Troubleshooting iptables on Rackspace Cloud Servers

A common issue when setting up iptables on a new cloud server is that users append a new rule to the end of an existing chain without looking at the ruleset first.

iptables reads each chain top to bottom, and the first matching rule wins. On a default installation of CentOS 5.5, the command iptables -L --line-number yields the following:

Looking at this, you can see that the INPUT chain has a single rule: jump to the RH-Firewall-1-INPUT chain. That chain then has 10 rules, the last of which rejects all traffic. This means that if a packet isn’t explicitly allowed by rules 1-9, it ain’t gonna happen.

The problem comes in when you add a new rule using the -A flag. -A appends the rule, meaning the new rule goes to the bottom of the chain. Here is an example of that, and it is what you do NOT want to do:

Let’s assume that we did run this command. The new output of iptables -L --line-number would be:

See anything wrong here? Let’s look at the INPUT chain. The first rule is to read the RH-Firewall-1-INPUT chain, which has 10 rules. Only after it has read through that whole chain would the next rule in the INPUT chain be read: the rule we just added to open port 80.

The problem is that line 10 of RH-Firewall-1-INPUT rejects anything that didn’t match an earlier rule. That means your rule for opening port 80 will never even be looked at; requests to port 80 will simply be rejected.

Ok, so we need to remove the bad rule and do it right. First, let’s get rid of the bad rule by deleting it by its line number:

To break this command down for you:
iptables: should be pretty obvious…
-D: This option is for DELETE
INPUT: Specify the chain we want to delete from
2: Specify the line number of the rule to remove.

After running that, my bad rule from above will be gone. Now I need to do it the RIGHT way:

This rule looks an awful lot like the one above that I told you not to use, but look closely and you will see that instead of -A for append, this rule uses -I for insert, which puts the rule at the TOP of the chain (line 1). Running iptables -L --line-number now yields the following:

Nice! Now the rule allowing port 80 is read FIRST, and only then does iptables go on to read the RH-Firewall-1-INPUT chain.
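As an added illustration (not the post’s own commands or output), here is a small Python model of the first-match traversal described above. It simulates -A, -I and -D on a constructed ruleset shaped like the CentOS 5.5 default, with a short two-rule RH-Firewall-1-INPUT standing in for the real ten-rule chain, and shows why an appended port-80 rule is never reached while an inserted one is. Port 22 in the stand-in chain and the ACCEPT built-in policy are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    target: str                  # ACCEPT, REJECT, or the name of a chain to jump to
    dport: Optional[int] = None  # match only this destination port (None = any port)

Chains = Dict[str, List[Rule]]  # chain name -> rules, in line-number order

def walk(chains: Chains, chain: str, dport: int, trace: List[str]) -> Optional[str]:
    """Read `chain` top to bottom. Return the first terminating verdict,
    or None if the chain falls through (a user chain returns to its caller)."""
    for idx, rule in enumerate(chains[chain], start=1):
        if rule.dport is not None and rule.dport != dport:
            continue                       # no match: read the next line
        trace.append(f"{chain}:{idx}")
        if rule.target in chains:          # jump into a user-defined chain
            result = walk(chains, rule.target, dport, trace)
            if result is not None:
                return result
            continue                       # user chain fell through: keep reading
        return rule.target                 # ACCEPT or REJECT ends processing
    return None

def verdict(chains: Chains, dport: int, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Verdict for a packet to `dport`, plus the rules consulted on the way.
    Assumes INPUT's built-in policy is ACCEPT (the stock CentOS default)."""
    trace: List[str] = []
    result = walk(chains, "INPUT", dport, trace)
    return (result if result is not None else policy), trace

def default_ruleset() -> Chains:
    """Constructed stand-in for the stock CentOS 5.5 chains described in the post:
    INPUT's only rule jumps to RH-Firewall-1-INPUT, whose last rule rejects all."""
    return {
        "INPUT": [Rule("RH-Firewall-1-INPUT")],
        "RH-Firewall-1-INPUT": [Rule("ACCEPT", dport=22), Rule("REJECT")],
    }

def append_rule(chains: Chains, chain: str, rule: Rule) -> None:
    """iptables -A <chain> ...: the new rule lands at the BOTTOM of the chain."""
    chains[chain].append(rule)

def insert_rule(chains: Chains, chain: str, rule: Rule, pos: int = 1) -> None:
    """iptables -I <chain> [pos] ...: the new rule lands at line `pos` (default 1, the TOP)."""
    chains[chain].insert(pos - 1, rule)

def delete_rule(chains: Chains, chain: str, pos: int) -> None:
    """iptables -D <chain> <pos>: remove the rule at line `pos`."""
    del chains[chain][pos - 1]
```

The trace returned by verdict() shows exactly which lines were consulted, so you can see the appended rule sitting behind the REJECT and never being read.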

Always remember to save! If you do not save your ruleset, all of your rules will be lost when the box reboots!

For Redhat, CentOS, and Fedora:

For Ubuntu:

For all other distros:
