Unable to log in to the UI: IP Tables are being used to redirect ports


Article ID: 159803


Products

Data Loss Prevention Enforce

Issue/Introduction

After the Enforce server starts, it is not possible to log in to the UI at https://<machine>/. There is no spinner or hourglass; the browser simply reports that the web site is not available.

Resolution

iptables is used to redirect privileged ports (0 to 1023) to the Symantec DLP environment, because a non-root process cannot bind to them and the Enforce server does not run as root. An iptables redirect rule is therefore normally in place to reroute such ports; in this case it redirects the HTTPS port, 443, to 8443, where the Enforce web application actually listens.


Test whether the Symantec DLP application is running by logging in through https://<machine>:8443.

If login works on 8443 but not on 443, the application is healthy and the iptables rules are either not running or set up incorrectly. If login also fails on 8443, the Enforce application itself is not up and iptables is not the cause. The system administrator usually modifies or maintains the tables. Note that the redirect is applied in the nat PREROUTING chain, which only sees packets arriving on a network interface: connecting to https://localhost/ from the Enforce host itself is not redirected, so perform the port 443 test from another machine.

The following example shows how Symantec DLP has configured iptables on one of our reference systems.

The configuration is persisted in /etc/sysconfig/iptables, the file the iptables init script loads; the listing below is taken from within the /etc/sysconfig directory:

[root@machine sysconfig]# cat iptables
# Generated by iptables-save v1.2.11 on Tue Jan 23 15:20:40 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# Completed on Tue Jan 23 15:20:40 2007
# Generated by iptables-save v1.2.11 on Tue Jan 23 15:20:40 2007
*filter
:INPUT ACCEPT [14166:2707803]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13531:5682531]
:Vontu-INPUT - [0:0]
-A INPUT -p tcp -j Vontu-INPUT
-A Vontu-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A Vontu-INPUT -p tcp -m tcp --dport 1025:65535 -j ACCEPT
COMMIT
# Completed on Tue Jan 23 15:20:40 2007
[root@machine sysconfig]#

Two points about this listing. The REDIRECT rule in the nat table is what makes port 443 reach the application. The filter table, with its Vontu-INPUT chain, is permissive here because the INPUT policy is ACCEPT; if the policy is tightened to DROP, remember that a redirected packet arrives at the filter INPUT chain with destination port 8443, not 443 (nat PREROUTING runs before filter INPUT), so it is the 1025:65535 rule, not the 443 rule, that admits it.

If /etc/sysconfig/iptables is indeed incorrect, correct it and then reload the configuration with the following commands:

[root@machine sysconfig]# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat [ OK ]
Unloading iptables modules: [ OK ]

[root@machine sysconfig]# /etc/init.d/iptables start
Applying iptables firewall rules: [ OK ]

If the rules in /etc/sysconfig/iptables are correct but the service is not running, start it with /etc/init.d/iptables start. Because this issue appears after a restart, also confirm that the service is enabled at boot (chkconfig iptables on, on SysV-based Red Hat systems), otherwise the redirect will be missing again after the next reboot.
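The checks above can be scripted. The following is an added example written for this article, not Symantec or Broadcom code: it parses an iptables-save dump and reports whether the tcp/443 to 8443 REDIRECT is present in nat PREROUTING and whether the filter table will let tcp/8443 reach INPUT, then (with --live) confirms that something is actually listening on 8443 so that a missing rule is not confused with the application being down. It assumes the Enforce listener is 8443 as in the article, and it counts any ACCEPT rule in the filter table whose --dport range covers 8443 without tracing which chain it sits in. The DLP_SAMPLE_BROKEN dump is constructed for the demo; dlp_check_live must be run as root on the Enforce host.

```shell
#!/bin/sh
# Added example for this KB article; not Symantec/Broadcom code.
# Checks an iptables-save dump for the two things the Enforce UI depends on:
#   1. nat/PREROUTING redirects tcp/443 to 8443 (https://host/ reaches Enforce)
#   2. the filter table admits tcp/8443; redirected packets reach INPUT with
#      destination port 8443, not 443, because nat PREROUTING runs first.
# Assumptions: Enforce listens on 8443 (as in the article); any filter ACCEPT
# rule whose --dport covers 8443 counts (chain reachability is not traced).

# dlp_check_redirect: reads iptables-save text on stdin, prints findings,
# returns 0 when both checks pass and 1 otherwise.
dlp_check_redirect() {
    awk '
        /^\*/ { table = substr($0, 2); next }                 # "*nat" / "*filter"
        /^:/  { split(substr($0, 2), c, " "); policy[table, c[1]] = c[2]; next }
        $1 == "-A" && table == "nat" && $2 == "PREROUTING" &&
            $0 ~ /-p tcp/ && $0 ~ /--dport 443( |$)/ &&
            $0 ~ /-j REDIRECT --to-ports 8443( |$)/ { redirect = 1 }
        $1 == "-A" && table == "filter" && $0 ~ /-j ACCEPT( |$)/ &&
            match($0, /--dport [0-9]+(:[0-9]+)?/) {
            range = substr($0, RSTART + 8, RLENGTH - 8)      # "443" or "1025:65535"
            n = split(range, p, ":"); lo = p[1] + 0; hi = (n == 2 ? p[2] : p[1]) + 0
            if (lo <= 8443 && 8443 <= hi) accept8443 = 1
        }
        END {
            ok = 1
            if (redirect) print "nat: tcp/443 -> 8443 REDIRECT present"
            else { ok = 0; print "nat: REDIRECT missing; add: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443" }
            if (policy["filter", "INPUT"] == "ACCEPT" || accept8443) print "filter: tcp/8443 is accepted on INPUT"
            else { ok = 0; print "filter: tcp/8443 would be dropped (INPUT policy " policy["filter", "INPUT"] ", no ACCEPT covering 8443)" }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample (not from a real host): the redirect is missing and the
# INPUT policy is DROP with only 443 admitted, so both checks fail.
DLP_SAMPLE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:Vontu-INPUT - [0:0]
-A INPUT -p tcp -j Vontu-INPUT
-A Vontu-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# dlp_check_live: run as root on the Enforce host. Checks the loaded rules,
# then whether anything is bound to 8443 (ss on current systems, netstat on old RHEL).
dlp_check_live() {
    iptables-save | dlp_check_redirect
    rc=$?
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q ':8443 ' \
        && echo "listener: something is bound to tcp/8443" \
        || echo "listener: nothing on tcp/8443; Enforce itself is down, fix that before iptables"
    return $rc
}

case "${1:-}" in
    --demo) printf '%s\n' "$DLP_SAMPLE_BROKEN" | dlp_check_redirect ;;
    --live) dlp_check_live ;;
esac
```

Run it with --demo to see the verdict on the constructed dump, or with --live on the Enforce host; the exit status is 0 only when both the redirect and the filter check pass, so it can be dropped into a post-boot health check.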