Red Hat 7.3 firewall settings?

[safra]

Hi,

I asked this question on another linux board but no positive results after several posts.

This is the problem:

I am experimenting with a perl socket server. Locally everything works fine but I can not get access to the socket server from a remote system. I do get access to the html page with the embedded multi user application.

I think this has to do with a firewall security issue.

if I do:
nmap -sS -O localhost

the port I am using for the socket server is not on the list with open ports.

How can I open this specific port for all tcp traffic?

Others advised me to install firestarter, but this doesnot allow to open ports. Then they referred me to the files 'firewall.sh' and 'allow-all' but I have no idea what to put in those files.

Can anyone here guide me on how to open a port?

Thanks you,
Ron

 

[flawless69]

What firewall are you running? (iptables or ipchains)? --Derek

"Fear not the storm for this is where we grow strong."

 

[safra]

I did:

chkconfig --list

it returns: ipchains and firestarter

to move to iptables,

I tried:
chkconfig ipchains off
chkconfig firestarter off

and then:
rmmod ipchains

which returns:
ipchains: device or resource busy

and
insmod ip_tables

which gave me some error messages

Are my commands correct?

To open the port through iptables I wanted to try:

iptables -A INPUT -p tcp -i eth0 -dport 9000 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -dport 9000 -j ACCEPT

Thanks,
Ron

 

[LarryTheCucumber]

Use

/etc/init.d/ipchains stop
rmmod ipchains
chkconfig iptables start
/etc/init.d/iptables start

if you need to restart iptables

.etc/init.d/iptables restart

 

[safra]

Thanks Larry!

Am I right that after,

/etc/init.d/ipchains stop
rmmod ipchains

there is no protection running at all?

nmap -sS -O localhost
still only shows around 6 open ports and not the one I am trying to use. Does "nmap -sS -O localhost" show all open ports or is it possible that other ports are also open.

What I am trying to do now is first get rid of all security (this is no problem as I am on at testing system) to be sure that all ports are open so the server can receive and send data back through the open port. If I still can't connect from a remote machine then I am at least sure the reason why I can't connect to the socket server remotely is not a security issue.

Could it be a problem with firestarter?

I tried:
firestarter stop

this returned some errors among which
GnomeUI warnings and 'firewall script restarted'

How can I remove firestarter completely as it doesn't seem to help me with this.

One other thing to eliminate any other possible problem:

http://localhost/socket_server.html

everything works.

http://my.ip.here/socket_server.html

flash movie loads but connection with socket is NOT made

if the port I am using is open, should the second url then work as well from the local system?

Thanks,
Ron

 

[flawless69]

For the nmap question, it could be that it is only checking the first 1024 ports. I can't remember for sure but I think that is how nmap works on default without specifying a port range (i.e. 0-32767). --Derek

"Fear not the storm for this is where we grow strong."

 

[LarryTheCucumber]

I was wrong on the chkconfig iptables

chkconfig iptables on (runlevel)

You could use

/etc/init.d/iptables stop

rmmod iptables

this should remove the fw protection ( For testing only!).

I use firestarter for simple firewalls
and firewall builder for complex firewalls.
Read the REQ and tutorial first if you decide to use it.
If so, then create the specific ports you wish to have open.

Use netstat to find which ports are listening.

 

[safra]

Thanks guys,

flawless69:

it says, "interesting ports on localhost". This made me think that perhaps there are more ports open. port 6000 is listed as well so it is checking above 1024 too.

Larry:

I will try the iptables later on, first I like to figure out why this socket connection isn't working.

I tried:
netstat -a
the port I am using is on the list in 'listen' mode. Does this mean that the port is open and can be accessed remotely or is this not necessarily the case and is it only listed because of the perl script.

But when I try:
netstat -t (which, according to some information I found, should list all tcp sockets).

nothing appears but 'active internet connection (w/o servers)' and some headers. Or does 'netstat -t' only show details about actual data transfers that have passed tcp sockets and not the state of the sockets?

Meanwhile, accessing the socket server through '

http://localhost/socket_server.html'

now doesn't work either! In the browser a dialog box appears, saying 'connect: connection refused'.

