Centos does not open port/s after the rule/s are appended

Posted by Charlie Dyason on Server Fault See other posts from Server Fault or by Charlie Dyason
Published on 2013-11-01T13:36:20Z Indexed on 2013/11/01 15:59 UTC
Read the original article Hit count: 399

Filed under:
|
|
|
|

So after some battling and struggling with the firewall, i see that I may be doing something or the firewall isnt responding correctly there is has a port filter that is blocking certain ports.

by the way, I have combed the internet, posted on forums, done almost everything and now hence the website name "serverfault", is my last resort, I need help What I hoped to achieve is create a pptp server to connect to with windows/linux clients

UPDATED @ bottom

Okay, here is what I did:

I made some changes to my iptables file, giving me endless issues and so I restored the iptables.old file

contents of iptables.old:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

after iptables.old restore(back to stock), nmap scan shows:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:54 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds

if I append rule: (to accept all tcp ports incoming to server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 13:58 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds

*notice it allows and opens port 443 but no other ports, and it removes port 113...?

removing previous rule and if I append rule: (allow and open port 80 incoming to server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:01 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds

*notice it removes port 443 and allows 80 but is closed

without removing previous rule and if I append rule: (allow and open port 1723 incoming to server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:05 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
113/tcp closed ident
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

*notice no change in ports opened or closed???

after removing rules:

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 1723 -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

and returning rule: (to accept all tcp ports incoming to server on interface eth0)

iptables -A INPUT -i eth0 -m tcp -j ACCEPT

nmap output:

nmap [server ip]

Starting Nmap 6.00 ( nmap.org ) at 2013-11-01 14:07 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8008/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds

notice the eth0 changes the 999 filtered ports to 858 filtered ports, 139 closed ports

QUESTION:

why cant I allow and/or open a specific port, eg. I want to allow and open port 443, it doesnt allow it, or even 1723 for pptp, why am I not able to???

sorry for the layout, the editor was give issues (aswell... sigh)

UPDATE @Madhatter comment #1

thank you madhatter

in my iptables file:

# Firewall configuration written by system-config-firewall  
# Manual customization of this file is not recommended.  
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]  
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  
-A INPUT -p icmp -j ACCEPT  
-A INPUT -i eth0 -j ACCEPT  
-A INPUT -i lo -j ACCEPT  
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT  

# ----------all rules mentioned in post where added here ONLY!!!----------  

-A INPUT -j REJECT --reject-with icmp-host-prohibited  
-A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT  

if I want to allow and open port 1723 (or edit iptables to allow a pptp connection from remote pc), what changes would I make? (please bear with me, my first time working with servers, etc.)

Update MadHatter comment #2

iptables -L -n -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        9   660 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 6 packets, 840 bytes)
num   pkts bytes target     prot opt in     out     source               destination  

just on a personal note, madhatter, thank you for the support , I really appreciate it!

UPDATE MadHatter comment #3

here are the interfaces

 ifconfig

eth0      Link encap:Ethernet  HWaddr 00:1D:D8:B7:1F:DC  
          inet addr:[server ip]  Bcast:[server ip x.x.x].255  Mask:255.255.255.0
          inet6 addr: fe80::21d:d8ff:feb7:1fdc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2830372 (2.6 MiB)  TX bytes:427976 (417.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

remote nmap

nmap -p 1723 [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-01 16:17 SAST
Nmap scan report for server.address.net ([server ip])
Host is up (0.017s latency).
PORT     STATE    SERVICE
1723/tcp filtered pptp

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

local nmap

nmap -p 1723 localhost

Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-01 16:19 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
1723/tcp open  pptp

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

UPDATE MadHatter COMMENT POST #4

I apologize, if there might have been any confusion, i did have the rule appended: (only after 3rd post)

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

netstat -apn|grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1142/pptpd   

There are not VPN's and firewalls between the server and "me"

UPDATE MadHatter comment #5

So here is an intersting turn of events:

I booted into windows 7, created a vpn connection, went through the verfication username & pword -> checking the sstp then checking pptp (went through that very quickly which meeans there is no problem), but on teh verfication of username and pword (before registering pc on network), it got stuck, gave this error

Connection failed with error 2147943625 The remote computer refused the network connection

netstat -apn | grep -w 1723

before connecting:

netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd

after the error came tried again:

 netstat -apn |grep -w 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      1137/pptpd
tcp        0      0 41.185.26.238:1723          41.13.212.47:49607          TIME_WAIT   -

I do not know what it means but seems like there is progress..., any thoughts???

© Server Fault or respective owner

Related posts about linux

Related posts about ssh