I have the following iptables rules and need help removing them, if possible:
iptables -t nat -I PREROUTING -p tcp --dport 12348 -j DNAT --to-destination 192.168.0.5:12348
iptables -t nat -I PREROUTING -p tcp --dport 7778 -j DNAT --to-destination 192.168.0.5:7778
I know -D stands for delete rule, but I can't figure out where in my command I'm meant to put it.
Cheers in advance
Updated ==>
Output of iptables -L -t nat:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:interwise to:192.168.0.5:7778
DNAT tcp -- anywhere anywhere tcp dpt:12348 to:192.168.0.5:12348
DNAT tcp -- anywhere anywhere tcp dpt:7772 to:192.168.0.5:7772
DNAT tcp -- anywhere anywhere tcp dpt:12342 to:192.168.0.5:12342
DNAT tcp -- anywhere anywhere tcp dpt:interwise to:192.168.0.5:7778
DNAT tcp -- anywhere anywhere tcp dpt:12348 to:192.168.0.5:12348
DNAT tcp -- anywhere anywhere tcp dpt:12348 to:192.168.0.5:12348
DNAT tcp -- anywhere anywhere tcp dpt:12342 to:192.168.0.5:12342
DNAT tcp -- anywhere anywhere tcp dpt:7772 to:192.168.0.5:7772
DNAT tcp -- anywhere anywhere tcp dpt:interwise to:192.168.0.5:7778
DNAT tcp -- anywhere anywhere tcp dpt:vstat to:192.168.0.5:7779
DNAT tcp -- anywhere anywhere tcp dpt:12349 to:192.168.0.5:12349
DNAT tcp -- anywhere anywhere tcp dpt:imtc-map to:192.168.0.2:22
DNAT tcp -- anywhere anywhere tcp dpt:b2-runtime to:192.168.0.3:22
DNAT tcp -- anywhere anywhere tcp dpt:b2-license to:192.168.0.4:22
DNAT tcp -- anywhere anywhere tcp dpt:jps to:192.168.0.5:22
DNAT tcp -- anywhere anywhere tcp dpt:hpocbus to:192.168.0.6:22
DNAT tcp -- anywhere anywhere tcp dpt:hpssd to:192.168.0.7:22
DNAT tcp -- anywhere anywhere tcp dpt:hpiod to:192.168.0.8:22
DNAT tcp -- anywhere anywhere tcp dpt:rimf-ps to:192.168.0.9:22
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.0.6:80
DNAT tcp -- anywhere anywhere tcp dpt:ica to:192.168.0.6:1494
DNAT tcp -- anywhere anywhere tcp dpt:shell to:192.168.0.2:514
DNAT tcp -- anywhere anywhere tcp dpt:avt-profile-2 to:192.168.0.5:5005
DNAT tcp -- anywhere anywhere tcp dpt:wsm-server to:192.168.0.5:5006
DNAT tcp -- anywhere anywhere tcp dpt:wsm-server-ssl to:192.168.0.5:5007
DNAT tcp -- anywhere anywhere tcp dpt:synapsis-edge to:192.168.0.5:5008
DNAT tcp -- anywhere anywhere tcp dpt:winfs to:192.168.0.5:5009
DNAT tcp -- anywhere anywhere tcp dpt:telelpathstart to:192.168.0.5:5010
DNAT tcp -- anywhere anywhere tcp dpt:50000 to:192.168.0.5:50000
DNAT tcp -- anywhere anywhere tcp dpt:50005 to:192.168.0.5:50005
DNAT tcp -- anywhere anywhere tcp dpt:50009 to:192.168.0.5:50009
DNAT tcp -- anywhere anywhere tcp dpt:50010 to:192.168.0.5:50010
DNAT tcp -- anywhere anywhere tcp dpt:50011 to:192.168.0.5:50011
DNAT tcp -- anywhere anywhere tcp dpt:50012 to:192.168.0.5:50012
DNAT tcp -- anywhere anywhere tcp dpt:50013 to:192.168.0.5:50013
DNAT tcp -- anywhere anywhere tcp dpt:50014 to:192.168.0.5:50014
DNAT tcp -- anywhere anywhere tcp dpt:50184 to:192.168.0.5:50184
DNAT tcp -- anywhere anywhere tcp dpt:50185 to:192.168.0.5:50185
DNAT tcp -- anywhere anywhere tcp dpt:50186 to:192.168.0.5:50186
DNAT tcp -- anywhere anywhere tcp dpt:50187 to:192.168.0.5:50187
DNAT tcp -- anywhere anywhere tcp dpt:50188 to:192.168.0.5:50188
DNAT tcp -- anywhere anywhere tcp dpt:50189 to:192.168.0.5:50189
DNAT tcp -- anywhere anywhere tcp dpt:50000 to:192.168.0.5:50000
DNAT tcp -- anywhere anywhere tcp dpt:50005 to:192.168.0.5:50005
DNAT tcp -- anywhere anywhere tcp dpt:50009 to:192.168.0.5:50009
DNAT tcp -- anywhere anywhere tcp dpts:50010:50014 to:192.168.0.5:50010-50014
DNAT tcp -- anywhere anywhere tcp dpts:50184:50189 to:192.168.0.5:50184-50189
DNAT tcp -- anywhere anywhere tcp dpt:binderysupport to:192.168.0.2:23
DNAT tcp -- anywhere anywhere tcp dpt:proxy-gateway to:192.168.0.3:23
DNAT tcp -- anywhere anywhere tcp dpt:attachmate-uts to:192.168.0.4:23
DNAT tcp -- anywhere anywhere tcp dpt:mt-scaleserver to:192.168.0.5:23
DNAT tcp -- anywhere anywhere tcp dpt:tappi-boxnet to:192.168.0.6:23
DNAT tcp -- anywhere anywhere tcp dpts:checkoutdb:5510 to:192.168.0.5:5505-5510
DNAT tcp -- anywhere anywhere tcp dpt:gotodevice to:192.168.0.17:22
DNAT tcp -- anywhere anywhere tcp dpt:foliocorp to:192.168.0.42:22
DNAT tcp -- anywhere anywhere tcp dpt:magicom to:192.168.0.43:22
DNAT tcp -- anywhere anywhere tcp dpt:nmsserver to:192.168.0.44:22
DNAT tcp -- anywhere anywhere tcp dpt:hao to:192.168.0.45:22
DNAT tcp -- anywhere anywhere tcp dpt:pc-mta-addrmap to:192.168.0.46:22
DNAT tcp -- anywhere anywhere tcp dpt:antidotemgrsvr to:192.168.0.47:22
DNAT tcp -- anywhere anywhere tcp dpt:remote-collab to:192.168.0.50:22
DNAT tcp -- anywhere anywhere tcp dpt:dif-port to:192.168.0.51:22
DNAT tcp -- anywhere anywhere tcp dpt:lnvalarm to:192.168.0.82:22
Using iptables -t nat -F PREROUTING you can delete all rules for chain PREROUTING.
Using iptables -t nat -D PREROUTING 1 you can delete the first rule from chain PREROUTING. So to delete the above two rules you will have to use the same command twice.
Use iptables -t nat -D PREROUTING -p tcp --dport 12348 -j DNAT --to-destination 192.168.0.5:12348 and iptables -t nat -D PREROUTING -p tcp --dport 7778 -j DNAT --to-destination 192.168.0.5:7778 to delete these two specific rules.
Just replace -I with -D.
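The listing above shows the same DNAT rule inserted several times (repeated -I without checking first). As an added example, not from the post, the following Python parses an iptables -L listing, reports rules that occur more than once, and prints the -D commands that remove the extra copies by rule number; SAMPLE_LISTING is a constructed excerpt of the question's PREROUTING chain.

```python
"""Find duplicated rules in `iptables -L` output and emit the `-D` commands that remove them.
Added example, not from the post. SAMPLE_LISTING is a constructed excerpt of the
PREROUTING chain in the question; feed it the real `iptables -t nat -L PREROUTING`."""
from collections import defaultdict

SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:interwise to:192.168.0.5:7778
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12348 to:192.168.0.5:12348
DNAT       tcp  --  anywhere             anywhere             tcp dpt:7772 to:192.168.0.5:7772
DNAT       tcp  --  anywhere             anywhere             tcp dpt:interwise to:192.168.0.5:7778
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12348 to:192.168.0.5:12348
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12348 to:192.168.0.5:12348
DNAT       tcp  --  anywhere             anywhere             tcp dpt:jps to:192.168.0.5:22
"""

def parse_chains(listing):
    """Return {chain: [rule, ...]}; list position + 1 is the rule number iptables uses.
    Whitespace is normalised so identical rules compare equal despite column padding."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):   # blank or column-header line
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None:
            chains[current].append(" ".join(line.split()))
    return chains

def find_duplicates(rules):
    """Map each rule that occurs more than once to its 1-based rule numbers."""
    positions = defaultdict(list)
    for num, rule in enumerate(rules, start=1):
        positions[rule].append(num)
    return {rule: nums for rule, nums in positions.items() if len(nums) > 1}

def delete_commands(chain, dups, table="nat"):
    """Commands that keep the first copy of each duplicated rule and delete the rest.
    Deleting by number renumbers everything below it, so go highest-first."""
    extra = sorted((n for nums in dups.values() for n in nums[1:]), reverse=True)
    return [f"iptables -t {table} -D {chain} {n}" for n in extra]

if __name__ == "__main__":
    dups = find_duplicates(parse_chains(SAMPLE_LISTING)["PREROUTING"])
    for rule, nums in dups.items():
        print(f"rule numbers {nums}: {rule}")
    print("\n".join(delete_commands("PREROUTING", dups)))
```

Adding -n to the listing avoids service-name lookups such as dpt:interwise, and running iptables -t nat -C PREROUTING ... before each -I stops the duplicates from being created in the first place.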
I am trying to host my Spring Boot application on Arvixe's VPS Lite. No CPanel, just command line.
When I spin up my Spring Boot app and navigate to the server's IP address, I see the ERR_CONNECTION_REFUSED error.
Here is my iptables configuration. I followed the steps found here http://crm.vpscheap.net/knowledgebase.php?action=displayarticle&id=29
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -j DROP
COMMIT
Here are the policies that the above creates
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
In your iptables config you are opening up ports 80 and 443, but Spring Boot applications start on port 8080 by default. So you have two options:
Start the app listening on port 80 by adding --server.port=80 to the startup params or setting server.port=80 in application.properties. This will work, but you'll have to start the app as root since it's trying to bind to a well-known port. I wouldn't recommend this.
Use iptables to redirect the external port 80 internally to port 8080 by adding a line like the following to your iptables config:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
I set up Apache in Puppy Linux and can see files on localhost. However, when I opened port 80 and tried to connect to Apache from my iPhone, it failed. I could see just a white page. Maybe it wasn't a 404, because it didn't show a 404 error. (Before I opened the port, I saw a 404.)
I have configured apache.conf to Allow from all.
The access log and error logs showed nothing.
This is iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:finger
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:auth
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:443
ACCEPT udp -- anywhere anywhere state NEW udp dpt:syslog
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:printer
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:993
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:995
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT udp -- anywhere anywhere state NEW udp dpt:www
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Netstat
tcp 0 0 192.168.100.100:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
How do I solve this problem?
tcp 0 0 192.168.100.100:80
The problem is right here. The server is listening at a specific, local, IP address, rather than 0.0.0.0.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I have 5 computers which we will label as such:
Ubuntu 13.10 Desktop --> U13.10
Ubuntu 11.10 Desktop --> U11.10
Raspberry Pi Raspbian --> R1
Raspberry Pi Raspbian --> R2
Raspberry Pi Raspbian --> R3
I have NFS shares set up like so:
U13.10 (192.168.7.1)
exporting to U11.10
U11.10 (192.168.7.10)
importing from U13.10
importing from R1 (FAILS)
importing from R2
importing from R3 (FAILS)
exporting to R1
exporting to R2
exporting to R3
R1 (192.168.7.104)
importing from U11.10
exporting to U11.10
R2 (192.168.7.105)
importing from U11.10
exporting to U11.10
R3 (192.168.7.106)
importing from U11.10
exporting to U11.10
Finally here is the output of my iptables on the server (U13.10) acting as a router:
U13.10$ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:111
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:111
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:32803
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:32769
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:892
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:892
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:875
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:875
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:662
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:662
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10001
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10001
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10002
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10002
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10003
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10003
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10004
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10004
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10005
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10005
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10006
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10006
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10007
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10007
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10008
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10008
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10009
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:10009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10009
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:6000
ACCEPT udp -- 0.0.0.0/0 192.168.7.11 udp dpt:6001
ACCEPT udp -- 0.0.0.0/0 192.168.7.12 udp dpt:6002
ACCEPT udp -- 0.0.0.0/0 192.168.7.13 udp dpt:6003
ACCEPT udp -- 0.0.0.0/0 192.168.7.14 udp dpt:6004
ACCEPT udp -- 0.0.0.0/0 192.168.7.15 udp dpt:6005
ACCEPT udp -- 0.0.0.0/0 192.168.7.16 udp dpt:6006
ACCEPT udp -- 0.0.0.0/0 192.168.7.17 udp dpt:6007
ACCEPT udp -- 0.0.0.0/0 192.168.7.18 udp dpt:6008
ACCEPT udp -- 0.0.0.0/0 192.168.7.19 udp dpt:6009
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:6000
ACCEPT tcp -- 0.0.0.0/0 192.168.7.11 tcp dpt:6001
ACCEPT tcp -- 0.0.0.0/0 192.168.7.12 tcp dpt:6002
ACCEPT tcp -- 0.0.0.0/0 192.168.7.13 tcp dpt:6003
ACCEPT tcp -- 0.0.0.0/0 192.168.7.14 tcp dpt:6004
ACCEPT tcp -- 0.0.0.0/0 192.168.7.15 tcp dpt:6005
ACCEPT tcp -- 0.0.0.0/0 192.168.7.16 tcp dpt:6006
ACCEPT tcp -- 0.0.0.0/0 192.168.7.17 tcp dpt:6007
ACCEPT tcp -- 0.0.0.0/0 192.168.7.18 tcp dpt:6008
ACCEPT tcp -- 0.0.0.0/0 192.168.7.19 tcp dpt:6009
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7000
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7001
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7002
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7003
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7004
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7005
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7006
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7007
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7008
ACCEPT udp -- 0.0.0.0/0 192.168.7.10 udp dpt:7009
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7000
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7001
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7002
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7003
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7004
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7005
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7006
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7007
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7008
ACCEPT tcp -- 0.0.0.0/0 192.168.7.10 tcp dpt:7009
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As indicated above, I fail to mount from either R1 or R3. Observe the following output as well, as I think it may be helpful:
U11.10$ rpcinfo -p R1
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
U11.10$ showmount -e R1
clnt_create: RPC: Port mapper failure - Unable to receive: errno 111 (Connection refused)
U11.10$ rpcinfo -p R2
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 39036 status
100024 1 tcp 35998 status
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049
100227 3 tcp 2049
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049
100227 3 udp 2049
100021 1 udp 55799 nlockmgr
100021 3 udp 55799 nlockmgr
100021 4 udp 55799 nlockmgr
100021 1 tcp 50119 nlockmgr
100021 3 tcp 50119 nlockmgr
100021 4 tcp 50119 nlockmgr
100005 1 udp 49361 mountd
100005 1 tcp 48407 mountd
100005 2 udp 37991 mountd
100005 2 tcp 47634 mountd
100005 3 udp 41386 mountd
100005 3 tcp 35740 mountd
U11.10$ showmount -e R2
Export list for R2:
/ U11.10
U11.10$ rpcinfo -p R3
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
U11.10$ showmount -e R3
clnt_create: RPC: Port mapper failure - Unable to receive: errno 111 (Connection refused)
I can ping R1-R3 from U11.10, and as alluded to earlier I can mount onto R1 and R3 from U11.10. I suspect there is something wrong with my iptables, I just can't figure out why it would let one raspi through, but not the other two.
Better ask that on Server Fault than on Stack Overflow. But to make it short, if I were you, I'd drop ALL my iptables rules first, then check if it works. When you have everything running, check netstat -nap on U11.10 to make sure each process is using the ports you expect it to. Then, re-enable your iptables rules one by one.
Also, when you try something like the rpcinfo that doesn't work, you might want to have a tcpdump running on your U11.10, and examine the result with wireshark. This gives you an idea if packets are sent, received, and which ports are used, as well.
This is my iptables config:
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
859 103K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
5 260 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
3 230 ACCEPT tcp -- any any anywhere anywhere tcp dpt:27017
4 208 ACCEPT tcp -- any any anywhere anywhere tcp dpt:28017
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
64 3844 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
If I enter the IP of my MongoDB server with port 28017 in the browser, I can see a prompt to enter a username and password:
#ip mongodb server
000.000.000.000:28017
I want to close the MongoDB ports to everyone except these 2 IPs:
111.111.111.111
222.222.222.222
How can I do it?
Can you try the following iptables rules
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT
Looks like you forgot to put in the source IP flag.
I have removed these two lines from my iptables:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
and now it's not possible to access the MongoDB ports from any IP.
Thanks
The rules I use for limiting external access to mongo are:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:27017
ACCEPT tcp -- localhost anywhere tcp dpt:28017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:27017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:27017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:28017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:28017
DROP tcp -- anywhere anywhere tcp dpt:27017
DROP tcp -- anywhere anywhere tcp dpt:28017
You can add them with
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
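Why the poster's original chain let anyone reach 27017 while this one does not comes down to first-match order. As an added example, not from the thread, the following Python models a first-match walk over both rule sets (the original chain rebuilt from the iptables -L -v listing, and the eight rules above) and returns the verdict for a constructed connection attempt; 203.0.113.9 is a constructed TEST-NET-3 address, and only the -p, --dport, -s, -i and conntrack/state matches are modelled.

```python
"""First-match evaluation of an iptables INPUT chain, comparing two rule orderings.
Added example, not from the thread; models only the -p, --dport, -s, -i and
conntrack/state matches. ORIGINAL is the poster's chain rebuilt in save format."""
import ipaddress

ORIGINAL = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 27017 -j ACCEPT",   # matches before any source check
    "-A INPUT -p tcp --dport 28017 -j ACCEPT",   # matches before any source check
    "-A INPUT -s 127.0.0.1 -j ACCEPT",
    "-A INPUT -s 111.111.111.111 -j ACCEPT",
    "-A INPUT -s 222.222.222.222 -j ACCEPT",
    "-A INPUT -j DROP",
]

# The answer's ordering: per-source ACCEPTs first, then a port-specific DROP.
RESTRICTED = [
    "-A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 27017 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 28017 -j DROP",
]

def parse_rule(text):
    """Turn one `-A CHAIN ...` line into a dict of match criteria plus its target."""
    toks, rule, i = text.split(), {}, 0
    while i < len(toks):          # every flag used here takes exactly one argument
        flag, arg = toks[i], toks[i + 1]
        if flag == "-p":
            rule["proto"] = arg
        elif flag in ("--dport", "--destination-port"):
            rule["dport"] = int(arg)
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(arg)
        elif flag == "-i":
            rule["iface"] = arg
        elif flag in ("--ctstate", "--state"):
            rule["state"] = set(arg.split(","))
        elif flag == "-j":
            rule["target"] = arg
        elif flag not in ("-A", "-m"):  # chain name and match module carry no criteria
            raise ValueError(f"unsupported flag {flag!r} in {text!r}")
        i += 2
    return rule

def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dport", pkt["dport"]) == pkt["dport"]
            and rule.get("iface", pkt["iface"]) == pkt["iface"]
            and pkt["state"] in rule.get("state", {pkt["state"]})
            and ipaddress.ip_address(pkt["src"]) in rule.get("src", ipaddress.ip_network("0.0.0.0/0")))

def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain top-down: the first matching rule decides, else the chain policy."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def new_tcp(src, dport, iface="eth0"):
    """A constructed NEW TCP connection attempt as the INPUT chain sees it."""
    return {"proto": "tcp", "src": src, "dport": dport, "iface": iface, "state": "NEW"}

if __name__ == "__main__":   # 203.0.113.9 is a constructed TEST-NET-3 address
    for name, chain in (("original", ORIGINAL), ("restricted", RESTRICTED)):
        print(name, "203.0.113.9 -> 27017:", verdict(chain, new_tcp("203.0.113.9", 27017)))
```

Note that with the RESTRICTED set the chain policy still decides every other port, so SSH on 22 is unaffected by these eight rules.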
I'm struggling to understand why I can't open port 61616 by adding IPTABLES rule. Here is the listing of all rules, obtained via IPTABLES -L command.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:61616
ACCEPT udp -- anywhere anywhere udp dpt:cslistener
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:61616
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
As much as I'm ignorant about IPTABLES, what confuses me is that http port is visible from the outside, yet port 61616 still isn't. For me, the rules look the same. Anyways, all help's appreciated.
Best
Maybe you are trying to open the port for a host in the network behind the CentOS host (the CentOS host is the firewall for the network)?
If so, you must add a rule to the FORWARD chain of the filter table, and you should
add a DNAT rule to some IP in the network x.x.x.x:
iptables -A FORWARD -p tcp --dport 61616 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 61616 -j DNAT --to-destination x.x.x.x