IPtables Installation And Configuration - Failed

After adding the firewall rules, i have tested from the LB…all the app server was reachable only from the LB server. Still TASK failed.

yum install iptables-services -y
systemctl start iptables && systemctl status iptables && systemctl enable iptables
rpm -qc iptables-services

LB: 172.16.238.14
iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 8084 -j REJECT
service iptables save
systemctl restart iptables

I agree that there is a problem with the wording of the question, because I did the same and got Faild Task also.

Q. * Block incoming port 8084 on all apps for everyone except for LBR host.
Does not say, “Ports to be blocked for all other hosts”
Do they want to:

  • Block all ports on all AppServers?
  • Block all ports for all hosts, except 8084 for LBR host.
    Does “everyone” refer to every user or every host in Stratos except LBR?

P.S. I thought that I should add my thoughts to your question because we had similar implementation. Only LBR could get http service from AppServers.
“Q. * Block incoming port 8084 on all apps for everyone except for LBR host.”

Same here, task still failed and the environment expired as soon as I clicked “finish”, so I could not go back and check if anything was missing.

Hi @bernardo_estevao following steps worked for me:
Installation of IPtables:
#yum install iptables-services -y
#systemctl start iptables
#systemctl enable iptables

Adding the rules as per task
According to the question we have to allow app server access through LBR host and that too only on the port as mentioned in the task . The 2nd thing here is we need to reject for “every” other incoming connection on port mentioned.
IPTables check rules in a sequential manner so when we install iptables the last rule in INPUT table is of reject all. So I first replaced the rule using -R with
this one:
iptables -R INPUT 5 -p tcp --destination-port -s 172.16.238.14 -j ACCEPT
and then appended this rule the table:
iptables -A INPUT -p tcp --destination-port -j DROP
Accordingly first iptables will check for accept rule and will allow for the incoming connection on the particular port from the LBR host and then it will go to the next rule which reject connections coming on that port.
If we do the vice versa here , it will DROP every connection coming on to that port that is we have placed ACCEPT rule first.
At last do not forget to save this rules to be persistent and check whether it is accessible from LBR host and rejects every other host.
#service iptables save

Do let me know , if there is anything to add, while doing this task second time I found many people are stuck with this task , so I thought to write about it . Also hope this helps people who are attempting this task and are pretty new to the iptables concept.

5 Likes

Hi all,

I have just finished iptables task but it said FAILED but in fact I think I did all good.
It says that the rule was not added permanently on App Server 1 but I did sudo /sbin/iptables-save command.
@Inderpreet could you please check it out.

Thank you in advance.
Ondrej

Hi @OndrejH , I can’t see any appended rule for INPUT table in the iptables-save command output , as required for the task, that is why it failed . Please check once , or refer the steps which I have provided above in this thread itself. See if this works.

Hi @akshayyw,

thanks for reply. I forgot to add the additional screenshot which shows the INPUT rule (the screenshot from previous comment is not complete).
This is the rest of the screenshot:

Thank you for checking it out.

1 Like

@Ayman, @kodekloud-support3, @Inderpreet could you please take a look at my task?

Thanks in advance,
Ondrej

HI Akshayyw , even though I have success with this task, I couldn’t validate my work.
I have used the commands as follows
iptables -A INPUT -p tcp --destination-port 5002 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5002 -j DROP

when I try to telnet from load balancer using the 5002 port, it shows no route to host.
i tried the command as telnet stapp03 5002.What I have done wrong here?please take a look at the attached screenshot.Any help will be appreciated.Thanks.

1 Like

Hi @nidhincn , the rules you set are correct , that is why it is marked as success. You are using incorrect syntax for curl command . It should be just
#curl stapp01:5002 , no need to add username tony there.

1 Like

Thanks Akshayyw for the response, much appreciated.

1 Like

@akshayyw @nidhincn

Hi Akshya, Nidhi,

I followed these two articles to completing this task.

Updated iptables settings on app1, 2 and 3 as below.
iptables -A INPUT -p tcp --destination-port 3004 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3004 -j DROP


I followed this screenshot to verify my task.
I got the same results as Nidhi. However, my task was failed after I submitted the task.
one of you please let me know where I failed? btw, this is the failed error message details on my task.

The task details shows the error that the rules have not been added permanently,.
Did you do #service iptables save? Also no need to add username tony there for curl , same what nidhi did.

Hi Akshay,
I did save the iptables, also while doing curl I did leave out the username.
however, as I recall on app1 I might have executed these commands.
I should have retried it instead of submitting the results. Thank you
iptables -R INPUT 5 -p tcp --destination-port -s 172.16.238.14 -j ACCEPT
and then appended this rule the table:
iptables -A INPUT -p tcp --destination-port -j DROP

Yeah I had posted this earlier the reason I replaced the first rule because already there is a reject entry in the tables by default and iptables check rules preferentially.

@akshayyw

Below are the steps taken by me on stapp01 and stapp02

#sudo yum install iptables-services -y
#sudo systemctl start iptables
#sudo systemctl enable iptables

cd /etc/sysconfig/
sudo vi iptables

Below was the port number assigned in my task
-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP

service iptables save
image
image
what is it I am missing? thanks

Please comment Akshay

@Tej-Singh-Rana @Inderpreet @tanvir0102 @nidhincn
Please comment, how many times I try, I am stuck validating the iptables settings.

Try removing the existing reject rule and then try appending this two:

-A INPUT -p tcp --destination-port 5003 -s 172.16.238.14 -j ACCEPT
-A INPUT -p tcp --destination-port 5003 -j DROP