Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I think part of the problem may be the -m state portion of your iptables line in that you don't allow established connections to pass through. I would suggest for starters removing the state portion and focus on the protocol, destination and source.
Also, do you have an application listening on port 177? You can confirm that the program is listening on the port and protocol using netstat, eg: 'netstat -ntp | grep 177' and you should see the application.
Next, you can use nmap against your (external) ip address to see if the connection is open through to the application.
I think part of the problem may be the -m state portion of your iptables line in that you don't allow established connections to pass through. I would suggest for starters removing the state portion and focus on the protocol, destination and source.
Also, do you have an application listening on port 177? You can confirm that the program is listening on the port and protocol using netstat, eg: 'netstat -ntp | grep 177' and you should see the application.
Next, you can use nmap against your (external) ip address to see if the connection is open through to the application.
Thanks Noway2,
According to your suggestion, sould I change iptalbes like this?
"-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 177 -s mypc.com -j ACCEPT"
About "netstat -ntp | grep 177", there is nothing.
Vinodvb is correct, drop the --state portion because it will cause to drop established connections, which is what they become after they pass through the new state.
Re the netstat command returning nothing, this indicates that there is no process behind the firewall listening on this port. Without an application opening a port in the firewall is meaningless. The reason I asked this question is because 177 seemed like an odd choice of port number. Do you plan on using a particular application for these connections?
Yes, I want to connect my local pc to remote connect through xmanager. But I have a big problem.
The manager at IDC installed iptables on my remote server for security.
As you can understand I am not an exprt of Linux. So I tried to connect remote server for 4 months.
I added this codes to remote server's iptables, but I received an error message.
Quote:
# Xmanager
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6000:6010 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7100 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 7100 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 177 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 177 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s mypc.com -j ACCEPT
error message
Quote:
[root@remote_server ~]# /usr/bin/xterm -ls -display $DISPLAY
Warning: This program is an suid-root program or is being run by the root user.
The full text of the error or warning message cannot be safely formatted
in this environment. You may get a more descriptive message by running the
program as a non-root user or by removing the suid bit on the executable.
/usr/bin/xterm Xt error: Can't open display: %s
[root@remote_server ~]# [16:43:35] Stop timer (TIMER_SHUTDOWN).
[16:43:35] Connection closed.
I am pretty certain that IP tables is built into the Linux kernel itself rather than being an application that is installed. Consequently, it is always there. It can however, be disabled, at least temporarily. In a Linux environment, this is even relatively safe to do because unlike Windows, unless an application is running and listening on a port, it is closed. This means that a firewall acts more as a second layer of protection to keep you from inadvertently opening a port unintentionally rather than a primary layer that is required to keep you from become infected with Malware.
In order to test whether or not iptables is the problem, you can issue the command iptables -F (-F for flush) which will clear all the rules and should cause it to accept all connections. I recommend this as a test to verify whether or not the iptables rules are causing your problems, not as a permanent fix.
The error message you received in response to your command was caused by you running the command as 'root' as seen by root@remote_server, which is not a safe practice. When you execute a program it assumes the permissions of the user's account that started it. If the account was root, that application will have unfettered access to do almost anything to the system. Some programs must run with this level of privilege when started by non root users and this is accomplished by the setuid permission bit, which is the other reference in your error message.
I have never used xmanager before, but it looks like an interesting application. I would first recommend that you try running your application as a regular user. If you need help with getting that running, LQ can help with that.
As far as your iptables commands go, I see two problems. First, I suggest you remove the '-m state --state NEW' portions. The rules will allow connections from mypc.com on the ports specified without it, which is what you want. Second, when you write iptables rules, think of them as a waterfall. If a rule 'matches' it will stop and execute that rule and no rules below will be looked at. Therefore, your -j REJECT looks like it will cause all rules below it to be ignored, in which case you may not be opening port 177 in your firewall for xmanager to connect. I would put that rule at the very bottom of the list. That command MAY work only on ICMP traffic, in which case my last sentence is a non issue - again one way to test is to temporarily flush your iptables.
According to your instruction, I changed my iptables as follows;
Quote:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d idc's server -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s mypc.com -j ACCEPT
# Xmanager
-A RH-Firewall-1-INPUT -p tcp --dport 6000:6010 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 6000:6010 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 7100 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 7100 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 177 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 177 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 3306 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --sport 3306 -s mypc.com -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
About "iptables -F", after entering this command my ssh connection of putty was disconnected and I could not connect again. Also I could not open web from remote server.
About the user of xmanager, I have changed my id of remote server. But still I could not connect my remote server.
It looks like your default policy is set to DROP rather than accept. With this setting, flushing the firewall must have closed all the connections rather than clearing them. My apologies, I should have mentioned to check / change that before issuing the flush command. You can achieve a similar effect by placing a catch all drop statement at the end of the list and setting the policy to ACCEPT so that flushing clears everything instead of closing the ports.
From what I can tell your latest set of rules looks pretty good. You are accepting DNS traffic, accepting new connections on telnet and ssh from a specified address, accepting established connections, and various ports from your 'mypc' for Xmanager.
Some other hints to keep in mind as you work on this: you can also use namp on your system to verify which ports are open and you can use netstat to see if a program is listening on the port. Sometimes looking at the output of ps (and grepping for the program name) can be useful if you don't see a process listening / open port that you expect. If you don't see the program running via ps, often times syslog will contain an entry that helps point to the problem. An error in a configuration file, for example, can keep programs from starting.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.