Centos does not open port/s after the rule/s are appended
- by Charlie Dyason
So after some battling and struggling with the firewall, I see that I may be doing something wrong, or the firewall isn't responding correctly: there is a port filter that is blocking certain ports.
By the way, I have combed the internet, posted on forums, done almost everything, and now, hence the website name "serverfault", this is my last resort; I need help.
What I hoped to achieve is to create a PPTP server to connect to with Windows/Linux clients.
UPDATED @ bottom
Okay, here is what I did:
I made some changes to my iptables file, which gave me endless issues, and so I restored the iptables.old file.
Contents of iptables.old:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After restoring iptables.old (back to stock), an nmap scan shows:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:54 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds
If I append this rule (to accept all TCP ports incoming to the server on interface eth0):
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:58 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds
*Notice it allows and opens port 443 but no other ports, and it removes port 113...?
Removing the previous rule and appending this rule (allow and open port 80 incoming to the server on interface eth0):
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:01 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
*Notice it removes port 443 and allows 80, but it is closed.
Without removing the previous rule, appending this rule (allow and open port 1723 incoming to the server on interface eth0):
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:05 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds
*Notice there is no change in ports opened or closed???
After removing the rules:
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
and re-adding the rule (to accept all TCP ports incoming to the server on interface eth0):
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds
Notice the eth0 rule changes the 999 filtered ports to 858 filtered ports, 139 closed ports.
QUESTION:
Why can't I allow and/or open a specific port? E.g. I want to allow and open port 443, but it doesn't allow it, or even 1723 for PPTP. Why am I not able to???
Sorry for the layout, the editor was giving issues (as well... sigh).
UPDATE @Madhatter comment #1
Thank you MadHatter.
In my iptables file:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# ----------all rules mentioned in post were added here ONLY!!!----------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
If I want to allow and open port 1723 (or edit iptables to allow a PPTP connection from a remote PC), what changes would I make? (Please bear with me; it's my first time working with servers, etc.)
Update MadHatter comment #2
iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        9   660 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain OUTPUT (policy ACCEPT 6 packets, 840 bytes)
num   pkts bytes target     prot opt in     out     source               destination  
Just on a personal note, MadHatter, thank you for the support, I really appreciate it!
UPDATE MadHatter comment #3
Here are the interfaces:
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1D:D8:B7:1F:DC  
          inet addr:[server ip]  Bcast:[server ip x.x.x].255  Mask:255.255.255.0
          inet6 addr: fe80::21d:d8ff:feb7:1fdc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2830372 (2.6 MiB)  TX bytes:427976 (417.9 KiB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Remote nmap:
nmap -p 1723 [server ip]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-01 16:17 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
PORT     STATE    SERVICE
1723/tcp filtered pptp
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Local nmap:
nmap -p 1723 localhost
Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-01 16:19 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
1723/tcp open  pptp
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
UPDATE MadHatter COMMENT POST #4
I apologize if there might have been any confusion; I did have the rule appended (only after the 3rd post):
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
netstat -apn|grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1142/pptpd   
There are no VPNs or firewalls between the server and "me".
UPDATE MadHatter comment #5
So here is an interesting turn of events:
I booted into Windows 7, created a VPN connection, went through the verification of username & password, checking SSTP then checking PPTP (it went through that very quickly, which means there is no problem), but on the verification of username and password (before registering the PC on the network) it got stuck and gave this error:
Connection failed with error 2147943625
The remote computer refused the network connection
netstat -apn | grep -w  1723
before connecting:
netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd
After the error came, I tried again:
netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd
tcp        0      0 41.185.26.238:1723          41.13.212.47:49607          TIME_WAIT   -
I do not know what it means, but it seems like there is progress... Any thoughts???
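As an added check that is not part of the question or any answer on it, the script below walks an iptables-save dump in the same top-to-bottom order the kernel uses and reports which rule decides the fate of a new packet to a given port, and it flags any --dport ACCEPT rule sitting below the chain's catch-all REJECT, which is exactly where `iptables -A` appends it (such a rule can never match; `iptables -I INPUT <n>` inserts at position n instead). The sample ruleset is constructed from the stock file quoted in the question plus one appended 1723 rule; the functions and their names are this example's own.

```python
# Constructed sample in iptables-save format: the stock CentOS ruleset quoted in
# the question plus one rule appended with `iptables -A`, which lands after the REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
COMMIT
"""

def chain_rules(dump, chain="INPUT"):
    """The '-A <chain> ...' lines of a dump, tokenised, in the order the kernel walks them."""
    return [l.split() for l in dump.splitlines() if l.startswith(f"-A {chain} ")]

def opt(t, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return t[t.index(flag) + 1] if flag in t else None

def verdict(dump, port, proto="tcp", chain="INPUT"):
    """Simulate a fresh (state NEW) remote packet to dport `port`: return (target,
    rule number) of the first terminal rule that matches, or ("POLICY", None)."""
    for num, t in enumerate(chain_rules(dump, chain), start=1):
        if opt(t, "-p") not in (None, proto):                    # other protocol
            continue
        if opt(t, "--dport") not in (None, str(port)):           # other port
            continue
        if opt(t, "-i") == "lo" or "ESTABLISHED" in (opt(t, "--state") or ""):
            continue                                             # not a new remote SYN
        if opt(t, "-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt(t, "-j"), num
    return "POLICY", None

def shadowed_accepts(dump, chain="INPUT"):
    """Numbers of --dport ACCEPT rules placed below the first catch-all REJECT/DROP."""
    rules = chain_rules(dump, chain)
    catch_all = next((n for n, t in enumerate(rules, 1)
                      if opt(t, "-j") in ("REJECT", "DROP")
                      and not any(f in t for f in ("-p", "--dport", "-s", "-i"))), None)
    if catch_all is None:
        return []
    return [n for n, t in enumerate(rules, 1)
            if n > catch_all and opt(t, "-j") == "ACCEPT" and "--dport" in t]
```

Feed it the output of `iptables-save` on the host to see which rule answers a remote probe; a port reported as REJECT at the catch-all rule while its ACCEPT appears in `shadowed_accepts` is a rule-ordering problem, not a missing rule.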