http://docwiki.cisco.com/w/index.php?title=IPTables_(firewall)&feed=atom&action=historyIPTables (firewall) - Revision history2013-05-22T01:59:10ZRevision history for this page on the wikiMediaWiki 1.16.0http://docwiki.cisco.com/w/index.php?title=IPTables_(firewall)&diff=41089&oldid=prevCchetty: 1 revision2011-06-07T05:40:38Z<p>1 revision</p>
<table style="background-color: white; color:black;">
<tr valign='top'>
<td colspan='1' style="background-color: white; color:black;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black;">Revision as of 05:40, 7 June 2011</td>
</tr></table>Cchettyhttp://docwiki.cisco.com/w/index.php?title=IPTables_(firewall)&diff=41088&oldid=prevAmde at 07:21, 6 June 20112011-06-06T07:21:09Z<p></p>
<p><b>New page</b></p><div>'''Indication:''' <br />
Traffic/communication issue on a specific port.<br />
<br />
'''Problem:'''<br />
Firewall could be blocking port.<br />
<br />
First step is to verify the port information is shown (using CLI or GUI) and that its status is correct. Information about IPTables (firewall) could be obtained through following ways:-<br />
<br />
''GUI''<br />
Cisco Unified OS Administration<br />
Show->IP Preferences<br />
''CLI'' <br />
show network ipprefs<br />
show network ipprefs all<br />
show network ipprefs enabled<br />
show network ipprefs public<br />
<br />
Next, verify the port is shown in the firewall rules. Use the CLI command “utils firewall list”. Note, if the port is not shown in the list it is being blocked. <br />
You can verify ports are being blocked by the firewall by turning on the debug mode in the firewall. Use the CLI command “utils firewall debug”. This will cause iptables to log every packet it blocks.<br />
<br />
There are logs that detail when changes to the firewall or changes to the port information occur:<br />
<br />
syslog/messages – iptables log <br />
<br />
syslog/secure – will show changes to port information (such as when a port is enabled/disabled).<br />
<br />
Note, the syslog logs are available via RTMT. Same can also be obtained via CLI, following are the commands:-<br />
file get activelog syslog/messages<br />
file get activelog syslog/secure<br />
<br />
Note, we throttle the log messages going into the log. So, if there are lots of packets getting blocked, we might not log all instances.<br />
Example from syslog messages log:<br />
Aug 4 10:32:23 bldr-ccm23 kern 4 kernel: dropped packet IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:20:6c:a0:c5:08:00 SRC=10.94.150.77 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308<br />
Aug 4 10:32:25 bldr-ccm23 kern 4 kernel: dropped packet IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:7f:b4:3f:52:08:00 SRC=10.94.150.72 DST=10.94.150.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57931 PROTO=UDP SPT=137 DPT=137 LEN=58<br />
<br />
As a last resort you can temporarily disable the firewall by using the CLI command “utils firewall disable”.<br />
Note, both the disable and debug mode of the firewall will automatically revert back after a default of 5 minutes. This time can be extended to a maximum of 24 hours.<br />
<br />
<br />
[[Category:Unified_CCX,_Release_8.0]] [[Category:Unified_CCX,_Release_8.5]]</div>Amde