IPtables Installation And Configuration - Failed

After adding the firewall rules, I tested from the LB… all the app servers were reachable only from the LB server. Still the task failed.

yum install iptables-services -y
systemctl start iptables && systemctl status iptables && systemctl enable iptables
rpm -qc iptables-services

LB: 172.16.238.14
iptables -I INPUT -p tcp ! -s 172.16.238.14 --dport 8084 -j REJECT
service iptables save
systemctl restart iptables

I agree that there is a problem with the wording of the question, because I did the same and also got a Failed Task.

Q. * Block incoming port 8084 on all apps for everyone except for LBR host.
Does not say, “Ports to be blocked for all other hosts”
Do they want to:

  • Block all ports on all AppServers?
  • Block all ports for all hosts, except 8084 for LBR host.
    Does “everyone” refer to every user or every host in Stratos except LBR?

P.S. I thought that I should add my thoughts to your question because we had a similar implementation. Only LBR could get the http service from the AppServers.
“Q. * Block incoming port 8084 on all apps for everyone except for LBR host.”

Same here, task still failed and the environment expired as soon as I clicked “finish”, so I could not go back and check if anything was missing.

Hi @bernardo_estevao following steps worked for me:
Installation of IPtables:
#yum install iptables-services -y
#systemctl start iptables
#systemctl enable iptables

Adding the rules as per task
According to the question we have to allow app server access through the LBR host, and only on the port mentioned in the task. The second thing is that we need to reject every other incoming connection on the port mentioned.
IPTables checks rules in sequential order, so when we install iptables the last rule in the INPUT table is a reject-all. So I first replaced that rule using -R with
this one:
iptables -R INPUT 5 -p tcp --destination-port 8084 -s 172.16.238.14 -j ACCEPT
and then appended this rule to the table:
iptables -A INPUT -p tcp --destination-port 8084 -j DROP
Accordingly, iptables will first check the accept rule and allow the incoming connection on that port from the LBR host, and then go on to the next rule, which rejects connections coming in on that port.
If we do it the other way round, it will DROP every connection coming to that port; that is why we placed the ACCEPT rule first.
Finally, do not forget to save these rules so they are persistent, and check that the port is accessible from the LBR host and rejected for every other host.
#service iptables save

Do let me know if there is anything to add. While doing this task a second time I found many people are stuck on it, so I thought I would write about it. I also hope this helps people who are attempting this task and are pretty new to the iptables concept.
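The two approaches in this thread (a single REJECT with a negated source in the first post, and ACCEPT-from-LB followed by DROP above) both depend on rule order and on the rules actually being persisted. The script below is an added example, not code from any post or from KodeKloud: `apply_rules` applies the ACCEPT-then-DROP form using the thread's LB address 172.16.238.14 and port 8084 (it is only defined, never run, since it needs root and iptables), and `check_rules` reads `iptables-save` output on stdin and passes only when port 8084 is blocked for everyone except the LB, in either rule shape. The sample `iptables-save` text is constructed for the self-check and is not real output from the lab.

```shell
#!/bin/sh
# Added example for this thread, not code from any post or from KodeKloud.
# Assumes the values the thread gives: LB host 172.16.238.14, app port 8084,
# and a CentOS iptables-services box whose INPUT chain ends in a catch-all REJECT.

LB_HOST=172.16.238.14
APP_PORT=8084

# Apply the policy (needs root and iptables; defined only, never run here).
# Position 1 puts the LB ACCEPT ahead of the DROP, and the stock catch-all
# REJECT at the end of INPUT is left in place instead of being replaced.
apply_rules() {
    iptables -I INPUT 1 -p tcp -s "$LB_HOST" --dport "$APP_PORT" -j ACCEPT
    iptables -I INPUT 2 -p tcp --dport "$APP_PORT" -j DROP
    service iptables save   # writes /etc/sysconfig/iptables so the rules survive a restart
}

# Verify persisted rules: read iptables-save output on stdin and return 0 only if
# port $APP_PORT is blocked for everyone except $LB_HOST. Two shapes pass:
#   1. an ACCEPT from the LB for the port that comes BEFORE a DROP/REJECT for the port
#   2. a single DROP/REJECT for the port carrying "! -s LB" (the negated form)
# A DROP placed before the ACCEPT fails, because iptables stops at the first match.
check_rules() {
    awk -v lb="$LB_HOST" -v port="$APP_PORT" '
        /^-A INPUT / {
            n++
            if (index($0, "--dport " port " ") == 0) next     # rule is not about our port
            negated = index($0, "! -s " lb) > 0
            from_lb = !negated && index($0, "-s " lb) > 0
            any_src = index($0, "-s ") == 0                    # no source match at all
            blocks  = ($0 ~ /-j (DROP|REJECT)/)
            if (from_lb && $0 ~ /-j ACCEPT/ && !acc) acc = n   # first LB ACCEPT position
            if (blocks && (any_src || negated) && !blk) { blk = n; excl = negated }
        }
        END { exit !(blk && (excl || (acc && acc < blk))) }
    '
}

# Constructed iptables-save excerpt (not real lab output) for a quick self-check.
SAMPLE_GOOD='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8084 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

if printf '%s\n' "$SAMPLE_GOOD" | check_rules; then
    echo "port $APP_PORT reachable only from $LB_HOST: OK"
else
    echo "rule missing or in the wrong order" >&2
fi
```

On a real box run `iptables-save | check_rules` after `service iptables save`, and again after `systemctl restart iptables`, since a rule that passes the first check but not the second was never persisted. Note that `iptables-save` by itself only prints the running rules to stdout; with iptables-services it is `service iptables save` that writes them to /etc/sysconfig/iptables.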

Hi all,

I have just finished the iptables task but it said FAILED, although I think I did everything right.
It says that the rule was not added permanently on App Server 1, but I ran the sudo /sbin/iptables-save command.
@Inderpreet could you please check it out.

Thank you in advance.
Ondrej

Hi @OndrejH, I can't see any appended rule for the INPUT table in the iptables-save command output, as required for the task; that is why it failed. Please check once, or refer to the steps which I have provided above in this thread itself. See if this works.

Hi @akshayyw,

thanks for the reply. I forgot to add the additional screenshot which shows the INPUT rule (the screenshot from the previous comment is not complete).
This is the rest of the screenshot:

Thank you for checking it out.


@KodeKloud, @kodekloud-support3, @Inderpreet could you please take a look at my task?

Thanks in advance,
Ondrej