Problems with disabled firewalld and installed iptables

kiken
Posts: 3
Joined: 2014/05/20 02:35:55

Problems with disabled firewalld and installed iptables

Post by kiken » 2015/04/16 05:26:22

As the titles says, I have a Centos 7 installation on a VPS, I've disabled firewalld and installed iptables... My config is the following:

sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Apr 16 02:07:43 2015
*security
:INPUT ACCEPT [891:82014]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [818:247489]
COMMIT
# Completed on Thu Apr 16 02:07:43 2015
# Generated by iptables-save v1.4.21 on Thu Apr 16 02:07:43 2015
*raw
:PREROUTING ACCEPT [906:82798]
:OUTPUT ACCEPT [818:247489]
COMMIT
# Completed on Thu Apr 16 02:07:43 2015
# Generated by iptables-save v1.4.21 on Thu Apr 16 02:07:43 2015
*nat
:PREROUTING ACCEPT [40:2120]
:INPUT ACCEPT [25:1336]
:OUTPUT ACCEPT [20:1472]
:POSTROUTING ACCEPT [20:1472]
COMMIT
# Completed on Thu Apr 16 02:07:43 2015
# Generated by iptables-save v1.4.21 on Thu Apr 16 02:07:43 2015
*mangle
:PREROUTING ACCEPT [906:82798]
:INPUT ACCEPT [906:82798]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [818:247489]
:POSTROUTING ACCEPT [818:247489]
COMMIT
# Completed on Thu Apr 16 02:07:43 2015
# Generated by iptables-save v1.4.21 on Thu Apr 16 02:07:43 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -j f2b-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A f2b-SSH -j RETURN
COMMIT
# Completed on Thu Apr 16 02:07:43 2015
And my iptables -L looks like this:

 sudo iptables -L
[sudo] password for kiken:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:EtherNet/IP-1
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:EtherNet/IP-1
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:EtherNet/IP-1
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain f2b-SSH (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
The problem is that only ssh on port 2222 is working, but ports 80 and 443 appear to be blocked, and even though I'm letting pings in, they don't work...

What am I doing wrong here?
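Added example (not code from the original post or from any of the replies): a small POSIX sh script that replays the ruleset above offline, walking the filter INPUT chain in order the way the kernel does, and that parses the "iptables denied: " lines the LOG rule writes. The ruleset and the log excerpt embedded in it are constructed samples modelled on the post; the hostname, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). It walks an
# iptables-save dump the way the kernel walks the INPUT chain so you can see
# which verdict a given inbound packet would get, and it pulls the PROTO/DPT/TYPE
# fields out of the "iptables denied: " log lines the LOG rule produces.
# Both inputs below are constructed samples modelled on the ruleset in the post.

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -j f2b-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A f2b-SSH -j RETURN
COMMIT'

# Constructed /var/log/messages excerpt in the format the LOG target writes.
KLOG='Apr 16 02:10:01 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1234 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=29200 SYN URGP=0
Apr 16 02:10:05 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 16 02:10:09 vps kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 LEN=60 TTL=52 ID=99 DF PROTO=TCP SPT=40000 DPT=25 SYN URGP=0'

# Space-separated, numerically sorted list of TCP ports the filter INPUT chain ACCEPTs.
accepted_tcp_ports() {
    printf '%s\n' "$RULES" | awk '
        /^\*/ { table = $1 }
        table == "*filter" && /^-A INPUT / && /-p tcp/ && /-j ACCEPT$/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# First terminating verdict the INPUT chain gives a new TCP SYN to port $1
# arriving on a non-loopback interface: ACCEPT, DROP, REJECT, or POLICY when
# nothing matched. LOG is non-terminating; a jump to a user chain is treated as
# pass-through, which is right for the f2b-SSH chain above (it only RETURNs)
# but not for a populated fail2ban chain holding REJECT rules for banned hosts.
tcp_input_verdict() {
    printf '%s\n' "$RULES" | awk -v port="$1" '
        /^\*/ { table = $1; next }
        table != "*filter" || !/^-A INPUT / { next }
        {
            proto = ""; dport = ""; iface = ""; dst = ""; state = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "-d") dst = $(i + 1)
                else if ($i == "--state") state = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (proto != "" && proto != "tcp") next      # other protocol
            if (dport != "" && dport != port) next       # other port
            if (iface != "" || dst != "") next           # lo / 127.0.0.0/8 rules do not apply
            if (state != "" && state !~ /NEW/) next      # conntrack state does not match a SYN
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "POLICY" }'
}

# 1 if ICMP echo-request (type 8) is explicitly accepted on INPUT, else 0.
icmp_echo_allowed() {
    if printf '%s\n' "$RULES" | grep -q -e '^-A INPUT -p icmp .*--icmp-type 8 .*-j ACCEPT$'; then
        echo 1
    else
        echo 0
    fi
}

# One line per "iptables denied: " entry: "TCP <dport>", "UDP <dport>" or "ICMP type <n>".
denied_from_log() {
    printf '%s\n' "$KLOG" | grep 'iptables denied: ' | awk '{
        proto = ""; dpt = ""; type = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "TYPE") type = kv[2]
        }
        if (proto == "ICMP") print "ICMP type " type; else print proto " " dpt
    }'
}

printf 'Accepted TCP ports on INPUT: %s\n' "$(accepted_tcp_ports)"
for p in 80 443 2222 8080; do
    printf 'New TCP SYN to port %s -> %s\n' "$p" "$(tcp_input_verdict "$p")"
done
printf 'ICMP echo-request accepted: %s\n' "$(icmp_echo_allowed)"
printf 'Dropped by the LOG rule (count, what):\n'
denied_from_log | sort | uniq -c
```

Run as-is it reports ACCEPT for 80, 443 and 2222, DROP for anything else, and echo-request accepted, which is what the posted ruleset says. If 80 and 443 still do not answer, the firewall rules are not what is blocking them: check whether something is actually listening (ss -ltn on the box) and, on a VPS, whether the provider filters traffic before it reaches the guest. The log parser is the quick tell: a line with PROTO=TCP and DPT=80 under the "iptables denied: " prefix would mean the DROP rule really is eating those packets, and its absence while connections fail points elsewhere.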

certdepot
Posts: 11
Joined: 2013/11/18 13:26:44

Re: Problems with disabled firewalld and installed iptables

Post by certdepot » 2015/04/16 09:15:41

Except if you disabled SELinux, you have to deal with SELinux port labelling (http://www.certdepot.net/rhel7-use-seli ... labelling/).
This could perfectly explain why only ssh on port 2222 is working but ports 80 and 443 appear to be blocked.
Ports tcp 80 and 443 are reserved by httpd when port tcp 2222 is free.

# sepolicy network -p 80
80: tcp http_port_t 80
80: udp reserved_port_t 1-511
80: tcp reserved_port_t 1-511

# sepolicy network -p 443
443: udp reserved_port_t 1-511
443: tcp reserved_port_t 1-511
443: tcp http_port_t 443

# sepolicy network -p 2222
2222: tcp unreserved_port_t 1024-32767
2222: udp unreserved_port_t 1024-32767
You will have to modify the labels of ports 80 and 443 and create a new one for port 2222:

# yum install setroubleshoot-server
# semanage port -m -t ssh_port_t -p tcp 80
# semanage port -m -t ssh_port_t -p tcp 443
# semanage port -a -t ssh_port_t -p tcp 2222
Try this and let us know.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Problems with disabled firewalld and installed iptables

Post by TrevorH » 2015/04/16 10:23:53

You're assuming that the OP doesn't just want to use ports 80 & 443 for their intended purpose with httpd! They don't say they want to use them for ssh.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

kiken
Posts: 3
Joined: 2014/05/20 02:35:55

Re: Problems with disabled firewalld and installed iptables

Post by kiken » 2015/04/17 01:37:00

I have selinux disabled...

sestatus
SELinux status:                 disabled
That shouldn't be a problem, right?
