Linux - Newbie
I want to disable a specific port on a CentOS-based server.
I have already tried disabling the port from CSF and from iptables by adding a DROP rule, but it does not work for me. Does anyone know any other way, or the exact process, in case I did it the wrong way?
Thanks in advance.
Sinclair J
Last edited by colucix; 10-05-2012 at 11:42 AM.
Reason: removed unrelated link
Dropping traffic and disabling a port aren't the same thing.
What port?
Is this inbound to your machine? Outbound from it?
Why are you trying to "disable" it?
If you run "lsof -i :<port>" for the port in question do you see anything on it?
What exactly do you have in your iptables configuration (the entire config, not just the line you think should have fixed it; location in the rules makes a difference)?
If you have a service listening on a given port, rather than creating rules to drop traffic to it, it would make more sense simply NOT to start that service.
What version of CentOS (cat /etc/issue)?
If you tell us the answer to the above questions we may be able to give you better answers.
Port 2086 does not use SSL, but you can force your users to use a secure connection by selecting 'Always redirect to SSL' under 'Tweak Settings' in your WHM at https://your-domain.tld:2087.
If you run "service iptables status" what does it show?
Essentially, if you have iptables turned on and have NOT opened a given port, it is by default closed to anything other than "localhost". That is because by default both the INPUT and FORWARD chains reject everything as the last rule, and you have to insert rules to open things:
Code:
Table: filter
Chain INPUT (policy ACCEPT)
num  target  prot opt source       destination
1    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:5432
6    ACCEPT  tcp  --  192.168.1.1  0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:5666
7    ACCEPT  tcp  --  192.168.1.5  0.0.0.0/0    state NEW,ESTABLISHED tcp dpts:666
8    ACCEPT  tcp  --  192.168.1.7  0.0.0.0/0    state NEW,ESTABLISHED tcp dpts:667
9    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:13724
10   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:1311
11   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:13782
12   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:1556
13   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:5433
14   REJECT  all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target  prot opt source       destination
1    REJECT  all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source       destination
The above ruleset specifically allows certain IPs to reach certain ports and allows everyone to reach others (e.g. port 22), but any port NOT allowed before the REJECT line will not be accessible, because that rule says to reject everything. Also, as an alternative to rejecting the port completely, you can do as is done for port 5666, for example, and allow only one IP to reach it; all other IPs would get rejected. You can also restrict access to certain networks/subnets.
Rose's idea may be a better one for what you want to achieve. I've not done this in a WHM/Cpanel setup.
Again, please post your ENTIRE iptables output. The location of the rules makes a difference, and by showing us only a subset you leave us unable to determine whether you have placed them properly.
Also, you shouldn't need both "DROP" and "REJECT" for the same port. You can combine udp/tcp into one by using "all" rather than specifying "tcp" and "udp" on separate lines.
# iptables -I INPUT 'line number you want to insert the rule' -p tcp --dport 2086 -j REJECT
The insert is a good way to do things, but the "line number you want to insert" is very important. Typically you have to determine the number of lines in the specific chain (e.g. the INPUT chain), then insert no fewer than TWO lines above the last line there for proper placement.
Since the OP isn't letting us know his full setup, it's difficult to say where he has the rules.
Also, we haven't talked about ip6tables; it is barely possible he has IPv6 accessibility and is somehow tripping on that.
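As an added example (my own script, not anything posted in this thread), here is a shell helper for the placement problem discussed in the two replies above: a per-port REJECT must sit above the catch-all "REJECT all" at the end of INPUT, or it never matches. It reads the output of `iptables -L INPUT -n --line-numbers` (the same format as the listing quoted above) so it can be exercised on a saved copy without root or a live firewall: it finds the rule number of the catch-all REJECT/DROP, checks whether a rule for the port already exists, builds the `iptables -I INPUT <n>` command so the new rule lands immediately above the catch-all, and, given a fresh listing taken after the change, confirms the port rule precedes the catch-all. The embedded listings are constructed by trimming the one quoted above; port 2086 is the OP's, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Operates on saved output of
# `iptables -L INPUT -n --line-numbers`, so no root is needed to run it.

# Constructed listing, trimmed from the one quoted in the thread.
LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source       destination
1    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW,ESTABLISHED tcp dpt:5432
6    REJECT  all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited'

# Print the number of the first catch-all rule: target REJECT or DROP, proto
# "all", any source and destination, and no port/state match. A new per-port
# rule inserted at this number pushes the catch-all down one slot, so the new
# rule is evaluated first.
catchall_rule_num() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
        $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && $0 !~ /dpt|spt|state/ { print $1; exit }'
}

# Print the numbers of rules that already match the given TCP destination port,
# so the caller can avoid adding a duplicate. "dpt:22" must not match "dpt:1322".
rules_for_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("(^|[^0-9])dpt:" p "([^0-9]|$)") { print $1 }'
}

# Build the iptables command for port $2 with action $3 (REJECT or DROP).
# With no catch-all present, appending is safe; otherwise insert above it.
insert_command() {
    n=$(catchall_rule_num "$1")
    if [ -z "$n" ]; then
        echo "no catch-all REJECT/DROP in INPUT; appending" >&2
        printf 'iptables -A INPUT -p tcp --dport %s -j %s\n' "$2" "$3"
    else
        printf 'iptables -I INPUT %s -p tcp --dport %s -j %s\n' "$n" "$2" "$3"
    fi
}

# Verification after the change: succeed only if some rule for port $2 has a
# lower number than the catch-all, i.e. it is reached before "REJECT all".
port_rule_precedes_catchall() {
    first=$(rules_for_port "$1" "$2" | head -n 1)
    ca=$(catchall_rule_num "$1")
    if [ -n "$first" ] && [ -n "$ca" ] && [ "$first" -lt "$ca" ]; then
        return 0
    fi
    return 1
}

# Constructed "after" listings: GOOD has the 2086 rule inserted above the
# catch-all; BAD has it appended with -A, below the catch-all, where it is dead.
GOOD="$(printf '%s\n' "$LISTING" | sed '/^6 /d')
6    REJECT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:2086
7    REJECT  all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited"
BAD="$LISTING
7    REJECT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:2086"

# Stand-alone run: show the command to use and check both outcomes.
echo "command to run: $(insert_command "$LISTING" 2086 REJECT)"
port_rule_precedes_catchall "$GOOD" 2086 && echo "GOOD: 2086 rule is above the catch-all"
port_rule_precedes_catchall "$BAD" 2086 || echo "BAD: 2086 rule is below the catch-all (never matches)"
```

To use it on a real box, save `iptables -L INPUT -n --line-numbers` to a file, feed its contents to `insert_command`, run the printed command, then re-list and feed the new listing to `port_rule_precedes_catchall` before saving the ruleset. The same check applies to `ip6tables -L INPUT -n --line-numbers` if IPv6 is in play; the catch-all line there uses `::/0` instead of `0.0.0.0/0`, so the awk test would need that adjusted.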
# iptables -I INPUT 'line number you want to insert the rule' -p tcp --dport 2086 -j REJECT
I have tried this. One more thing I noticed: an improper sequence of ACCEPT and REJECT rules. Then I reloaded the iptables rules, and now my problem is resolved.
Please clear up one more doubt of mine: if the server has CSF, does it get stuck with the iptables rules while working or not? Because when I flush the iptables rules, the server hangs for me.