Centos does not open port/s after the rule/s are appended
- by Charlie Dyason
So after some battling and struggling with the firewall, i see that I may be doing something or the firewall isnt responding correctly there is has a port filter that is blocking certain ports.
by the way, I have combed the internet, posted on forums, done almost everything and now hence the website name "serverfault", is my last resort, I need help
What I hoped to achieve is create a pptp server to connect to with windows/linux clients
UPDATED @ bottom
Okay, here is what I did:
I made some changes to my iptables file, giving me endless issues and so I restored the iptables.old file
contents of iptables.old:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
after iptables.old restore(back to stock), nmap scan shows:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:54 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds
if I append rule: (to accept all tcp ports incoming to server on interface eth0)
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:58 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds
*notice it allows and opens port 443 but no other ports, and it removes port 113...?
removing previous rule and
if I append rule: (allow and open port 80 incoming to server on interface eth0)
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:01 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
*notice it removes port 443 and allows 80 but is closed
without removing previous rule and
if I append rule: (allow and open port 1723 incoming to server on interface eth0)
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:05 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds
*notice no change in ports opened or closed???
after removing rules:
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
and returning rule: (to accept all tcp ports incoming to server on interface eth0)
iptables -A INPUT -i eth0 -m tcp -j ACCEPT
nmap output:
nmap [server ip]
Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds
notice the eth0 changes the 999 filtered ports to 858 filtered ports, 139 closed ports
QUESTION:
why cant I allow and/or open a specific port, eg. I want to allow and open port 443, it doesnt allow it, or even 1723 for pptp, why am I not able to???
sorry for the layout, the editor was give issues (aswell... sigh)
UPDATE @Madhatter comment #1
thank you madhatter
in my iptables file:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# ----------all rules mentioned in post where added here ONLY!!!----------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
if I want to allow and open port 1723 (or edit iptables to allow a pptp connection from remote pc), what changes would I make? (please bear with me, my first time working with servers, etc.)
Update MadHatter comment #2
iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 9 660 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 6 packets, 840 bytes)
num pkts bytes target prot opt in out source destination
just on a personal note, madhatter, thank you for the support , I really appreciate it!
UPDATE MadHatter comment #3
here are the interfaces
ifconfig
eth0 Link encap:Ethernet HWaddr 00:1D:D8:B7:1F:DC
inet addr:[server ip] Bcast:[server ip x.x.x].255 Mask:255.255.255.0
inet6 addr: fe80::21d:d8ff:feb7:1fdc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:36692 errors:0 dropped:0 overruns:0 frame:0
TX packets:4247 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2830372 (2.6 MiB) TX bytes:427976 (417.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
remote nmap
nmap -p 1723 [server ip]
Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-01 16:17 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
PORT STATE SERVICE
1723/tcp filtered pptp
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
local nmap
nmap -p 1723 localhost
Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-01 16:19 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
1723/tcp open pptp
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
UPDATE MadHatter COMMENT POST #4
I apologize, if there might have been any confusion, i did have the rule appended: (only after 3rd post)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
netstat -apn|grep -w 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1142/pptpd
There are not VPN's and firewalls between the server and "me"
UPDATE MadHatter comment #5
So here is an intersting turn of events:
I booted into windows 7, created a vpn connection, went through the verfication username & pword - checking the sstp then checking pptp (went through that very quickly which meeans there is no problem), but on teh verfication of username and pword (before registering pc on network), it got stuck, gave this error
Connection failed with error 2147943625
The remote computer refused the network connection
netstat -apn | grep -w 1723
before connecting:
netstat -apn |grep -w 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1137/pptpd
after the error came tried again:
netstat -apn |grep -w 1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1137/pptpd
tcp 0 0 41.185.26.238:1723 41.13.212.47:49607 TIME_WAIT -
I do not know what it means but seems like there is progress..., any thoughts???
