tcp/5666 on the CentOS machine:

root@centos ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT

On the Icinga server I tried a quick verification with telnet and it failed:

root@icinga:~# telnet centosip 5666
Trying centosip...
telnet: Unable to connect to remote host: No route to host

First I suspected routing or VPN issues (the mentioned old server environment was added into our enterprise LAN by using a VPN tunnel), but tcpdump on the centos machine showed me an incoming connection:

[root@centos ~]# tcpdump port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:49:01.018023 IP icingaip.58437 > centos.5666: Flags [S], seq 1750895406, win 29200, options [mss 1368,sackOK,TS val 1991589648 ecr 0,nop,wscale 7], length 0

A quick look at the iptables revealed something interesting:

[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination        
  21G 4775G ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
21667 1820K ACCEPT     icmp --  *      *       0.0.0.0/0    0.0.0.0/0     
1235K   74M ACCEPT     all  --  lo     *       0.0.0.0/0    0.0.0.0/0     
 3297  198K ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:22
 631M   38G ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9200
 265K   16M ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9300
   58  3480 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:80
  18M 1852M REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:5666


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 2131 packets, 593K bytes)
 pkts bytes target     prot opt in     out     source          destination

The INPUT policy is set to ACCEPT, however a "REJECT all" rule was added. It the machine would have been set up by me, I'd rather use a policy REJECT and define accept rules... but that train has departed and the machine was set up this way years ago. So the problem now is that the newly added rule for port tcp/5666 was added after the general reject line.

Unfortunately a rule cannot be just "moved up" in the list, but it can be recreated with a fixed position.

By using the --line-n parameter, the same rules can be looked at with the rule numbers:

[root@centos ~]# iptables -nvL --line-n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out  source      destination        
1      21G 4775G ACCEPT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      state RELATED,ESTABLISHED
2    21678 1821K ACCEPT     icmp --  *      *    0.0.0.0/0   0.0.0.0/0          
3    1235K   74M ACCEPT     all  --  lo     *    0.0.0.0/0   0.0.0.0/0          
4     3299  198K ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      state NEW tcp dpt:22
5     631M   38G ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:9200
6     265K   16M ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:9300
7       58  3480 ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:80
8      18M 1852M REJECT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      reject-with icmp-host-prohibited
9        0     0 ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      state NEW tcp
dpt:5666

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out  source      destination        
1        0     0 REJECT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 124K packets, 32M bytes)
num   pkts bytes target     prot opt in     out  source      destination     

 So if I delete the rule and insert it before the reject line, it should be fine.

[root@centos ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
[root@centos ~]# iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT

[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination         
  21G 4775G ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
21693 1822K ACCEPT     icmp --  *      *       0.0.0.0/0    0.0.0.0/0           
1235K   74M ACCEPT     all  --  lo     *       0.0.0.0/0    0.0.0.0/0         
 3301  198K ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:22
 631M   38G ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9200
 265K   16M ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9300
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:5666
   58  3480 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:80
  18M 1852M REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0       reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3302 packets, 955K bytes)
 pkts bytes target     prot opt in     out     source       destination         

The rule for tcp 5666 was inserted (-I) at line 7, pushing down the previous line 7 (tcp/80) down. It is now definitely above the reject rule, so will it work?

root@icinga:~# telnet centosip 5666
Trying centosip...
Connected to centosip.
Escape character is '^]'.
^]quit

telnet> quit

Yes, it worked!


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Icingaweb   Icingaweb2   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder   


Update cookies preferences