What could I possibly have done, that makes accessing the socket server through 'localhost' failing too now??

Ron

 

[safra]

I re-installed linux and managed to stop ipchains and start iptables.

to open port 9000, I tried:
iptables -A INPUT -p tcp -i eth0 -dport 9000 -j ACCEPT

which returned:
Bad argument '9000'

is this an error in the command or something else?

Thanks,
Ron

 

[LarryTheCucumber]

At a prompt type
iptables -L and please post the results.

 

[LarryTheCucumber]

Try this

iptables -A INPUT -p tcp -i eth0 --dport 9000 -j ACCEPT

Note: two dashes in from of dport

 

[safra]

iptables -L returns:

chain INPUT (policy ACCEPT)
target prot opt source destination

chain FORWARD (policy ACCEPT)
target prot opt source destination

chain OUTPUT (policy ACCEPT)
target prot opt source destination


I tried:
iptables -A INPUT -p tcp -i eth0 --dport 9000 -j ACCEPT

this time it did not return an error but I tested the port at one of the online web sites that test your ports and it still gave a CLOSED on the specific port!

Is there a command that checks if a specific port is open?

Thanks
Ron

 

[LarryTheCucumber]

By those rules the default policy is to accept all connections. Use netstat -a verify that port is listening.
Try telnet (address) 9000 And post what that displays.

If it is not available you should get

Could not open a connection to host on port 9000

If it is the firewall it will/might give you

Connection to host lost.

This is using W2K telnet.

This might not work since I'm not sure how your script opens the socket.

 

[safra]

Not sure if this is relevant but here is how the connection is made through the perl file:

$main = new IO::Socket::INET (LocalHost => 'localhost',
LocalPort => 9000,
Listen => 5,
Proto => 'tcp',
Reuse => 1 ) || die $!;

netstat -a does return that the port is listening and is able to establish a connection when using '

http://localhost/xml_socket.html'.

When I try '

http://my.ip.here/xml_socket.html'

netstat -a returns TIME_WAIT in the right hand column STATE. Then after a minute or so, this particular connection is not on the list anymore when doing another netstat -a. What does this mean?

About telnet, I did:
telnet (my.ip.here) 9000

returned:
telnet: connect to address my.ip: Connection refused

Hmmm, doesn't sound good, right?

Ron

 

[LarryTheCucumber]

This might be totally off. By the netstat that is a connection. But what are the rights on the file?

If you can run it locally and not remotely, it sounds like a rights issue at this point.

 

[safra]

Permission on the perl file are set ok (all users can read and execute the script 755), and this file is running (looping) in the background all the time after having been exucted so actually I am not sure if remote users should be able to execute the script anyway?

But what about "connection refused" after the telnet command? This seems as if the port is still not open.

Which file does contain the actual firewall configuration. Perhaps I can change something in there manually (based on the code that is used to open other ports). For example port 6000 is scanned as being open by this web site that test your ports and using port 6000 in the telnet command also results in a connection. Perhaps I can just copy and paste that code and change the port number? or is this a bad idea?

Ron

 

[LarryTheCucumber]

I'm at a loss all I can think of is turn off iptables -no firewall - and then test your script. Then turn on iptable and use firewall builder to create the rules you need.

 

[safra]

As I am new to linux and security I am kinda lost here from the early beginning of this problem

Someone who tried to help me with as well this said it might be a problem with the router?

Thanks anyway for all the help, it is very much appreciated!

Ron

 

[LarryTheCucumber]

If you can, Connect the Linux box and a workstation to a hub by themselves.
on the Linux box use ipatbles -f this will flush all the rules. then do /etc/init.d/iptables stop
Set the ip address on the W/S to the same network as the Linux box. Set the default gateway on the Linux box to it's own IP address. Set the default gateway on the W/S to the IP address of the Linux box. Open your W/S browser and try your app.

 

[safra]

I'm aftraid I can't.

What I did try is, change the gateway of the linux box to it's own ip and try to access the app through this ip from the linux box. Same story, flash movie loads but connection with perl socket server fails.

Was this a useless attempt or does it say something about the problem?

Ron