Chris Nizzardini

Salt Lake City, Utah Developer / Human / Blogger

How to Remove and Add Rules to IP Tables Chains in Centos Linux

Occasionally the iptables firewall at work blocks one of our own hosts. I finally got tired of looking up how to resolve this and decided to document the fix on my blog. I'm not a System Administrator (though by de facto rule I am) and I'm definitely not an iptables expert, so follow at your own risk. Your iptables rule list is probably pretty long, so you'll want to redirect the output of iptables -L into a file to view in Vim. The command below prints every rule with its rule number. Be sure to note which chain each rule is in (e.g. INPUT, LOCALINPUT, LOCALOUTPUT), because rule numbers are only unique within a chain.

sudo iptables -L -n --line-numbers > /tmp/ip.tables
vi /tmp/ip.tables

Note: the -n switch makes iptables print addresses and ports numerically instead of resolving host names, which makes the dump go WAY faster. Because of -n the dump shows IP addresses rather than names, so search for the address. Find the offending rule that you would like to remove and copy it somewhere. You'll probably want to search in Vim for the IP address: press Escape, then forward slash "/", type the IP and press Enter.

In this case I found two rules (actual host name removed for security):

Chain LOCALOUTPUT (1 references)
107  DROP       all  --  anywhere             {hostname}
 
Chain LOCALINPUT (1 references)
107  DROP       all  --  {hostname}  anywhere

Let's remove these by giving iptables the chain and the rule number within that chain. One caveat: after a deletion iptables renumbers the remaining rules in that chain, so if you need to delete several rules from the same chain, delete the highest-numbered one first (here the two rules are in different chains, so the order does not matter). Then rerun the listing command to verify the rules are gone; the > redirection overwrites the dump file, so clearing it first is optional.

sudo iptables -D LOCALINPUT 107
sudo iptables -D LOCALOUTPUT 107
> /tmp/ip.tables
sudo iptables -L -n --line-numbers > /tmp/ip.tables

Now we probably want to prevent this from ever happening again, so let's add an allow rule for our host; replace "{hostname}" with the actual hostname or, better, its IP address (iptables resolves a hostname once, when the rule is added, and stores the resulting address, so a later DNS change will not be picked up). Two details matter here. First, iptables evaluates a chain top to bottom and stops at the first match, and -A appends to the end of the chain, so an ACCEPT appended after the rule that jumps into LOCALINPUT would never be reached; -I INPUT 1 inserts it at the top instead. Second, in the OUTPUT chain our host is the destination, so the match is -d rather than -s. Once this step is complete, dump your iptables rules to a tmp file and verify the change. Then finally verify by actually connecting to the server. In my case, I verified by establishing an SSH connection with the server. Keep in mind that rules added with the iptables command live only in the running kernel; on CentOS run sudo service iptables save if they should survive a reboot, and if a firewall tool generates the LOCALINPUT/LOCALOUTPUT chains it may reapply its own rules when it restarts, so add the allow in its configuration as well.

# -I ... 1 inserts at the top of the chain so the ACCEPT is matched before any DROP
sudo iptables -I INPUT 1 -p all -s {hostname} -j ACCEPT
# in OUTPUT our host is the destination, so match with -d, not -s
sudo iptables -I OUTPUT 1 -p all -d {hostname} -j ACCEPT
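The whole procedure above, scripted, as an added example that is not part of the original post: a POSIX shell script that takes the text of iptables -L -n --line-numbers, finds every rule whose source or destination is a given address, and prints the iptables -D commands to remove them, ordering the commands within each chain highest rule number first so that one deletion does not renumber the next; it then prints the -I ACCEPT rules with -s for INPUT and -d for OUTPUT. The sample dump, the addresses (RFC 5737 documentation ranges) and the rule contents are constructed for the example; the function names delete_commands and allow_commands are my own. Nothing in it touches the live firewall; review the output and then run it as root.

```shell
#!/bin/sh
# Added example (not from the original post). Given the text of
# `iptables -L -n --line-numbers`, emit the `iptables -D` commands that remove
# every rule whose source or destination is a given address, and the `-I`
# commands that put an ACCEPT for that address at the top of INPUT/OUTPUT.
# Nothing here touches the live firewall; the output is meant to be reviewed
# and then run as root.

# Constructed sample dump. Chain names follow the post; the addresses are from
# the RFC 5737 documentation ranges and the rule contents are made up.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOCALOUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain LOCALINPUT (1 references)
num  target     prot opt source               destination
3    DROP       all  --  198.51.100.7         0.0.0.0/0
4    DROP       all  --  192.0.2.10           0.0.0.0/0
107  DROP       all  --  198.51.100.7         0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num  target     prot opt source               destination
107  DROP       all  --  0.0.0.0/0            198.51.100.7
'

# delete_commands ADDR DUMP: print one "iptables -D CHAIN NUM" line per rule
# in DUMP whose source (field 5) or destination (field 6) equals ADDR.
# iptables renumbers the remaining rules of a chain after every deletion, so
# within a chain the commands are ordered highest rule number first; chains
# are listed in the order they are first matched.
delete_commands() {
    printf '%s\n' "$2" | awk -v addr="$1" '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && ($5 == addr || $6 == addr) {
            if (!(chain in rules)) order[++nchains] = chain
            rules[chain] = rules[chain] " " $1
        }
        END {
            for (k = 1; k <= nchains; k++) {
                c = order[k]
                n = split(rules[c], nums, " ")
                # descending insertion sort; chains are short
                for (i = 2; i <= n; i++) {
                    v = nums[i] + 0
                    for (j = i - 1; j > 0 && nums[j] + 0 < v; j--)
                        nums[j + 1] = nums[j]
                    nums[j + 1] = v
                }
                for (i = 1; i <= n; i++)
                    printf "iptables -D %s %s\n", c, nums[i]
            }
        }'
}

# allow_commands ADDR: print the ACCEPT rules. "-I ... 1" puts them at the top
# of the chain so they match before any jump into LOCALINPUT/LOCALOUTPUT, and
# the OUTPUT rule matches our host as the destination (-d), not the source.
allow_commands() {
    printf 'iptables -I INPUT 1 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -I OUTPUT 1 -d %s -j ACCEPT\n' "$1"
}

# Stand-alone run against the constructed dump. For the live tables, replace
# "$SAMPLE_DUMP" with "$(sudo iptables -L -n --line-numbers)".
delete_commands 198.51.100.7 "$SAMPLE_DUMP"
allow_commands 198.51.100.7
```

For the sample dump this prints the LOCALINPUT deletions as 107 then 3, followed by LOCALOUTPUT 107; running them in the printed order keeps every later rule number valid. The script only matches exact addresses, so a rule written as a subnet (192.0.2.0/24) that covers the host would not be found and would have to be handled by hand.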

Hope this helps someone. Respond with questions, comments, or enhancements to the process I used. Thanks.

Resources:
http://www.faqs.org/docs/iptables/commands.html
http://wiki.centos.org/HowTos/Network/IPTables

Chris Nizzardini has been developing web applications since 2006. He lives and works in beautiful Salt Lake City, Utah. If you’re interested in hiring me for contract work please visit IO Spring LLC.

