Hi,

So, I am learning meteor.js and signed up for a (cheap, i.e no support) VPS to host my Meteor app. Everything is running fine but I am trying to understand better how Linux works so here is my question:

I am running CentOS 7 on the VPS but it still uses iptables for its firewall.

I had to enable port 80 to access the web server. However, if I reboot the server, it stops working until I do
Then everything works. But I am thinking that -F might not be the best thing. I have changed the default SSH port from 22 to something else and that also works but I don't think I ever added it to the iptables rules.

If I do a port scan, the new SSH port is indicated as open as well as port 80 but others are closed as they are supposed to be.

Any idea what is doing on behind the scenes that requires iptables -F for the web access to work properly and if I shouldn't be doing iptables -F (I have it in the rc.local file), what is the right way of doing it?

(BTW, I am computer literate but not that familiar with Linux, which I am trying to learn now.)


Kamal

deletes all rules in all chains, so it effectively unblocks everything. Try before and after the -F action to see what changes.

jlinkels

1 members found this post helpful.

OK, I wasn't sure whether -F unblocks everything or by clearing the iptables rules, blocks everything. Thanks for clearing that up.

So, why is it that when I do a port scan, it shows that most ports are blocked, except port 80 and the ssh port? Maybe I don't understand how ports or iptables work exactly. I do see that the INPUT, OUTPUT in iptables are empty when I do a iptables -L

Oh, btw, ftp doesn't even work until I do
I haven't set ftp to start automatically when the server boots as added security.

The reason I need to really understand how this works is because I am writing a tutorial for other n00bs like me to get their Meteor app running on VPS since I had a hard time figuring it out and I don't wanna put any info out there that will compromise the security of anyone following my tutorial who is also just starting out with Linux and running their own servers.

I am not sure the ports are really blocked. I think that there is simply no service running listening to those ports.

Do a and I expect just port 22 and 80 LISTENing.

IPtables sits between your eth0 interface and all those tcp or upd processes. And then really blocks traffic from eth0 to a port, depending on a lot of parameters. Usually a server which is connected to the internet does not even have IPTables running if it does not do port forwarding. Such a server is simply configured not to have any services running which are not needed.

It is normal that nothing listens to an FTP port if FTP is not started. As per the last sentence in the paragraph above.

I can't explain IPTables in this post, but I'd recommend some reading on IPTables and firewalls. This one is not too bad: http://www.thegeekstuff.com/2011/01/...-fundamentals/

But read carefully and let it sink in. It is not that easy.

jlinkels

1 members found this post helpful.

Thanks again. I will read the info you provided and post back if I have specific questions.

Well, one thing real quick. If I have to do iptables -F to get things to work, is that a BIG NO NO? I mean, as I said, I am writing a tutorial for others; if I am telling them they have to do this to get their Meteor app running on their own VPS, am I spreading evil? It's cool, you can be honest and let me have it straight.

Well, you are turning off the firewall.
That in itself is neither good nor evil.

Some people rely on a firewall to restrict access to running services on their box.
Personally, I think it is better to not run unnecessary services, or to restrict the interfaces that they listen on.

You would probably be better off advising your readers to add a rule to ALLOW the necessary ports for your app.

1 members found this post helpful.

I'd say you shouldn't suggest turning off the iptables. That can obviously be quite a big security problem, especially with bots or other automated systems that can brute-force (ssh etc.) and so on. You should read a little about the basics of iptables first. (as an aside: in Centos 7, iptables was replaced by firewalld, but I guess someone installed iptables back on that VPS (which is not a bad thing at all, I've done it myself because I'm more familiar with it).

If you're not doing any NAT, then you should only be interested in the INPUT and OUTPUT chain which you can see with iptables -vnL INPUT and iptables -vnL OUTPUT commands. But there's too much explanation to do to be able to write in a single post about it, as previously said. So if you want to know stuff about iptables, you can ask some other specific questions to which you might get answers.

1 members found this post helpful.