Hi there,


My goal is to be able to reach *any* port on my server from one specific remote location (vpn is not an option). The remote location has a static IP. I achieved this, rather easily in fact, by installing the custom firewall "app" and adding "iptables -I INPUT -s <ip> -j ACCEPT" -- and it worked -- for a long time.

Recently I've found that this no longer works. Now, if I don't ALSO add the port to the 'incoming firewall,' I get no love. This is not an acceptable change, of course, as it then opens that port for everybody.

I suppose I can add it to 'incoming,' then add a drop rule on 'custom,' but that's just silly, when the behavior I need existed in the past.

I need to make *one* change to the system that allows *all* connections from a specific IP. How can I achieve this?
Thursday, June 20 2019, 08:02 PM
Responses (7)
  • Friday, June 21 2019, 03:03 PM
    You've lost a "fi". Try something like:
    #######################################
    # Created by API - Please Do NOT Edit #
    #######################################

    # IPv4 Custom Firewall Rules
    #===========================

    if [ "$FW_PROTO" == "ipv4" ]; then true
    $IPTABLES -I INPUT -s <Chreeper's Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- aperturex
    $IPTABLES -I INPUT -s <Ar50n15t's Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- ar50n15t
    $IPTABLES -I INPUT -s <CSB Law Office Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- csblaw
    $IPTABLES -I INPUT -s 68.238.x.x -j ACCEPT # VTEC Fairpoint
    $IPTABLES -I INPUT -s 24.97.x.x/29 -j ACCEPT # VTEC Spectrum
    # $IPTABLES -I FORWARD -s 172.27.72.0/24 -j DROP # KILL EVERYTHING
    $IPTABLES -I FORWARD -s 172.27.72.126 -j ACCEPT # VBOX
    $IPTABLES -I FORWARD -s 172.27.72.210 -j ACCEPT # MY DESKTOP
    fi

    # IPv6 Custom Firewall Rules
    #===========================

    if [ "$FW_PROTO" == "ipv6" ]; then true
    fi
  • Friday, June 21 2019, 02:37 PM
    Huh. Well, there's a good hint at the problem -- I suppose my custom rules aren't running at all!

    There's no way I'm posting the entire thing in a custom forum, but here's the end, complete with error:

    firewall: Running default forwarding rules
    firewall: iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i pptp+ -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i tun+ -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i enp0s25 -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i enp0s25.6 -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i enp0s25.9 -j ACCEPT
    firewall: Execution time: 0.613s
    firewall: Running post-firewall: 20740
    firewall: Running /etc/clearos/firewall.d/custom
    /etc/clearos/firewall.d/custom: line 23: syntax error: unexpected end of file


    ... and the referenced file:
    #######################################
    # Created by API - Please Do NOT Edit #
    #######################################

    # IPv4 Custom Firewall Rules
    #===========================

    if [ "$FW_PROTO" == "ipv4" ]; then true
    $IPTABLES -I INPUT -s <Chreeper's Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- aperturex
    $IPTABLES -I INPUT -s <Ar50n15t's Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- ar50n15t
    $IPTABLES -I INPUT -s <CSB Law Office Public IP> -p UDP --dport 53 -j ACCEPT # --DNS-- csblaw
    $IPTABLES -I INPUT -s 68.238.x.x -j ACCEPT # VTEC Fairpoint
    $IPTABLES -I INPUT -s 24.97.x.x/29 -j ACCEPT # VTEC Spectrum
    # $IPTABLES -I FORWARD -s 172.27.72.0/24 -j DROP # KILL EVERYTHING
    $IPTABLES -I FORWARD -s 172.27.72.126 -j ACCEPT # VBOX
    $IPTABLES -I FORWARD -s 172.27.72.210 -j ACCEPT # MY DESKTOP

    # IPv6 Custom Firewall Rules
    #===========================

    if [ "$FW_PROTO" == "ipv6" ]; then true
    fi
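    The two posts above show the failure mode worth guarding against: one missing `fi` in /etc/clearos/firewall.d/custom makes bash stop with "syntax error: unexpected end of file", and every custom rule (including the per-IP ACCEPT) silently never loads. The following pre-flight check is an added example, not code from the thread or from ClearOS; it parses the file with `bash -n` before a firewall restart, counts if/fi pairs as a hint, and (as root, on the box) confirms the allow rule actually reached the kernel. The file names, the 192.0.2.10 address and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or ClearOS): pre-flight checks for
# the custom firewall script. A script that does not parse loads no rules.

# Return 0 if the script parses, 1 otherwise. `bash -n` parses the file
# without executing it, so $IPTABLES lines are never run here.
check_custom_fw() {
    file="$1"
    bash -n "$file"
}

# Quick locating hint: count lines opening an "if" versus lines that are a
# bare "fi". Prints both counts; returns 0 only when they balance.
if_fi_balance() {
    file="$1"
    ifs=$(grep -cE '^[[:space:]]*if[[:space:]]' "$file")
    fis=$(grep -cE '^[[:space:]]*fi([[:space:]]|$)' "$file")
    echo "if=$ifs fi=$fis"
    [ "$ifs" -eq "$fis" ]
}

# After firewall-start, confirm the rule is really present. Must run as root
# on the firewall host. "-w" waits for the xtables lock instead of racing the
# other firewall apps, which is why the thread says to use $IPTABLES or
# "iptables -w" rather than plain "iptables" on ClearOS 7.
verify_allow_rule() {
    src="$1"   # e.g. the remote office's static IP
    iptables -w -C INPUT -s "$src" -j ACCEPT 2>/dev/null
}

# Constructed samples in the shape seen in the thread: the broken file closes
# the ipv6 block but not the ipv4 one; the fixed file restores the "fi".
make_samples() {
    dir="$1"
    cat > "$dir/custom.broken" <<'EOF'
if [ "$FW_PROTO" == "ipv4" ]; then true
$IPTABLES -I INPUT -s 192.0.2.10 -j ACCEPT # placeholder office IP
if [ "$FW_PROTO" == "ipv6" ]; then true
fi
EOF
    cat > "$dir/custom.fixed" <<'EOF'
if [ "$FW_PROTO" == "ipv4" ]; then true
$IPTABLES -I INPUT -s 192.0.2.10 -j ACCEPT # placeholder office IP
fi
if [ "$FW_PROTO" == "ipv6" ]; then true
fi
EOF
}
```

    Run `check_custom_fw /etc/clearos/firewall.d/custom` before `firewall-start`, and `verify_allow_rule <ip>` afterwards; a non-zero exit from either means the per-IP allow is not in effect.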
  • Friday, June 21 2019, 07:36 AM
    Please can you start the firewall in debug mode and post the output:
    firewall-start -d
    Especially the bit at the end where the custom rules should trigger.

    Also what is the contents of /etc/clearos/firewall.d/custom?
  • Friday, June 21 2019, 05:52 AM
    Sorry for the delay, I was at my non-computer job.

    [root@c7 ~]# grep IF /etc/clearos/network.conf
    EXTIF="enp4s7"
    LANIF="enp0s25 enp0s25.6 enp0s25.62"
    DMZIF=""
    HOTIF="enp0s25.9"


    This is the same system that was working. I noticed it stopped 3-4 months ago, but this is my own home system and I'm that mechanic whose car never quite runs right -- that is to say, I spend so much of my time working on clients' networks that weird idiosyncrasies with my own tend to go on untouched until either the problem becomes unbearable or I get bored enough to tackle one. This is one of those rare bored situations.
  • Thursday, June 20 2019, 09:39 PM
    OK, so a more complex setup. To save me the effort of working it out, what is the output of:
    grep IF /etc/clearos/network.conf
    Also, please can you produce the output from the setup which you say used to work, without the ports being specified?

    Do you know when things stopped working as there was a firewall update recently which affected 1-to-1 NAT?
  • Thursday, June 20 2019, 09:12 PM
    Hi. I am using $IPTABLES, as the app automatically substitutes that for me.

    I've attached the results of -nvL, except that I've replaced all appearances of my public IP address with "aaabbb.cccddd"; in case this reveals some glaring weakness in my firewall config, I'd rather not advertise it alongside the IP address necessary to exploit it.

    Interestingly, I don't actually see my custom rules represented in here at all. There should be an accept rule from a 66.63.x.x ip address, and another from 24.97.x.x

    [root@c7 ~]# iptables -nvL
    Chain INPUT (policy DROP 15 packets, 1414 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- enp4s7 * 127.0.0.0/8 0.0.0.0/0
    66 7853 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    12 1313 ACCEPT all -- enp0s25 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25.6 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- enp0s25.9 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- enp0s25.9 * 0.0.0.0/0 255.255.255.255 tcp spt:68 dpt:67
    2 141 ACCEPT udp -- enp0s25.9 * 192.168.1.0/24 192.168.1.127 udp dpt:53
    0 0 ACCEPT tcp -- enp0s25.9 * 192.168.1.0/24 192.168.1.127 tcp dpt:53
    0 0 ACCEPT icmp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    0 0 ACCEPT icmp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    1 29 ACCEPT icmp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    0 0 ACCEPT icmp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    0 0 ACCEPT udp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:20
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:20
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:21
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:21
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:2121
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:2121
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:443
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:143
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:143
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:993
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:993
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpts:60000:60999
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpts:60000:60999
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:25
    18 999 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:25
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:465
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:465
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:587
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:587
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:22
    72 8501 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:22
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:81
    6 312 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:81
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:8096
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:8096
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:51413
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:51413
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.127 udp dpt:51413
    347 44718 ACCEPT udp -- * * 0.0.0.0/0 aaabbb.cccddd udp dpt:51413
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:8991
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:8991
    0 0 ACCEPT 47 -- * * 0.0.0.0/0 192.168.1.127
    0 0 ACCEPT 47 -- * * 0.0.0.0/0 aaabbb.cccddd
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:1723
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:1723
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.127 udp dpt:500
    0 0 ACCEPT udp -- * * 0.0.0.0/0 aaabbb.cccddd udp dpt:500
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:500
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:500
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.127 udp dpt:4500
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.127 tcp dpt:4500
    0 0 ACCEPT udp -- * * 0.0.0.0/0 aaabbb.cccddd udp dpt:4500
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 aaabbb.cccddd tcp dpt:4500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 192.168.1.127
    0 0 ACCEPT ah -- * * 0.0.0.0/0 192.168.1.127
    0 0 ACCEPT esp -- * * 0.0.0.0/0 aaabbb.cccddd
    0 0 ACCEPT ah -- * * 0.0.0.0/0 aaabbb.cccddd
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
    0 0 ACCEPT udp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
    9 1323 ACCEPT udp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    2 104 ACCEPT tcp -- enp4s7 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s25.9 enp0s25 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s25.9 enp0s25 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25 enp0s25.9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25.9 enp0s25.6 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s25.9 enp0s25.6 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25.6 enp0s25.9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
    0 0 ACCEPT tcp -- * enp0s25 0.0.0.0/0 172.27.72.184 tcp dpt:3389
    0 0 ACCEPT tcp -- * enp0s25.6 0.0.0.0/0 172.27.72.184 tcp dpt:3389
    0 0 ACCEPT tcp -- * enp0s25.9 0.0.0.0/0 172.27.72.184 tcp dpt:3389
    163 8464 ACCEPT tcp -- * enp0s25 0.0.0.0/0 172.27.72.210 tcp dpt:3389
    0 0 ACCEPT tcp -- * enp0s25.6 0.0.0.0/0 172.27.72.210 tcp dpt:3389
    0 0 ACCEPT tcp -- * enp0s25.9 0.0.0.0/0 172.27.72.210 tcp dpt:3389
    725 604K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s25.6 * 0.0.0.0/0 0.0.0.0/0
    1 52 ACCEPT all -- enp0s25.9 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    66 7853 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    7 613 ACCEPT all -- * enp0s25 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * enp0s25.6 0.0.0.0/0 0.0.0.0/0
    164 13057 ACCEPT icmp -- * enp4s7 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * enp4s7 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * enp4s7 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:20
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:20
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:21
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:21
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:2121
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:2121
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:80
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:80
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:443
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:443
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:143
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:143
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:993
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:993
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spts:60000:60999
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spts:60000:60999
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:25
    14 1134 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:25
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:465
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:465
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:587
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:587
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:22
    65 9991 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:22
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:81
    6 312 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:81
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:8096
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:8096
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:51413
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:51413
    0 0 ACCEPT udp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 udp spt:51413
    351 100K ACCEPT udp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 udp spt:51413
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:8991
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:8991
    0 0 ACCEPT 47 -- * enp0s25.9 192.168.1.127 0.0.0.0/0
    0 0 ACCEPT 47 -- * enp4s7 aaabbb.cccddd 0.0.0.0/0
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:1723
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:1723
    0 0 ACCEPT udp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 udp spt:500
    11 9020 ACCEPT udp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 udp spt:500
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:500
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:500
    0 0 ACCEPT udp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 udp spt:4500
    0 0 ACCEPT tcp -- * enp0s25.9 192.168.1.127 0.0.0.0/0 tcp spt:4500
    0 0 ACCEPT udp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 udp spt:4500
    0 0 ACCEPT tcp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0 tcp spt:4500
    0 0 ACCEPT esp -- * enp0s25.9 192.168.1.127 0.0.0.0/0
    0 0 ACCEPT ah -- * enp0s25.9 192.168.1.127 0.0.0.0/0
    0 0 ACCEPT esp -- * enp4s7 aaabbb.cccddd 0.0.0.0/0
    0 0 ACCEPT ah -- * enp4s7 aaabbb.cccddd 0.0.0.0/0
    2 316 ACCEPT all -- * enp0s25.9 0.0.0.0/0 0.0.0.0/0
    14 1367 ACCEPT all -- * enp4s7 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  • Thursday, June 20 2019, 08:47 PM
    Nothing has changed in the order of the firewall loading, but note that the position of the IPS (snort) rules and app-attack-detector (fail2ban) rules is not guaranteed. They will be in one place (consistently) following a firewall restart, but an app restart may move them.
    If you're using ClearOS7.x, you could be hitting a race condition. In 7.x, in the custom firewall you need to use "$IPTABLES" or "iptables -w" and not "iptables". If you are doing that, please give the output of:
    iptables -nvL
    And please put the output between "code" tags (the piece of paper icon with a <> on it) to make it readable.