LinuxQuestions.org
Old 08-26-2009, 08:58 AM   #16
a4kata
Member
 
Registered: Aug 2009
Posts: 30

Original Poster
Rep: Reputation: 0

Here you go

Code:
Chain INPUT (policy ACCEPT 1113K packets, 236M bytes)
 pkts bytes target     prot opt in     out     source               destination

14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
  142 24713 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp spt:2700 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 1250K packets, 836M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Old 08-26-2009, 09:04 AM   #17
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Quote:
Originally Posted by a4kata
Here you go

Code:
Chain INPUT (policy ACCEPT 1113K packets, 236M bytes)
 pkts bytes target     prot opt in     out     source               destination

14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
  142 24713 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp spt:2700 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 1250K packets, 836M bytes)
 pkts bytes target     prot opt in     out     source               destination

Code:
14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710


Looks ok.
Does it work? If not, you may have to add it without the --state flag, or add NEW,ESTABLISHED to the states?
 
Old 08-26-2009, 09:04 AM   #18
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Rep: Reputation: Disabled
It seems fine. sso-service is the one that uses port 2710.
But may I know what the purpose of all this is? These are all registered service ports and I have never touched these ports.
What do you want to gain from opening this port? You should be absolutely sure what port you want to open, else it could be a big security risk.
 
Old 08-26-2009, 09:08 AM   #19
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
Do a netstat -ntulp | grep "2710" or an lsof -i :2710
 
Old 08-26-2009, 09:11 AM   #20
a4kata
Member
 
Registered: Aug 2009
Posts: 30

Original Poster
Rep: Reputation: 0
Yes, I want only port 2710. I mistook 2710 for 2700; now must I close port 2700?
 
Old 08-26-2009, 09:14 AM   #21
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Rep: Reputation: Disabled
Yes, of course. You should not open ports unless you need them or the system needs them. I would say do not touch these ports unless you absolutely know what you are doing and how it is going to affect the system and the complete setup.
 
Old 08-26-2009, 09:15 AM   #22
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
Well, close 2700 if you wish to:

iptables -t filter -I INPUT -p tcp --dport 2700 -j DROP
 
Old 08-26-2009, 10:00 AM   #23
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Quote:
Originally Posted by kdelover
Well, close 2700 if you wish to:

iptables -t filter -I INPUT -p tcp --dport 2700 -j DROP
You are in danger of your iptables rules becoming a real mess.
Have you actually saved any of these rules?
If not, I suggest restarting iptables so it removes these newly added rules, then re-adding the rule you need, then issuing an

Code:
iptables-save
If you have saved the rules, edit /etc/sysconfig/iptables and remove the lines of rules you don't need (port 2700), then restart the iptables firewall.
 
Old 08-26-2009, 10:06 AM   #24
a4kata
Member
 
Registered: Aug 2009
Posts: 30

Original Poster
Rep: Reputation: 0
I turned on the firewall; it seems fine:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

33033 4588K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37326 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination

   79  5442 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

  321 29981 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251
        udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:631
28268 4325K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
 2516  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:25
 1470 76097 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:443
  379 22572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-host-prohibited
Is it really fine?
 
Old 08-26-2009, 10:09 AM   #25
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Quote:
Originally Posted by a4kata
I turned on the firewall; it seems fine:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

33033 4588K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37326 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination

   79  5442 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

  321 29981 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251
        udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:631
28268 4325K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
 2516  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:25
 1470 76097 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:443
  379 22572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-host-prohibited
Is it really fine?


Excellent.
It is looking good.
 
Old 08-26-2009, 10:13 AM   #26
a4kata
Member
 
Registered: Aug 2009
Posts: 30

Original Poster
Rep: Reputation: 0
Okay, thanks for the help, mates. The topic can be closed.
 
Old 08-26-2009, 10:32 AM   #27
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
Quote:
Originally Posted by centosboy
You are in danger of your iptables rules becoming a real mess.
Have you actually saved any of these rules?
If not, I suggest restarting iptables so it removes these newly added rules, then re-adding the rule you need, then issuing an

Code:
iptables-save
If you have saved the rules, edit /etc/sysconfig/iptables and remove the lines of rules you don't need (port 2700), then restart the iptables firewall.
Just wondering how blocking 2700 would make iptables a real mess. I'm pretty new to iptables; let me know if there was anything wrong in writing the above rule.
 
Old 08-26-2009, 07:39 PM   #28
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
It's good to be parsimonious with iptables rules. IOW, KISS (Keep It Simple, Stupid).

First, if you don't have a server program bound/attached to a specific port, e.g. 2700, then there's no point in having rules relating specifically to that port.
Unfortunately, 'port' is a bad name for this; it implies things can get in if it's 'open'. In actual fact, if there's no server listening on that 'port', then there's no sw to connect to from the outside, so it effectively doesn't exist.

Also, during the above conversation, it maybe wasn't made clear that the unwanted rules, e.g. 2700, should be replaced, not added to; e.g. blah 2700 accept, followed by blah 2700 drop, makes no sense.

In fact, you only need to 'open' the port, e.g. 2710, if the default Policy for that chain is Drop. If it (the default Policy) is Accept, then no accept rule is required.
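To check a rule set for the two mistakes discussed in this thread, a DROP added behind an ACCEPT for the same port and ACCEPT rules that do nothing because the chain policy is already ACCEPT (with the caveat that a chain ending in a catch-all REJECT, like RH-Firewall-1-INPUT above, still needs them), here is an added example that parses `iptables -nvL` output. It is not code from any poster, and the listing embedded in it is a constructed sample modelled on the ones posted above.

```python
import re

# Constructed sample in `iptables -nvL` format, modelled on this thread's listings: an ACCEPT
# for port 2700 with a DROP added behind it, and RH-Firewall-1-INPUT ending in a catch-all REJECT.
SAMPLE = """\
Chain INPUT (policy ACCEPT 1113K packets, 236M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2516  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2710
  379 22572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
PORT_RE = re.compile(r"\bdpt:(\d+)")

def parse_chains(text):
    """Return {chain: (policy or None, [(target, dport or None), ...])}. Match text
    wrapped onto the next line (as when copied from a terminal) is folded into its rule."""
    chains, rules = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m, port = CHAIN_RE.match(line), PORT_RE.search(line)
        if m:
            rules = []
            chains[m.group(1)] = (m.group(2), rules)
        elif line and line.split()[0].rstrip("KMG").isdigit():  # pkts column: new rule
            rules.append([line.split()[2], int(port.group(1)) if port else None])
        elif port and rules:                                    # wrapped match text
            rules[-1][1] = int(port.group(1))
    return {c: (pol, [tuple(r) for r in rs]) for c, (pol, rs) in chains.items()}

def audit(text):
    """Per-port findings: ACCEPT followed by DROP for one port (the DROP never fires) and
    an ACCEPT that is redundant because the policy is ACCEPT and no catch-all DROP/REJECT follows."""
    findings = []
    for chain, (policy, rules) in parse_chains(text).items():
        catch_all = any(t in ("DROP", "REJECT") and p is None for t, p in rules)
        by_port = {}
        for target, port in (r for r in rules if r[1] is not None):
            by_port.setdefault(port, []).append(target)
        for port, targets in sorted(by_port.items()):
            if "ACCEPT" in targets and "DROP" in targets[targets.index("ACCEPT"):]:
                findings.append((chain, port, "accept-then-drop"))
            if policy == "ACCEPT" and not catch_all and "ACCEPT" in targets:
                findings.append((chain, port, "redundant-accept"))
    return findings
```

Feed it the output of `iptables -nvL` instead of SAMPLE to audit a live box; the 2710 ACCEPT in RH-Firewall-1-INPUT is correctly left alone because the chain's final REJECT would otherwise block it.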
 
  

