How to open port in the firewall ?

a4kata · 08-26-2009, 07:58 AM

Here you go

Code:

Chain INPUT (policy ACCEPT 1113K packets, 236M bytes)
 pkts bytes target     prot opt in     out     source               destination

14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
  142 24713 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp spt:2700 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 1250K packets, 836M bytes)
 pkts bytes target     prot opt in     out     source               destination

centosboy · 08-26-2009, 08:04 AM

Quote:

Originally Posted by a4kata

Here you go

Code:

Chain INPUT (policy ACCEPT 1113K packets, 236M bytes)
 pkts bytes target     prot opt in     out     source               destination

14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2700
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:2700
  142 24713 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        tcp spt:2700 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 1250K packets, 836M bytes)
 pkts bytes target     prot opt in     out     source               destination

Code:

14871  742K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710

looks ok.
does it work? if not you may have to add it without the --state flag or add NEW,ESTABLISHED to the states?

linuxlover.chaitanya · 08-26-2009, 08:04 AM

It seems fine. sso-service is the one that uses 2710 port.
But may I know what is the purpose of this all. These all are registered service ports and I have never touched these ports.
What do you want to gain from opening this port? You should be absolutely sure what port you want to open else it could be a big security risk.

kdelover · 08-26-2009, 08:08 AM

Do a netstat -ntulp | grep "2710" or a lsof -i :2710

a4kata · 08-26-2009, 08:11 AM

Yes, I want only 2710 port . I have mistaken 2710 with 2700 now must I close 2700 port ?

linuxlover.chaitanya · 08-26-2009, 08:14 AM

Yes of course. You should not open ports unless you need them or system needs them. I would say do not touch these ports unless you absolutely know what you are doing and how it is going to affect the system and complete setup.

kdelover · 08-26-2009, 08:15 AM

Well close 2700 if you wish to

iptables -t filter -I INPUT -p tcp --dport 2700 -j DROP

centosboy · 08-26-2009, 09:00 AM

Quote:

Originally Posted by kdelover

Well close 2700 if you wish to

iptables -t filter -I INPUT -p tcp --dport 2700 -j DROP

you are in danger of your iptables rules becoming a real mess.
have you actually saved any of these rules??
if not, i suggest restarting iptables so it removes these newly added rules, then readding the rule you need, then issuing an

Code:

iptables-save

If you have saved the rules, edit /etc/sysconfig/iptables and remove the lines of rules you dont need (port 2700) then restart the iptables firewall

a4kata · 08-26-2009, 09:06 AM

I turn on the firewall it seems well :

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

33033 4588K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.
0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.
0.0.0/0

Chain OUTPUT (policy ACCEPT 37326 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination

   79  5442 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

  321 29981 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251
        udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:631
28268 4325K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
 2516  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:25
 1470 76097 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:443
  379 22572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-host-prohibited

Is it really well ?

centosboy · 08-26-2009, 09:09 AM

Quote:

Originally Posted by a4kata

I turn on the firewall it seems well :

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

33033 4588K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.
0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.
0.0.0/0

Chain OUTPUT (policy ACCEPT 37326 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination

   79  5442 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

  321 29981 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251
        udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:631
28268 4325K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
 2516  129K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:2710
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:25
 1470 76097 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW tcp dpt:443
  379 22572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        reject-with icmp-host-prohibited

Is it really well ?

excellent.
it is looking good.

a4kata · 08-26-2009, 09:13 AM

Okay, Thanks for help mates the topic can be closed

kdelover · 08-26-2009, 09:32 AM

Quote:

Originally Posted by centosboy

you are in danger of your iptables rules becoming a real mess.
have you actually saved any of these rules??
if not, i suggest restarting iptables so it removes these newly added rules, then readding the rule you need, then issuing an

Code:

iptables-save

If you have saved the rules, edit /etc/sysconfig/iptables and remove the lines of rules you dont need (port 2700) then restart the iptables firewall

Just wondering how would blocking 2700 make iptables a real mess. I'm pretty new to iptable,let me know if there was anything wrong in writing that above rule

chrism01 · 08-26-2009, 06:39 PM

Its good to be parsimonious with iptables rules. IOW, KISS (Keep It Simple Stupid).

First, if you don't have a server program bound/attached to a specific port eg 2700, then there's no point in having rules relating specifically to that port.
Unfortunately, 'port' is a bad name for this, it implies things can get in if it 'open'. In actual fact, if there's no server listening on that 'port' , then there's no sw to connect to from the outside, so it effectively doesn't exist.

Also, during the above conversation, it maybe wasn't made clear that the unwanted rules eg 2700 should be replaced, not added to, eg blah 2700 accept, followed by blah 2700 drop makes no sense.

In fact, you only need to 'open' the port eg 2710 if the default Policy for that chain is Drop. If it (default Policy) is accept, then no accept rule is required.