I'm trying to run the following line
echo “-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT” >> /etc/sysconfig/iptables && sudo /etc/init.d/iptables restart
But I get the following error:
iptables: Applying firewall rules: iptables-restore: line 49 failed
[FAILED]
This is my iptables file
# Generated by iptables-save v1.4.7 on Wed Aug 17 19:21:57 2016
*nat
:PREROUTING ACCEPT [55:3224]
:POSTROUTING ACCEPT [696:43973]
:OUTPUT ACCEPT [696:43973]
COMMIT
# Completed on Wed Aug 17 19:21:57 2016
# Generated by iptables-save v1.4.7 on Wed Aug 17 19:21:57 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:cP-Firewall-1-INPUT - [0:0]
-A INPUT -j cP-Firewall-1-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j cP-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2079 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2077 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 26 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2078 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Aug 17 19:21:57 2016
“-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT”
“-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT”
I'm running CentOS 6.8
The quotes are the problem; also, there should be nothing after the final COMMIT.
You can run iptables -A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT then iptables-save to append the rule to the appropriate chain.
If you must edit the /etc/sysconfig/iptables file then do so with vim or vi and insert the rules at line 18.
If you need to add those rules to your cP-Firewall-1-INPUT chain, then replace INPUT with cP-Firewall-1-INPUT, so the command would be iptables -A cP-Firewall-1-INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
I have to allow port 9000 so SonarQube can be accessible, so I flushed iptables and added the configuration below, but since then the following things have been happening:
no external URL connecting
unable to FTP connect via FileZilla (but NFtp working)
Below is the configuration:
# Generated by iptables-save v1.4.7 on Thu Feb 1 08:11:50 2018
*filter
:INPUT DROP [19:1566]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:928]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
COMMIT
# Completed on Thu Feb 1 08:11:50 2018
Please help.
CentOS 6.9
I was finally able to configure it so that git, composer and jenkins can all communicate with the external world and I can ssh via mingw git bash; the configuration script is:
#!/bin/bash
# Start from an empty rule set (-F flushes rules only; policies are set further down)
iptables -F
# Services that must be reachable from outside
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
# Default policies: drop unsolicited inbound and forwarded traffic, allow all outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, and replies to connections this host opened (what FTP, git and composer need)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist to /etc/sysconfig/iptables, reload, and list the result with packet counters
/sbin/service iptables save
/sbin/service iptables restart
/sbin/service network restart
iptables -L -v
I created a service and a deployment. Now from inside the pod I'm trying to connect to its own service. It times out after a few minutes.
This works perfectly fine on Kubernetes 1.5.x but not 1.6.x. FYI - I created the Kubernetes cluster using the kubeadm tool and am using weave as the network plugin.
Cluster dump: https://drive.google.com/file/d/0ByZSwkp_d2U-aFREc3E5SjRCVFU/view?usp=sharing
Connecting to kafka service from other container
root@falkonry-redis-0:/data# curl -v http://falkonry-kafka:9092
* About to connect() to falkonry-kafka port 9092 (#0)
* Trying 10.99.232.10...
* connected
* Connected to falkonry-kafka (10.99.232.10) port 9092 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: falkonry-kafka:9092
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* Recv failure: Connection reset by peer
* Closing connection #0
curl: (56) Recv failure: Connection reset by peer
Connecting to kafka service from inside kafka container
root@falkonry-kafka-56017906-9qlg3:/# curl -v http://falkonry-kafka:9092
* Rebuilt URL to: http://falkonry-kafka:9092/
* Hostname was NOT found in DNS cache
* Trying 10.99.232.10...
^C
Request never finishes.
Service and deployment
Phaguns-MacBook-Pro:falkonryagent phagunbaya$ kubectl describe service falkonry-kafka
Name: falkonry-kafka
Namespace: default
Labels: function=kafka
party=falkonry
Selector: name=falkonry-kafka
Type: ClusterIP
IP: 10.99.232.10
Port: kafka 9092/TCP
Endpoints: 10.32.0.7:9092
Session Affinity: None
No events.
Phaguns-MacBook-Pro:falkonryagent phagunbaya$ kubectl describe deployment falkonry-kafka
Name: falkonry-kafka
Namespace: default
CreationTimestamp: Thu, 06 Apr 2017 16:58:36 -0700
Labels: function=kafka
party=falkonry
Selector: function=kafka,name=falkonry-kafka
Replicas: 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 1 max unavailable, 1 max surge
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
OldReplicaSets: <none>
NewReplicaSet: falkonry-kafka-56017906 (1/1 replicas created)
No events.
iptables-save output
# Generated by iptables-save v1.4.21 on Fri Apr 7 12:16:32 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:720]
:POSTROUTING ACCEPT [16:1038]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-4QD2LE2R2TODS2YV - [0:0]
:KUBE-SEP-6K3WNWFYOAH5UDZ7 - [0:0]
:KUBE-SEP-AR5TRSQMIM2F553H - [0:0]
:KUBE-SEP-BIZOCAOAPTCX4WBC - [0:0]
:KUBE-SEP-F7NTE7AMKDKNWUUF - [0:0]
:KUBE-SEP-FV6ZZ4EMBZMV4DQ5 - [0:0]
:KUBE-SEP-HVHMJPRJS2UA65HH - [0:0]
:KUBE-SEP-IBDVBYXSRD6MIAGE - [0:0]
:KUBE-SEP-KDTJFZVKN4ESIN24 - [0:0]
:KUBE-SEP-KNER6ASWBX763QL7 - [0:0]
:KUBE-SEP-NGQUCFCRE45KSL73 - [0:0]
:KUBE-SEP-NYKTVPUDBMHXGWAX - [0:0]
:KUBE-SEP-QLLLKZOFDP244LAS - [0:0]
:KUBE-SEP-RBQF4CU7COIZTWDJ - [0:0]
:KUBE-SEP-SX34LAYKH37CF5LT - [0:0]
:KUBE-SEP-SZZ7MOWKTWUFXIJT - [0:0]
:KUBE-SEP-TZPDA6OWOVPRIIUZ - [0:0]
:KUBE-SEP-UJJNLSZU6HL4F5UO - [0:0]
:KUBE-SEP-W4RNB3VXXTJ3LGHB - [0:0]
:KUBE-SEP-YYIR7TZA6ZBQSUSF - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-BL55CP3MKKB53NTC - [0:0]
:KUBE-SVC-BV4E552EX2CNKPCU - [0:0]
:KUBE-SVC-BYB5G3MHEBYVN43P - [0:0]
:KUBE-SVC-C64CQIO6Z225CXIH - [0:0]
:KUBE-SVC-CAVFOYOJQPPKKFSK - [0:0]
:KUBE-SVC-DM7TKUYSW7TW345O - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-NTZIAVXWXJCS7DKZ - [0:0]
:KUBE-SVC-PJO6V2NNIUDO2DKL - [0:0]
:KUBE-SVC-QIJ4ARI55YRJ76JG - [0:0]
:KUBE-SVC-QQGUGJWMO5HSN6XL - [0:0]
:KUBE-SVC-RVQUD6RAXHQPQF3I - [0:0]
:KUBE-SVC-SZGELJVIQ5IRMA57 - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-U6PKKNLWPXOUUWIP - [0:0]
:KUBE-SVC-XGPIXF43F4GLZBG7 - [0:0]
:KUBE-SVC-Y4IVC7EWPWRMUFRE - [0:0]
:WEAVE - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.50.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j WEAVE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp --dport 30061 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp --dport 30061 -j KUBE-SVC-SZGELJVIQ5IRMA57
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-4QD2LE2R2TODS2YV -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:rest" -j KUBE-MARK-MASQ
-A KUBE-SEP-4QD2LE2R2TODS2YV -p tcp -m comment --comment "default/falkonry-spark-master:rest" -m tcp -j DNAT --to-destination 10.44.0.6:6066
-A KUBE-SEP-6K3WNWFYOAH5UDZ7 -s 10.32.0.4/32 -m comment --comment "default/falkonry-kafka:kafka" -j KUBE-MARK-MASQ
-A KUBE-SEP-6K3WNWFYOAH5UDZ7 -p tcp -m comment --comment "default/falkonry-kafka:kafka" -m tcp -j DNAT --to-destination 10.32.0.4:9092
-A KUBE-SEP-AR5TRSQMIM2F553H -s 10.24.10.4/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-AR5TRSQMIM2F553H -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-AR5TRSQMIM2F553H --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.24.10.4:6443
-A KUBE-SEP-BIZOCAOAPTCX4WBC -s 10.44.0.3/32 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-MARK-MASQ
-A KUBE-SEP-BIZOCAOAPTCX4WBC -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp -j DNAT --to-destination 10.44.0.3:8080
-A KUBE-SEP-F7NTE7AMKDKNWUUF -s 10.42.0.3/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-F7NTE7AMKDKNWUUF -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.42.0.3:8000
-A KUBE-SEP-FV6ZZ4EMBZMV4DQ5 -s 10.32.0.10/32 -m comment --comment "default/falkonry-redis:redis-cli" -j KUBE-MARK-MASQ
-A KUBE-SEP-FV6ZZ4EMBZMV4DQ5 -p tcp -m comment --comment "default/falkonry-redis:redis-cli" -m tcp -j DNAT --to-destination 10.32.0.10:6379
-A KUBE-SEP-HVHMJPRJS2UA65HH -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:namenode-ui" -j KUBE-MARK-MASQ
-A KUBE-SEP-HVHMJPRJS2UA65HH -p tcp -m comment --comment "default/falkonry-hadoop:namenode-ui" -m tcp -j DNAT --to-destination 10.32.0.7:50070
-A KUBE-SEP-IBDVBYXSRD6MIAGE -s 10.44.0.5/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-IBDVBYXSRD6MIAGE -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.44.0.5:8000
-A KUBE-SEP-KDTJFZVKN4ESIN24 -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:datanode" -j KUBE-MARK-MASQ
-A KUBE-SEP-KDTJFZVKN4ESIN24 -p tcp -m comment --comment "default/falkonry-hadoop:datanode" -m tcp -j DNAT --to-destination 10.32.0.7:50010
-A KUBE-SEP-KNER6ASWBX763QL7 -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:datanode-ui" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNER6ASWBX763QL7 -p tcp -m comment --comment "default/falkonry-hadoop:datanode-ui" -m tcp -j DNAT --to-destination 10.32.0.7:50075
-A KUBE-SEP-NGQUCFCRE45KSL73 -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:webui" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGQUCFCRE45KSL73 -p tcp -m comment --comment "default/falkonry-spark-master:webui" -m tcp -j DNAT --to-destination 10.44.0.6:8080
-A KUBE-SEP-NYKTVPUDBMHXGWAX -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:akka" -j KUBE-MARK-MASQ
-A KUBE-SEP-NYKTVPUDBMHXGWAX -p tcp -m comment --comment "default/falkonry-spark-master:akka" -m tcp -j DNAT --to-destination 10.44.0.6:7077
-A KUBE-SEP-QLLLKZOFDP244LAS -s 10.42.0.1/32 -m comment --comment "default/falkonry-connector:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-QLLLKZOFDP244LAS -p tcp -m comment --comment "default/falkonry-connector:http" -m tcp -j DNAT --to-destination 10.42.0.1:8001
-A KUBE-SEP-RBQF4CU7COIZTWDJ -s 10.32.0.6/32 -m comment --comment "default/falkonry-zookeeper:zookeeper" -j KUBE-MARK-MASQ
-A KUBE-SEP-RBQF4CU7COIZTWDJ -p tcp -m comment --comment "default/falkonry-zookeeper:zookeeper" -m tcp -j DNAT --to-destination 10.32.0.6:2181
-A KUBE-SEP-SX34LAYKH37CF5LT -s 10.42.0.2/32 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-MARK-MASQ
-A KUBE-SEP-SX34LAYKH37CF5LT -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp -j DNAT --to-destination 10.42.0.2:8080
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-TZPDA6OWOVPRIIUZ -s 10.32.0.3/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-TZPDA6OWOVPRIIUZ -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.32.0.3:8000
-A KUBE-SEP-UJJNLSZU6HL4F5UO -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-UJJNLSZU6HL4F5UO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-W4RNB3VXXTJ3LGHB -s 10.32.0.8/32 -m comment --comment "default/falkonry-mongo:mongo-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-W4RNB3VXXTJ3LGHB -p tcp -m comment --comment "default/falkonry-mongo:mongo-http" -m tcp -j DNAT --to-destination 10.32.0.8:27017
-A KUBE-SEP-YYIR7TZA6ZBQSUSF -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:namenode" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYIR7TZA6ZBQSUSF -p tcp -m comment --comment "default/falkonry-hadoop:namenode" -m tcp -j DNAT --to-destination 10.32.0.7:8020
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:akka cluster IP" -m tcp --dport 7077 -j KUBE-SVC-CAVFOYOJQPPKKFSK
-A KUBE-SERVICES -d 10.111.87.193/32 -p tcp -m comment --comment "default/falkonryagent:agent-web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-QQGUGJWMO5HSN6XL
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.107.140.112/32 -p tcp -m comment --comment "default/falkonry-zookeeper:zookeeper cluster IP" -m tcp --dport 2181 -j KUBE-SVC-BYB5G3MHEBYVN43P
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:datanode cluster IP" -m tcp --dport 50010 -j KUBE-SVC-NTZIAVXWXJCS7DKZ
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:datanode-ui cluster IP" -m tcp --dport 50075 -j KUBE-SVC-BL55CP3MKKB53NTC
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.111.174.212/32 -p tcp -m comment --comment "default/falkonry-merlin:merlin-web cluster IP" -m tcp --dport 8080 -j KUBE-SVC-SZGELJVIQ5IRMA57
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:rest cluster IP" -m tcp --dport 6066 -j KUBE-SVC-DM7TKUYSW7TW345O
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:webui cluster IP" -m tcp --dport 8080 -j KUBE-SVC-QIJ4ARI55YRJ76JG
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:namenode cluster IP" -m tcp --dport 9000 -j KUBE-SVC-BV4E552EX2CNKPCU
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:namenode-ui cluster IP" -m tcp --dport 50070 -j KUBE-SVC-U6PKKNLWPXOUUWIP
-A KUBE-SERVICES -d 10.98.38.82/32 -p tcp -m comment --comment "default/falkonry-mongo:mongo-http cluster IP" -m tcp --dport 27017 -j KUBE-SVC-Y4IVC7EWPWRMUFRE
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.90.91/32 -p tcp -m comment --comment "default/falkonry-redis:redis-cli cluster IP" -m tcp --dport 6379 -j KUBE-SVC-PJO6V2NNIUDO2DKL
-A KUBE-SERVICES -d 10.99.232.10/32 -p tcp -m comment --comment "default/falkonry-kafka:kafka cluster IP" -m tcp --dport 9092 -j KUBE-SVC-XGPIXF43F4GLZBG7
-A KUBE-SERVICES -d 10.100.203.65/32 -p tcp -m comment --comment "default/falkonry-riactor:riactor-http cluster IP" -m tcp --dport 8000 -j KUBE-SVC-C64CQIO6Z225CXIH
-A KUBE-SERVICES -d 10.110.120.177/32 -p tcp -m comment --comment "default/falkonry-connector:http cluster IP" -m tcp --dport 8001 -j KUBE-SVC-RVQUD6RAXHQPQF3I
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-BL55CP3MKKB53NTC -m comment --comment "default/falkonry-hadoop:datanode-ui" -j KUBE-SEP-KNER6ASWBX763QL7
-A KUBE-SVC-BV4E552EX2CNKPCU -m comment --comment "default/falkonry-hadoop:namenode" -j KUBE-SEP-YYIR7TZA6ZBQSUSF
-A KUBE-SVC-BYB5G3MHEBYVN43P -m comment --comment "default/falkonry-zookeeper:zookeeper" -j KUBE-SEP-RBQF4CU7COIZTWDJ
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-TZPDA6OWOVPRIIUZ
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-F7NTE7AMKDKNWUUF
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-SEP-IBDVBYXSRD6MIAGE
-A KUBE-SVC-CAVFOYOJQPPKKFSK -m comment --comment "default/falkonry-spark-master:akka" -j KUBE-SEP-NYKTVPUDBMHXGWAX
-A KUBE-SVC-DM7TKUYSW7TW345O -m comment --comment "default/falkonry-spark-master:rest" -j KUBE-SEP-4QD2LE2R2TODS2YV
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-UJJNLSZU6HL4F5UO
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-AR5TRSQMIM2F553H --mask 255.255.255.255 --rsource -j KUBE-SEP-AR5TRSQMIM2F553H
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-AR5TRSQMIM2F553H
-A KUBE-SVC-NTZIAVXWXJCS7DKZ -m comment --comment "default/falkonry-hadoop:datanode" -j KUBE-SEP-KDTJFZVKN4ESIN24
-A KUBE-SVC-PJO6V2NNIUDO2DKL -m comment --comment "default/falkonry-redis:redis-cli" -j KUBE-SEP-FV6ZZ4EMBZMV4DQ5
-A KUBE-SVC-QIJ4ARI55YRJ76JG -m comment --comment "default/falkonry-spark-master:webui" -j KUBE-SEP-NGQUCFCRE45KSL73
-A KUBE-SVC-RVQUD6RAXHQPQF3I -m comment --comment "default/falkonry-connector:http" -j KUBE-SEP-QLLLKZOFDP244LAS
-A KUBE-SVC-SZGELJVIQ5IRMA57 -m comment --comment "default/falkonry-merlin:merlin-web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-SX34LAYKH37CF5LT
-A KUBE-SVC-SZGELJVIQ5IRMA57 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-SEP-BIZOCAOAPTCX4WBC
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SZZ7MOWKTWUFXIJT
-A KUBE-SVC-U6PKKNLWPXOUUWIP -m comment --comment "default/falkonry-hadoop:namenode-ui" -j KUBE-SEP-HVHMJPRJS2UA65HH
-A KUBE-SVC-XGPIXF43F4GLZBG7 -m comment --comment "default/falkonry-kafka:kafka" -j KUBE-SEP-6K3WNWFYOAH5UDZ7
-A KUBE-SVC-Y4IVC7EWPWRMUFRE -m comment --comment "default/falkonry-mongo:mongo-http" -j KUBE-SEP-W4RNB3VXXTJ3LGHB
-A WEAVE -s 10.32.0.0/12 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 10.32.0.0/12 -d 10.32.0.0/12 -j MASQUERADE
-A WEAVE -s 10.32.0.0/12 ! -d 10.32.0.0/12 -j MASQUERADE
COMMIT
# Completed on Fri Apr 7 12:16:32 2017
# Generated by iptables-save v1.4.21 on Fri Apr 7 12:16:32 2017
*filter
:INPUT ACCEPT [741:270665]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [727:337487]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
:WEAVE-NPC - [0:0]
:WEAVE-NPC-DEFAULT - [0:0]
:WEAVE-NPC-INGRESS - [0:0]
-A INPUT -j KUBE-FIREWALL
-A INPUT -d 172.17.50.1/32 -i docker0 -p tcp -m tcp --dport 6783 -j DROP
-A INPUT -d 172.17.50.1/32 -i docker0 -p udp -m udp --dport 6783 -j DROP
-A INPUT -d 172.17.50.1/32 -i docker0 -p udp -m udp --dport 6784 -j DROP
-A INPUT -i docker0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i docker0 -o weave -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o weave -j WEAVE-NPC
-A FORWARD -o weave -m state --state NEW -j NFLOG --nflog-group 86
-A FORWARD -o weave -j DROP
-A FORWARD -i weave ! -o weave -j ACCEPT
-A FORWARD -o weave -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-SERVICES -d 10.111.87.193/32 -p tcp -m comment --comment "default/falkonryagent:agent-web has no endpoints" -m tcp --dport 9090 -j REJECT --reject-with icmp-port-unreachable
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
-A WEAVE-NPC-DEFAULT -m set --match-set weave-k?Z;25^M}|1s7P3|H9i;*;MhG dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-4vtqMI<kx/2]jD%_c0S%thO%V dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-iuZcey(5DeXbzgRFs8Szo]<#p dst -j ACCEPT
COMMIT
# Completed on Fri Apr 7 12:16:32 2017
Kube-proxy logs
I0406 19:42:35.453335 1 server.go:225] Using iptables Proxier.
W0406 19:42:35.559100 1 proxier.go:309] clusterCIDR not specified, unable to distinguish between internal and external traffic
I0406 19:42:35.559155 1 server.go:249] Tearing down userspace rules.
I0406 19:42:35.711702 1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_max' to 524288
I0406 19:42:35.712557 1 conntrack.go:66] Setting conntrack hashsize to 131072
I0406 19:42:35.713879 1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_established' to 86400
I0406 19:42:35.713949 1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_close_wait' to 3600
How did you set up weave? There is a 1.6-specific configuration [1][2] that sets up a role and service account for running weave on clusters with RBAC enabled.
[1] https://github.com/weaveworks/weave/blob/master/prog/weave-kube/weave-daemonset-k8s-1.6.yaml
[2] https://www.weave.works/weave-net-kubernetes-integration/
I am redirecting requests from port 6080 to port 80:
cd /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ProxyRequests off
ProxyPass / http://localhost:6080/
ProxyPassReverse / http://localhost:6080/
</VirtualHost>
and I have port 80 open :
cd /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and I checked with netstat to make sure it is listening.
When I use wget localhost:80 I get index.html retrieved; however, when I try to get the HTML from a browser, I get:
"this webpage is not available".
How can I access this port from outside?
This line is incorrect:
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
Port 80 is supposed to be TCP (not UDP), so change it to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Remove the line below because it doesn't help and is covered by the rule above:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Do you really want port 6080 exposed to the outside world? If not, remove
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
I should point out that removing this line probably won't hurt anything, because it too was specified as using UDP and not TCP. If you did want it exposed to the outside world then you'll have to change it too. Generally, when you do proxying internally behind a firewall you don't intend to expose the internal port, so I would be very suspicious. If for some reason beyond my ability to understand you really do need to expose it too, then you'll have to change the port 6080 line to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6080 -j ACCEPT
I believe it should look like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Looks like you're missing '--state NEW' on the line where you open port 80.
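Both the stray quoted line appended after COMMIT in the first question and the file in this question (where the tcp port 80 ACCEPT sits behind the catch-all REJECT, which is why the corrected file above moves it ahead) can be caught offline before iptables-restore fails. This added example, not code from any of the posters, parses an iptables-save file, flags typographic quotes and lines outside any table, and walks a packet through a chain first-match style; SAMPLE is constructed from this question's file plus the first question's quoted line, and HTTP_SYN/LOCAL_SYN are constructed packets.

```python
"""Lint an iptables-save file and walk a packet through it first-match style. Added example,
not code from the posts above; only -p, -i, --dport, --state/--ctstate are modelled, '!' is refused."""
import shlex

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
OPT_MAP = {"-p": "proto", "-i": "in", "--dport": "dport",
           "--state": "state", "--ctstate": "state"}   # option -> packet field
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """'-A CHAIN opts...' -> {chain, match, target}; shlex keeps quoted --comment text whole."""
    toks = shlex.split(line)
    if "!" in toks:
        raise ValueError("negated match not modelled: " + line)
    rule, i = {"chain": toks[1], "match": {}, "target": None}, 2
    while i < len(toks):
        key, val = toks[i], None
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val, i = toks[i + 1], i + 1           # this option takes a value
        i += 1
        if key == "-j":
            rule["target"] = val
        elif key in OPT_MAP:                      # -m, --comment, --reject-with ... are skipped
            rule["match"][OPT_MAP[key]] = val
    return rule

def parse_save(text):
    """Return ({table: {'policy': {}, 'rules': {}}}, [lint findings with file line numbers])."""
    tables, problems, cur = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in SMART_QUOTES):
            problems.append(f"line {n}: typographic quotes are not rule syntax")
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif cur is None:                         # between a COMMIT and the next *table
            problems.append(f"line {n}: outside any table (after COMMIT); restore fails here")
        elif line == "COMMIT":
            cur = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            cur["rules"].setdefault(rule["chain"], []).append(rule)
    return tables, problems

def rule_matches(rule, pkt):
    for key, want in rule["match"].items():
        have = pkt.get(key)
        if key == "state":
            ok = have in want.split(",")
        elif key == "dport":                      # single port or lo:hi range
            lo, _, hi = want.partition(":")
            ok = have is not None and int(lo) <= have <= int(hi or lo)
        else:
            ok = have == want
        if not ok:
            return False
    return True

def walk(table, chain, pkt, depth=0):
    """First-match evaluation; returns (verdict, 'CHAIN#n') or (policy, 'policy')."""
    for n, rule in enumerate(table["rules"].get(chain, []), 1):
        if not rule_matches(rule, pkt):
            continue
        t = rule["target"]
        if t in TERMINAL:
            return t, f"{chain}#{n}"
        if t == "RETURN":
            break
        if t in table["rules"]:                   # user chain such as cP-Firewall-1-INPUT
            v, where = walk(table, t, pkt, depth + 1)
            if v:
                return v, where
        # LOG, MARK and other non-terminating targets: evaluation continues
    return (table["policy"][chain], "policy") if depth == 0 else (None, None)

# Constructed from the proxy question's filter table, plus the quoted line the first question appended.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
\u201c-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT\u201d
"""
HTTP_SYN = {"proto": "tcp", "dport": 80, "state": "NEW", "in": "eth0"}   # browser from outside
LOCAL_SYN = {**HTTP_SYN, "in": "lo"}                                      # wget localhost:80

def verdict(text, pkt, chain="INPUT"):
    return walk(parse_save(text)[0]["filter"], chain, pkt)
```

verdict(SAMPLE, HTTP_SYN) returns ('REJECT', 'INPUT#5') while verdict(SAMPLE, LOCAL_SYN) returns ('ACCEPT', 'INPUT#2'), the same wget-works-but-browser-fails split the question describes, and parse_save(SAMPLE) reports the quoted line twice (typographic quotes, and outside any table).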
I have my iptables rules loaded in /etc/sysconfig/iptables.
# Generated by iptables-save v1.4.21 on Tue Sep 9 18:38:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1312]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
COMMIT
# Completed on Tue Sep 9 18:38:38 2014
When I run Lynis to audit my server I get the following response.
- Found possible unused iptables rules (3 4 5 6 7 8 9 10 11 12 13 14) [test:FIRE-4513]
It states it found "possible" unused iptables rules. Is this due to a wrong order of my iptables rules?
Thanks in advance for any leads.
Check out the related iptables command and see what rules apply. Then check your netstat -an output and determine if those services are running and get traffic.
If you believe there is traffic and the results stay the same, contact the author of Lynis (lynis-dev@domain)
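The rule numbers Lynis lists come from the per-rule packet counters that the answer points at (iptables -L -v): a rule still at 0 packets has matched nothing since the counters were last zeroed. This added example, not code from the question or answer, parses a constructed 'iptables -L -v -n --line-numbers' listing and returns the zero-count rules per chain; LISTING is constructed in that format from the question's INPUT chain, not the questioner's real counters.

```python
"""Report iptables rules whose packet counters are still zero, the basis of Lynis's
FIRE-4513 "possible unused iptables rules" finding. Added example, not code from the
question or answer; LISTING is constructed in 'iptables -L -v -n --line-numbers' format."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}   # iptables -v abbreviates large counters

def counter(token):
    """'4821' -> 4821, '512K' -> 512000."""
    return int(token[:-1]) * SUFFIX[token[-1]] if token[-1] in SUFFIX else int(token)

def unused_rules(listing):
    """Return {chain: [(rule number, target, match text)]} for rules that matched nothing
    since the counters were last zeroed (boot, 'service iptables restart' or iptables -Z)."""
    unused, chain = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()
        if len(cols) < 10 or not cols[0].isdigit():   # header, blank or stray line
            continue
        num, pkts, target = int(cols[0]), counter(cols[1]), cols[3]
        if pkts == 0:
            unused.setdefault(chain, []).append((num, target, " ".join(cols[10:])))
    return unused

# Constructed listing: shape of the question's INPUT chain with made-up counters.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4821  512K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       35  2100 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10101
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
5      118   14K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for chain, rules in unused_rules(LISTING).items():
        print(chain, [n for n, _, _ in rules])
```

A zero counter means only that nothing has matched since the last reset; a rule shadowed by an earlier one in the same chain shows the same zero, so check the order before deleting anything.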
I've got a machine running CentOS and it's connected to a Windows network. When I try to view the network I'm getting the error "unable to connect share list from server". Once I turned iptables off everything works fine. How can I fix this problem? My current iptables configuration is:
# Generated by iptables-save v1.4.7 on Sat Nov 16 11:06:35 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:360]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 16 11:06:35 2013
You can temporarily add a log rule for rejected traffic:
-A INPUT -j LOG --log-prefix "Rejected: "
before your:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
and you'll see which traffic is rejected.
a] First, log the traffic iptables drops, for example like this:
#----------
# Logs to messages.log
#----------
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: INPUT " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: OUTPUT " --log-level 4
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: FORWARD " --log-level 4
b] Tail the dropped entries from messages:
tomas@raspirarium:~ $ tail -f /var/log/messages |grep "iptables denied"
c] Write iptables rules according to the denied entries in messages.log on the fly, as in the example below:
#----------
# Windows Samba
#----------
# incoming request: LAN clients connect to 139/445 here; the reply leaves from those same ports
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -d 192.168.79.0/24 -m multiport --sports 139,445 -m state --state ESTABLISHED -j ACCEPT
# outgoing also handled: this host connects to LAN shares; replies come back from 139/445
-A OUTPUT -o eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --sports 139,445 -m state --state ESTABLISHED -j ACCEPT
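Once the LOG rules from either answer are in place, the next step is to read what they log rather than turn every denied line into an ACCEPT. This added example, not code from either answer, parses constructed /var/log/messages lines in the kernel LOG format for both prefixes used above ("Rejected: " and "iptables denied: <CHAIN> "), counts only genuine connection attempts, proposes one multiport ACCEPT per protocol for sources inside a trusted subnet (192.168.2.0/24, from the question) and lists sources outside it; all log lines are constructed.

```python
"""Summarise what the LOG rules above write to /var/log/messages, so the ACCEPT rule that
is actually missing can be written and untrusted sources spotted. Added example, not code
from the answers; log lines are constructed in the kernel LOG target's format (MAC/TOS/ID
fields omitted for brevity)."""
import ipaddress
import re
from collections import Counter

# Both prefixes used above: "Rejected: " (rule placed in INPUT) and "iptables denied: <CHAIN> "
LOG_RE = re.compile(r"(?:Rejected: |iptables denied: (?P<chain>[A-Z]+) )(?P<rest>IN=.*)")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return the LOG fields as a dict (plus CHAIN and FLAGS), or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["CHAIN"] = m.group("chain") or "INPUT"
    fields["FLAGS"] = [t for t in m.group("rest").split() if "=" not in t]  # DF, SYN, ACK ...
    return fields

def summarize(lines):
    """Count (chain, proto, dst port, src) over connection attempts only: a TCP packet
    counts when it is a bare SYN, UDP always; stray ACKs of dead flows are noise."""
    counts = Counter()
    for f in filter(None, map(parse_log_line, lines)):
        proto = f.get("PROTO")
        if proto == "TCP" and ("SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]):
            continue
        counts[(f["CHAIN"], proto, f.get("DPT"), f.get("SRC"))] += 1
    return counts

def untrusted_sources(counts, trusted_net):
    """Logged sources outside trusted_net: candidates for investigation, not for an ACCEPT."""
    net = ipaddress.ip_network(trusted_net)
    return {src for (_, _, _, src) in counts if ipaddress.ip_address(src) not in net}

def candidate_rules(counts, trusted_net, chain="INPUT"):
    """One multiport ACCEPT per protocol for drops that came from trusted_net, in the style
    of the Samba rules above. Review before loading: a logged drop proves a request was
    made, not that it should be allowed."""
    net = ipaddress.ip_network(trusted_net)
    ports = {}
    for (ch, proto, dpt, src) in counts:
        if ch == chain and proto in ("TCP", "UDP") and ipaddress.ip_address(src) in net:
            ports.setdefault(proto.lower(), set()).add(int(dpt))
    return [f"-A {chain} -s {net} -p {p} -m multiport --dports "
            f"{','.join(str(x) for x in sorted(ps))} -m state --state NEW -j ACCEPT"
            for p, ps in sorted(ports.items())]

# Constructed sample: two Windows clients on the LAN doing SMB/NetBIOS, one host on the
# internet probing 445, one stray ACK, and one unrelated syslog line.
LOG_SAMPLE = """\
Nov 16 11:10:01 centos kernel: iptables denied: INPUT IN=eth0 OUT= SRC=192.168.2.20 DST=192.168.2.10 LEN=52 TTL=128 DF PROTO=TCP SPT=49320 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:10:01 centos kernel: iptables denied: INPUT IN=eth0 OUT= SRC=192.168.2.20 DST=192.168.2.255 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:10:02 centos kernel: iptables denied: INPUT IN=eth0 OUT= SRC=192.168.2.20 DST=192.168.2.10 LEN=52 TTL=128 DF PROTO=TCP SPT=49321 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:10:03 centos kernel: Rejected: IN=eth0 OUT= SRC=192.168.2.21 DST=192.168.2.255 LEN=229 TTL=128 PROTO=UDP SPT=138 DPT=138 LEN=209
Nov 16 11:10:05 centos kernel: iptables denied: INPUT IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.2.10 LEN=40 TTL=52 PROTO=TCP SPT=55555 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 16 11:10:06 centos kernel: iptables denied: INPUT IN=eth0 OUT= SRC=192.168.2.20 DST=192.168.2.10 LEN=40 TTL=128 DF PROTO=TCP SPT=49320 DPT=445 WINDOW=8192 RES=0x00 ACK URGP=0
Nov 16 11:10:07 centos sshd[1234]: Accepted publickey for tomas from 192.168.2.20 port 49400 ssh2
"""

def report(text, trusted_net):
    """(candidate ACCEPT rules for trusted sources, set of untrusted sources seen)."""
    counts = summarize(text.splitlines())
    return candidate_rules(counts, trusted_net), untrusted_sources(counts, trusted_net)

if __name__ == "__main__":
    rules, outsiders = report(LOG_SAMPLE, "192.168.2.0/24")
    print(*rules, sep="\n")
    print("untrusted sources probing us:", sorted(outsiders))
```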