LinuxQuestions.org
Old 04-02-2010, 12:48 AM   #1
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Rep: Reputation: 0
[CentOS5.4_x64] How to open up ports in firewall?


Hello everyone,
I'm new to this forum and I would like to ask today how to open up specific ports in Linux firewall (iptables).

Recently I have changed the SSH port in server from 22 to 30022 by typing

Code:
# vi /etc/ssh/sshd_config
Code:
Port 30022

"/etc/ssh/sshd_config" 111L, 3027C

And then for the iptables configuration file:
Code:
# vi /etc/sysconfig/iptables
I've added this line before COMMIT
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 30022 -j ACCEPT
And then I typed
Code:
# service sshd restart
as well as
Code:
# service iptables restart
And the services are restarted successfully.

However, when I attempt to connect to it using PuTTY on port 30022, my Windows PC prompts me with
Code:
Network error: no route to host
The interesting thing is that when I type the below in Linux
Code:
service iptables stop
, my Windows PC can connect to my Linux computer on port 30022.



So the question is...How to configure the iptables properly so that my Windows PC can access the Linux with port 30022?
 
Old 04-02-2010, 01:27 AM   #2
abhilash nair
LQ Newbie
 
Registered: Oct 2006
Posts: 3

Rep: Reputation: 0
Hello,

As you are able to connect after stopping iptables, the issue is surely due to the firewall configuration. Try to execute the commands specified below.

********************
iptables -I INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 30022 -j ACCEPT

service iptables save

service iptables restart
********************

Note: The above will allow any IP address to connect to the SSH port via any IP address on the server (unless you have specified a listen IP address in the SSH configuration file). To allow only a certain IP address to connect to the server on the SSH port, replace "0.0.0.0/0" after the "-s" option with the remote IP address. Also, if you want to be able to connect to the server only through a certain host address, replace "0.0.0.0/0" after the "-d" option with that host IP address.

Please verify and update if you experience any further issues.

--
With Best Regards,
Abhilash V.Nair
 
Old 04-02-2010, 01:56 AM   #3
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Rep: Reputation: 0
hello there,
first of all thanks for your kind reply.

However, as I type:
Code:
[root@CentOS5 ~]# iptables -I INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 30022 -j ACCEPT
An error code shows:
Code:
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
By the way, when I type
Code:
[root@CentOS5 ~]# iptables --help
iptables v1.2.11

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
It appears that the --dport option that you've specified above is missing.

Any suggestions as to how this problem can be circumvented?

Last edited by capitalist; 04-02-2010 at 01:58 AM.
 
Old 04-02-2010, 02:10 AM   #4
abhilash nair
LQ Newbie
 
Registered: Oct 2006
Posts: 3

Rep: Reputation: 0
Hello,

Sometimes iptables will ignore the --dport option if the protocol is not specified. Please try the commands specified below.

********************
iptables -I INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 30022 -j ACCEPT

service iptables save

service iptables restart
********************

Feel free to update for any further assistance. I will be monitoring this thread for some more time.

--
With Best Regards,
Abhilash V.Nair
abhi.vn@gmail.com
 
1 members found this post helpful.
Old 04-02-2010, 02:14 AM   #5
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
The output from "iptables --help" does NOT include --dport, but the man page does (man iptables). The syntax you were given is slightly incorrect. Try this instead:-
Code:
iptables -I INPUT -p tcp -m tcp --dport 30022 -j ACCEPT
Also, I'd advise using a port number below 1024. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.
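A note on why the rule added "before COMMIT" in post #1 did not work while `iptables -I INPUT ...` did: iptables evaluates a chain top to bottom and stops at the first terminating target. In the stock CentOS 5 /etc/sysconfig/iptables the RH-Firewall-1-INPUT chain ends with `-j REJECT --reject-with icmp-host-prohibited`, which a Windows client reports as exactly the "no route to host" error quoted above, so an ACCEPT appended after that REJECT is never reached, whereas `-I INPUT` inserts at the top of INPUT ahead of the jump into that chain. The script below is an added example, not code from the thread or from any of its posters; it constructs a sample rules file laid out like the CentOS 5 default (an assumption about the original poster's file, not something the thread shows), checks whether a port's ACCEPT precedes the chain's REJECT, and emits the file with the order corrected. The `ssh_accept_rule` helper also spells out the `-p tcp` that the `--dport` match requires, which is the cause of the "Unknown arg" error in post #3.

```shell
#!/bin/sh
# Added example, not from the thread. Checks rule ORDER in a saved
# /etc/sysconfig/iptables file: iptables walks a chain top to bottom and
# stops at the first terminating target, so an ACCEPT placed after the
# chain's final REJECT is never evaluated.

# Write a constructed sample (assumed to mirror the stock CentOS 5 layout)
# with a rule for the SSH port added "just before COMMIT", i.e. after the
# chain's REJECT, which is the mistake this script detects.
make_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 30022 -j ACCEPT
COMMIT
EOF
}

# ssh_accept_rule PORT: print the rule line for a TCP port, refusing values
# outside 1-65535. The explicit "-p tcp" matters: --dport belongs to the tcp
# match and is reported as "Unknown arg" without it.
ssh_accept_rule() {
  case "$1" in
    ''|*[!0-9]*) echo "ssh_accept_rule: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
    echo "ssh_accept_rule: port out of range" >&2
    return 1
  fi
  echo "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT"
}

# port_is_reachable FILE PORT: succeed only if a TCP ACCEPT for PORT appears
# in RH-Firewall-1-INPUT before that chain's REJECT rule.
port_is_reachable() {
  awk -v port="$2" '
    /^-A RH-Firewall-1-INPUT / && /-j REJECT/ { rejected = 1 }
    /^-A RH-Firewall-1-INPUT / && /-p tcp/ && /-j ACCEPT/ && !rejected && $0 ~ ("--dport " port "( |$)") { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# fix_rule_order FILE: print the file with the chain's REJECT moved behind any
# RH-Firewall-1-INPUT rules that had been appended after it.
fix_rule_order() {
  awk '
    /^-A RH-Firewall-1-INPUT / && /-j REJECT/ { held = $0; next }
    held != "" && !/^-A RH-Firewall-1-INPUT / { print held; held = "" }
    { print }
  ' "$1"
}

# Stand-alone demo on the constructed sample.
demo_rules=$(mktemp)
make_sample_rules "$demo_rules"
for p in 22 30022; do
  if port_is_reachable "$demo_rules" "$p"; then
    echo "port $p: ACCEPT is reachable"
  else
    echo "port $p: ACCEPT sits after the REJECT and is never reached"
  fi
done
fix_rule_order "$demo_rules" > "$demo_rules.fixed"
port_is_reachable "$demo_rules.fixed" 30022 && echo "after reordering, port 30022 is reachable"
rm -f "$demo_rules" "$demo_rules.fixed"
```

Run `fix_rule_order /etc/sysconfig/iptables` against a copy of the real file and diff the output before replacing it; the scope caveat from post #2 still applies, so narrow `-s` to the administrator's network where the address is known rather than leaving the SSH port open to every source.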
 
Old 04-02-2010, 05:02 AM   #6
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks both of you.
The problem is now solved.

By the way may you elaborate more on your remark here?
Quote:
Also, I'd advise using a port number below 1024. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.
What I don't understand is that if I simply change my SSH port to say, 1023, then I can still lure a completely-new-to-Linux person to connect to my Linux through putty.
So what are the special features for ports below 1024?
 
Old 04-02-2010, 05:12 AM   #7
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 5&6 CentOS 5, 6 & 7
Posts: 572

Rep: Reputation: 56
If you are connecting to your server from an external location - e.g. you are connecting to your home network when you are at work - then if your ssh connection is running on a privileged port it is more likely to be un-compromised (i.e. not hacked) than if it was running on a port above 1024. When it is running above 1024, you can't necessarily trust it.

Suppose someone hacked your server. If you have ssh running on a port over 1024 then they might have also hijacked that process to their own ends. If the service is running on a privileged port, then you can safely assume that the root user has started the process, not a hacker (assuming of course the hacker hasn't gained root access). Only the root user can use ports below 1024.

It isn't about luring anyone, it is knowing yourself that the server process has not been hacked itself. You're protecting your network by using a port below 1024.

Last edited by blacky_5251; 04-02-2010 at 05:13 AM.
 
1 members found this post helpful.
Old 04-02-2010, 11:12 AM   #8
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Rep: Reputation: 0
Very detailed yet clear explanation. Thanks
 
Old 04-05-2010, 11:51 AM   #9
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Rep: Reputation: 0
Hey, by the way, I would also like to do "ssh tunneling"; however, here's a problem:
I used PuTTY to forward internet traffic from my Windows machine to the Linux machine (SSH > Tunneling > port 8080 (dynamic)).
And then I opened my Windows Firefox browser and set the proxy to localhost:8080.
When I tried to enter any web page using Firefox on Windows, a blank screen was displayed.
Any suggestions as to how I may circumvent this problem?

Here is my /etc/ssh/sshd_config file(if it helps):
Code:
#	$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 30022
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

Last edited by capitalist; 04-05-2010 at 11:54 AM.
 
Old 04-05-2010, 12:49 PM   #10
capitalist
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Rep: Reputation: 0
[solved]

Quote:
Originally Posted by capitalist View Post
Hey, by the way, I would also like to do "ssh tunneling"; however, here's a problem:
I used PuTTY to forward internet traffic from my Windows machine to the Linux machine (SSH > Tunneling > port 8080 (dynamic)).
And then I opened my Windows Firefox browser and set the proxy to localhost:8080.
When I tried to enter any web page using Firefox on Windows, a blank screen was displayed.
Any suggestions as to how I may circumvent this problem?

I actually solved it by filling in the fields in the SOCKS proxy section only, and not other sections such as HTTP.
 
Old 04-05-2010, 12:53 PM   #11
gumaheru
LQ Newbie
 
Registered: Nov 2009
Posts: 20

Rep: Reputation: 0
I have conflicting thoughts about the service ports. First, it doesn't matter which ports you put the services on. No one cares if the ports are below 1024. These ports are, yes, root-only privileged. But if you read around, best practices state that you should give a higher port with a random number to specify services on, so that so-called hackers don't see the typical port numbers and know off the top what the services are. Secondly, if you are worried about port numbers and who they are seen by from the outside world, you should set the default port in your firewall rules, then re-route it internally to the host and the specified service port. If you have your host facing the public without being behind a firewall and you are just worried about what the port numbers look like, you are going to be in more of a world of pain than you expect.
 