Firewall?

CharmingNathan
Posts: 155
Joined: 2014/04/09 12:48:55

Firewall?

Post by CharmingNathan » 2014/04/15 13:28:07

Hello all!

I have what seems to be an odd issue with the Cent O.S. Firewall.

I require Ports 25, 53, 80, 8000, 8001, and 8002 to be opened. I have checked iptables and used the system-configuration-firewall tool to configure this:

[root@nathan-desktop ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:16509
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8001
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8002
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:85
15 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

The bizarre aspect of this is that Port 80 is seen as open by Open Port Tool Checker, but NONE of the others are, and yet all the configurations above appear to be the same?

To add to the mystery (well it is to me!), my connection to the Internet is via a Fibre Optic Modem, NOT a router, so there is no internal Firewall to be configured. Should all the source/destination addresses be set to 0 above?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Firewall?

Post by avij » 2014/04/15 13:31:58

Do you have anything running that listens to those ports? Check with "netstat -anp | grep 8000", for example. The external firewall testers may not be able to distinguish between "port blocked by firewall" and "nothing is running at the specified port".

Also note that if this is a residential internet connection, your ISP may block inbound connections to port 25 (SMTP) for spam prevention reasons. I don't know if this is the case for you, but that is a common configuration for residential connections in this part of the world.
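The distinction avij draws above (a port can be allowed by iptables and still show as "not open" because nothing listens on it), as an added example that is not from this thread: a small shell classifier that reads `service iptables status` and `netstat -anp` output and reports each port as open, closed (allowed but no listener) or filtered. Both inputs are constructed samples embedded in the script, not live captures.

```shell
#!/bin/sh
# Classify TCP ports the way an external port checker cannot:
#   open     - INPUT chain ACCEPTs the port AND a process listens on a non-loopback address
#   closed   - firewall allows it but nothing listens (a checker reports "not open")
#   filtered - no explicit ACCEPT rule for the port in the INPUT chain
# Both inputs below are constructed samples, not live captures.

# Constructed: same shape as `service iptables status` on CentOS 6
IPTABLES_STATUS='Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8000
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# Constructed: same shape as `netstat -anp` (httpd on all addresses, postfix on loopback only)
NETSTAT_OUT='tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      1234/httpd
tcp        0      0 127.0.0.1:25        0.0.0.0:*           LISTEN      1300/master
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN      987/sshd'

# Does the INPUT chain ACCEPT new TCP connections to port $1?  `service iptables status`
# hides interface matches, so a bare "ACCEPT all" there is usually the loopback rule;
# `iptables -L -n -v` adds the in/out columns that make this visible.
fw_allows() {
    printf '%s\n' "$IPTABLES_STATUS" \
      | awk '/^Chain INPUT/ {f=1; next} /^Chain / {f=0} f' \
      | grep -qE "^[0-9]+ +ACCEPT +tcp .* dpt:$1( |\$)"
}

# Is a process listening on TCP port $1 on something other than 127.x (reachable from outside)?
has_listener() {
    printf '%s\n' "$NETSTAT_OUT" \
      | grep -E "^tcp +[0-9]+ +[0-9]+ +[^ ]+:$1 +.*LISTEN" \
      | grep -qvE '^tcp +[0-9]+ +[0-9]+ +127\.'
}

classify_port() {
    if ! fw_allows "$1"; then echo filtered
    elif has_listener "$1"; then echo open
    else echo closed
    fi
}

for p in 25 80 8000 443; do
    printf '%s: %s\n' "$p" "$(classify_port "$p")"
done
```

On a live box, replace the two embedded strings with `$(service iptables status)` and `$(netstat -anp)` (or `ss -lntp` on newer releases) to get the same open/closed/filtered verdict for the ports you care about.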

CharmingNathan
Posts: 155
Joined: 2014/04/09 12:48:55

Re: Firewall?

Post by CharmingNathan » 2014/04/15 13:55:13

avij wrote: Do you have anything running that listens to those ports? Check with "netstat -anp | grep 8000", for example. The external firewall testers may not be able to distinguish between "port blocked by firewall" and "nothing is running at the specified port".

Also note that if this is a residential internet connection, your ISP may block inbound connections to port 25 (SMTP) for spam prevention reasons. I don't know if this is the case for you, but that is a common configuration for residential connections in this part of the world.

netstat -anp | grep 8000 resulted in no output, but I have no software running on that or any of the other ports apart from (you've guessed it) Port 80! To prove the point I started D.N.S. Server (I thought it started automatically, but apparently not), and the Port Checker stated it was open, stopped it, and it was closed, re-started, and it was opened again. I am on a residential I.S.P., but on this connection, Port 25 is not blocked.

So, thank you very much avij for your rapid response and resolution to this issue, and for your help with B.I.N.D. last night. ALL very much appreciated.

P.S. I did ask you this last night, is there a G.U.I. for B.I.N.D.?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Firewall?

Post by avij » 2014/04/15 14:27:37

"chkconfig named on" and the DNS server will start automatically at boot.

As far as I know, there is no CentOS-provided GUI for configuring BIND.

Greg_E
Posts: 143
Joined: 2014/04/04 18:53:45

Re: Firewall?

Post by Greg_E » 2014/04/16 16:28:26

Webmin has been suggested to me for an interface to bind, dhcp, etc. Haven't tried it yet though as I am still in the basic configuration mode where I want to make sure everything is working, then move on to the ease of use tools.
