Categories
Unix

CentOS bootup hangs at iptables

I experienced an odd thing the other day: when I went to reboot a server, it hung at bootup at the iptables/firewall portion of the startup sequence.

I had to do an “Interactive” bootup (by hitting “I”) and then I could say “n” to the firewall section. After that it booted up fine.

I examined my iptables, and some postings on the ’net mention failing to have the loopback interface in the rules, i.e. “-A RH-Firewall-1-INPUT -i lo -j ACCEPT”. I verified I had that, and then I realized that I also had a rule in place that was generated by an auto-rule script that uses IPs from failed attempts in log files. Somehow it had gotten 127.0.0.1 in there! I had to remove a blocking rule for 127.0.0.1 and then it worked.

So, rule of thumb, take care of what goes in your iptables file!
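In the spirit of that rule of thumb, here is an added example (not the post author's auto-rule script) of two checks a log-driven ban script can run: a function that refuses loopback, reserved and malformed addresses before any DROP rule is written, and a grep over a saved rules file for DROP/REJECT rules against 127.0.0.0/8. The function names and the sample rules file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not the post author's script): sanity checks for an auto-ban
# workflow that appends DROP rules for IPs harvested from log files.
# is_safe_to_ban refuses addresses that must never go in the firewall file;
# loopback_blocks audits a saved rules file for the rule that hung the boot.
# Exit 0 if IP may be banned, 1 otherwise. Runs in a subshell so the IFS and
# positional-parameter changes do not leak.
is_safe_to_ban() (
    ip=$1
    # Strictly dotted-decimal: rejects shell metacharacters, empty strings
    # and leading/trailing/double dots that a log scraper might pass through.
    case $ip in
        ''|.*|*.|*..*|*[!0-9.]*) exit 1 ;;
    esac
    IFS=.; set -- $ip                   # split into octets
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || exit 1
    done
    # 127/8 (loopback) and 0/8 must never be dropped: a DROP for 127.0.0.1 is
    # exactly what stalled the boot. 224/4 and 240/4 (multicast/reserved) are
    # never legitimate client sources, so skip them as well.
    case $1 in 0|127) exit 1 ;; esac
    [ "$1" -lt 224 ] || exit 1
    exit 0
)

# Print DROP/REJECT rules in an iptables-save style file whose source lies
# in 127.0.0.0/8, with or without a /prefix length.
loopback_blocks() {
    grep -E -- '-s 127\.[0-9.]+(/[0-9]+)? .*-j (DROP|REJECT)' "$1"
}
# Write a constructed sample rules file (modelled on the RH-Firewall-1-INPUT
# chain) and print its path.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 203.0.113.9/32 -j DROP
-A RH-Firewall-1-INPUT -s 127.0.0.1/32 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
EOF
    echo "$f"
}
# Demo with constructed input a log scraper might produce.
for ip in 203.0.113.9 127.0.0.1 '10.0.0.1;reboot' 300.1.1.1; do
    if is_safe_to_ban "$ip"; then echo "ban  $ip"; else echo "skip $ip"; fi
done
rules=$(sample_rules_file); loopback_blocks "$rules"; rm -f "$rules"
```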


Pure-FTPd is good

I sure do like pure-ftpd, it chroots user logins so they can’t chdir all over the place, and is easy to configure and use.

I did have one case lately where I would connect in and it would hang while “entering passive mode”. It turns out I needed to add some extra stuff into iptables. This did the trick:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m recent --set --name FTP --rdest -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 -m recent --rcheck --seconds 9800 --name FTP --rdest -j ACCEPT