LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 01-26-2015, 04:26 PM   #1
kamal93
LQ Newbie
Registered: Jan 2015
Location: Planet Earth
Distribution: CentOS
Posts: 4

iptables question

Hi,

So, I am learning meteor.js and signed up for a (cheap, i.e. no support) VPS to host my Meteor app. Everything is running fine but I am trying to understand better how Linux works so here is my question:

I am running CentOS 7 on the VPS but it still uses iptables for its firewall.

I had to enable port 80 to access the web server. However, if I reboot the server, it stops working until I do
Code:
iptables -F
Then everything works. But I am thinking that -F might not be the best thing. I have changed the default SSH port from 22 to something else and that also works but I don't think I ever added it to the iptables rules.

If I do a port scan, the new SSH port is indicated as open as well as port 80 but others are closed as they are supposed to be.

Any idea what is going on behind the scenes that requires iptables -F for the web access to work properly and, if I shouldn't be doing iptables -F (I have it in the rc.local file), what is the right way of doing it?

(BTW, I am computer literate but not that familiar with Linux, which I am trying to learn now.)


Kamal
 
Old 01-26-2015, 05:53 PM   #2
jlinkels
Senior Member
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,523

Code:
iptables -F
deletes all rules in all chains, so it effectively unblocks everything. Try
Code:
iptables -L
before and after the -F action to see what changes.

jlinkels
 
Old 01-26-2015, 07:24 PM   #3
kamal93
LQ Newbie
Registered: Jan 2015
Location: Planet Earth
Distribution: CentOS
Posts: 4
Original Poster

OK, I wasn't sure whether -F unblocks everything or by clearing the iptables rules, blocks everything. Thanks for clearing that up.

So, why is it that when I do a port scan, it shows that most ports are blocked, except port 80 and the ssh port? Maybe I don't understand how ports or iptables work exactly. I do see that the INPUT and OUTPUT chains in iptables are empty when I do an iptables -L.

Oh, btw, ftp doesn't even work until I do
Code:
service vsftpd start
I haven't set ftp to start automatically when the server boots as added security.

The reason I need to really understand how this works is because I am writing a tutorial for other n00bs like me to get their Meteor app running on VPS since I had a hard time figuring it out and I don't wanna put any info out there that will compromise the security of anyone following my tutorial who is also just starting out with Linux and running their own servers.
 
Old 01-26-2015, 07:45 PM   #4
jlinkels
Senior Member
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,523

Quote:
Originally Posted by kamal93
OK, I wasn't sure whether -F unblocks everything or by clearing the iptables rules, blocks everything. Thanks for clearing that up.

So, why is it that when I do a port scan, it shows that most ports are blocked, except port 80 and the ssh port? Maybe I don't understand how ports or iptables work exactly. I do see that the INPUT and OUTPUT chains in iptables are empty when I do an iptables -L.
I am not sure the ports are really blocked. I think that there is simply no service running listening to those ports.

Do a
Code:
netstat -a | grep tcp
and I expect just port 22 and 80 LISTENing.

iptables sits between your eth0 interface and all those tcp or udp processes. And then really blocks traffic from eth0 to a port, depending on a lot of parameters. Usually a server which is connected to the internet does not even have iptables running if it does not do port forwarding. Such a server is simply configured not to have any services running which are not needed.

It is normal that nothing listens to an FTP port if FTP is not started. As per the last sentence in the paragraph above.

I can't explain iptables in this post, but I'd recommend some reading on iptables and firewalls. This one is not too bad: http://www.thegeekstuff.com/2011/01/...-fundamentals/

But read carefully and let it sink in. It is not that easy.

jlinkels
 
Old 01-26-2015, 07:51 PM   #5
kamal93
LQ Newbie
Registered: Jan 2015
Location: Planet Earth
Distribution: CentOS
Posts: 4
Original Poster

Thanks again. I will read the info you provided and post back if I have specific questions.

Well, one thing real quick. If I have to do iptables -F to get things to work, is that a BIG NO NO? I mean, as I said, I am writing a tutorial for others; if I am telling them they have to do this to get their Meteor app running on their own VPS, am I spreading evil? It's cool, you can be honest and let me have it straight.
 
Old 01-26-2015, 08:53 PM   #6
descendant_command
Senior Member
Registered: Mar 2012
Posts: 1,486

Well, you are turning off the firewall.
That in itself is neither good nor evil.

Some people rely on a firewall to restrict access to running services on their box.
Personally, I think it is better to not run unnecessary services, or to restrict the interfaces that they listen on.

You would probably be better off advising your readers to add a rule to ALLOW the necessary ports for your app.
 
Old 01-26-2015, 10:08 PM   #7
vincix
Member
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 683

Quote:
Originally Posted by kamal93
Thanks again. I will read the info you provided and post back if I have specific questions.

Well, one thing real quick. If I have to do iptables -F to get things to work, is that a BIG NO NO? I mean, as I said, I am writing a tutorial for others; if I am telling them they have to do this to get their Meteor app running on their own VPS, am I spreading evil? It's cool, you can be honest and let me have it straight.
I'd say you shouldn't suggest turning off iptables. That can obviously be quite a big security problem, especially with bots or other automated systems that can brute-force (ssh etc.) and so on. You should read a little about the basics of iptables first. (As an aside: in CentOS 7, iptables was replaced by firewalld, but I guess someone installed iptables back on that VPS, which is not a bad thing at all; I've done it myself because I'm more familiar with it.)

If you're not doing any NAT, then you should only be interested in the INPUT and OUTPUT chains, which you can see with the iptables -vnL INPUT and iptables -vnL OUTPUT commands. But there's too much explanation to do to be able to write in a single post about it, as previously said. So if you want to know stuff about iptables, you can ask some other specific questions to which you might get answers.
 
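A small audit check, added here as an example and not written by any poster in this thread, that reads iptables-save output (two constructed samples below; 2222 is a placeholder for the OP's non-default SSH port) and reports whether the INPUT chain is actually filtering anything or has been left wide open the way iptables -F leaves it, next to what an explicit ALLOW-rule setup as suggested in posts #6 and #7 looks like:

```python
import re

# Constructed sample: what a freshly rebooted host looks like once "iptables -F"
# has run from rc.local (every policy ACCEPT, not a single rule left).
FLUSHED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: the same host with explicit ALLOW rules for HTTP and a
# non-default SSH port (2222 is a placeholder), everything else dropped by policy.
RESTRICTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def audit_input_chain(dump):
    """Return (policy, accepted_tcp_ports, effectively_open) for the filter
    table's INPUT chain; effectively_open means policy ACCEPT with no rules,
    the state "iptables -F" leaves, where only the listening services decide
    which ports answer."""
    policy, ports, rules, in_filter = None, [], 0, False
    for line in dump.splitlines():
        if line.startswith("*"):              # table header, e.g. *filter or *nat
            in_filter = (line == "*filter")
            continue
        if not in_filter:
            continue
        m = re.match(r":INPUT (\w+)", line)   # chain policy line
        if m:
            policy = m.group(1)
        elif line.startswith("-A INPUT"):     # a rule appended to INPUT
            rules += 1
            m = re.search(r"-p tcp .*--dport (\d+) -j ACCEPT$", line)
            if m:
                ports.append(int(m.group(1)))
    return policy, ports, policy == "ACCEPT" and rules == 0
```

On a live box, feed it the real dump with `audit_input_chain(subprocess.check_output(["iptables-save"]).decode())` and the third value tells you whether the firewall is still doing anything after boot.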