I am trying to open port 8140 on my CentOS Puppet Master. I have tried and exhausted every idea/instruction on the internet, still the port seems closed. Here is the iptable, please let me know if there is something wrong.
[vagrant#puppetmaster ~]$ sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Aug 4 17:38:36 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:680]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Aug 4 17:38:36 2016
[vagrant#puppetmaster ~]$
I have used nmap, checked services and grep 8140, and also nestat as seen below. None of them returns any output which shows to me the port has refused to open.
[vagrant#puppetmaster ~]$ sudo netstat -anp | grep 8140
[vagrant#puppetmaster ~]$
Don't know what to do now. Any help will be very much appreciated.
Related
Here is the rule set :
#!/bin/sh
iptables-restore -v<<END
# Generated by iptables-save v1.4.21 on Mon Sep 22 17:45:30 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:441]
-A INPUT -p tcp --sport 80 -j ACCEPT
-A INPUT -p tcp --sport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j LOG
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j LOG
COMMIT
# Completed on Mon Sep 22 17:45:30 2014
END
gives :
# Generated by iptables-save v1.4.21 on Mon Sep 22 17:45:30 2014
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
# Completed on Mon Sep 22 17:45:30 2014
dropping anything iptables with iptables and still can chat on IRC. why ?
Any ideas ?
thorsten#thorstysPC ~ $ lsmod | grep ipt
iptable_filter 12810 1
ip_tables 27239 1 iptable_filter
x_tables 34059 4 ip_tables,xt_tcpudp,xt_LOG,iptable_filter
thorsten#thorstysPC ~ $
This is the list of modules. Looks like IPtables is online.
Can anyone check these on his own box ?
Edit
I misunderstood the question. That's why I deleted the original answer's text but will keep the answer unless the problem is solved because there is still an open discussion below. If it can't be solved, I'll delete this answer.
I've built a new box on our network to serve a new web application. It's a CentOS server running on a local IP address 172.25.97.25 and local hostname truleadsap01:80.
SELinux has been disabled.
This address is NAT'ed and routed up to a public domain www.foobar.co.za and public IP address x.x.x.x.
I've configured httpd correctly because when I navigate to local hostname, I see the app. However, when I use either the public domain or IP address, it doesn't load the page.
From my httpd.conf:
Listen 172.25.97.25:80
ServerName truleadsap01:80
From /etc/sysconfig/iptables:
# Completed on Tue Dec 10 18:17:02 2013
# Generated by iptables-save v1.4.7 on Tue Dec 10 18:17:02 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2744]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 196.15.219.218/32 -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i lo -o etho0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Tue Dec 10 18:17:02 2013
Despite following a lot of tutorials on-line and making numerous changes, I'm still not able to browse to the public domain.
UPDATE I: I checked the access log when I access the site from the public domain. I get this entry repeatedly:
172.25.121.5 - - [11/Dec/2013:10:22:22 +0200] "GET /" 302 - "-" "-"
Your help is much appreciated.
The httpd.conf you posted only shows what IP:port is should listen on and the expected ServerName:port. I'll try to answer based on some possibilities.
Check that port 80 is indeed accessible by running the following command from a remote node.
nc 172.25.97.25 80 < /dev/null
If the connection is successful you may want to check access_log and error_log to see if the server is only accepting request URL with the configured ServerName. If this is the case, you might have virtualHost configured.
Try adding the public IP address to the listen line in the httpd.conf file (I am assuming it is a static IP).
I have a home network with Linux pc's, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a pc (with fedora,no gui) between my router and LAN and configured iptables. No problem here, INPUT only allows dns an http (and some local stuff), forwarding works fine: LAN connects to internet.
But my question is: does FORWARD allows all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?
This is my iptables:
*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "
COMMIT
p1p1 (.1.x) is my external nic, p3p1 (.2.x) is internal.
RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.
Here is the chapter about FORWARD and NAT Rules. As it states:
For example, if you want to forward incoming HTTP requests to your
dedicated Apache HTTP Server at 172.31.0.23, use the following command
as the root user:
~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
Here is what happens:
your linux gateway receives a packet from your router. The packet header has:
source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
Your linux gateway asks itself: Is it for me (192.168.1.1:80) ? No, so I won't send it to the INPUT chain.
=> I'll send it to the FORWARD chain.
since you have set the rules to FORWARD all on your local network (table filter chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).
Hope it'll help to understand a little bit more how internal routing works with iptables.
INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.
If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.
I'm trying to configure my server to allow incoming DNS queries. The default server, as setup by the hosting company, permits traffic on ports 443, 80 and 22.
I have modified the iptables file to try to permit requests on port 53, but I am not getting any response from BIND. Turning off the firewall permits the DNS request to go through, so that suggests to me that the nameserver is working correctly. The setup is CentOS 5.5.
This is the iptables file; I'd appreciate it if someone could tell me what I'm missing here in order to get this working.
Thanks in advance.
==================
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 10000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
This line from your rules is completely wrong:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
You're saying: allow traffic from remote port 53 to local ports 1024 - 65535.
I believe DNS is listening on port 53. Try this instead (allow every TCP/UDP traffic to destination port 53):
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
These lines won't do anything:
The following lines allows traffic with the protocol number 50 (ESP) and 51 (AH) (source: IANA Protocol Numbers)
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
I have just installed VMWare Server 2.0 on a fresh Fedora Core 8 install. The ports for the web access console of VMWare are 8222 and 8333 (like the defaults).
When I try a remote http access to myserver:8222 it fails. But when I run
/sbin/service iptables stop
access becomes possibles (although not very satisfactory). Thus, I have updated the conf file as follow
cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Custom authorization for VMWare administration
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8333 -j ACCEPT
COMMIT
yet, even after reloading the iptables settings it's still not working. Do anyone knows what I am doing wrong?
Your rules for VMware need to come before the REJECT entry; otherwise they'll never be reached.
A good debugging tool is to add a LOG just before your rules to verify:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Custom authorization for VMWare administration
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8222 -j LOG --log-prefix="8222 "
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8333 -j LOG --log-prefix="8333 "
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8333 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Unlike other targets, LOG returns to allow further rules to be processed. The ACCEPT and REJECT targets terminate processing.
A simple way to fix this would be to run system-config-securitylevel or system-config-securitylevel-tui and add 8222 and 8333 as trusted ports. This adds essentially the same iptables rules as you're doing manually.