Iptables command from RHEL documentation for cobbler, fails in RHEL 7

cobbleriptablesrhel7satellite

This seems like a very simple question. But I don't see anything much about it on the web. The command comes from the RHEL documentation itself, so I would expect that it works… and yet it fails. Any insight?

Command:

/sbin/iptables -A INPUT -m state --state NEW -m tcp -p udp --dport 25150 -j ACCEPT

Output:

iptables: Invalid argument. Run `dmesg' for more information.

dmesg log:

[ 1719.334534] x_tables: ip_tables: tcp match: only valid for protocol 6

Best Answer

Congratulations, you found an error in the RHEL documentation.

The iptables rule shown here uses the tcp matcher but then attempts to specify the udp protocol. This doesn't work; the tcp matcher can only be used with protocol 6, which happens to be tcp. Thus the error you received.

To correct the rule you have to first figure out which is wrong, the matcher or the protocol. Unfortunately this error has been propagated all over the Internet so this isn't so easy to figure out from an Internet search, and even the Cobbler documentation doesn't clearly mention it.

You can sort it out easily by inspecting the output of ss -nl, and there you should find cobbler listening on TCP port 25150, not UDP. Thus you replace udp with tcp and then report the documentation error to Red Hat.

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Centos – FTP not showing files or directories

Per the comments, disabling SELinux seems to have solved the problem. I would suggest to now:

Turn it back on with setenforce 1.
Use ls -Z /path/to/ftp/home/folder to check the context of the directory you're trying to FTP into, and see if the context is "public_content_t"
If not, use restorecon(8) to fix incorrect context, e.g. restorecon -R /path/to/ftp/home/folder

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Centos – FTP not showing files or directories

Related Topic