Openning ports

ziphem · 07-15-2005, 10:07 AM

I am running a Virtual Server, and I needed to have port 587 open and accepting SMTP connections, because my new ISP will block port 25.

I wasn't sure how to go about this, so I edited /etc/services. My port 465 was accepting mail connections, so in this list, I simply changed that number from 465 to 587. 587 was on the list already of course, but wasn't accepting connections from the outside. So I now have three port 587s in the list.

I wanted to know if this is kosher - are there any problems that could arise from me having done this? I wasn't sure how else to go about getting port 587 working. Any info is greatly apprecaited!!

Thanks!!

Solvaut · 07-15-2005, 12:30 PM

if you get this problem fixed please pm me on how you open it up i have a similar problem i want to open a port on my server 12220

jcliburn · 07-15-2005, 01:23 PM

Changing /etc/services doesn't open or close a port. You should change it back the way it was.

To open a port, you must start a service that listens on that port. You can check to see what's listening on what port by executing

Code:

# netstat --proto=inet -pnl

To unblock a port, you must modify iptables (firewall) rules. There are two ways to do it.

(1) In FC4, the relevant file is /etc/sysconfig/iptables. If you want to make port 587 available to the planet, add the following line to that file.

Code:

-A INPUT -p tcp --dport 587 -j ACCEPT

After saving the file, execute

Code:

# service iptables restart

*** OR ***

(2) Use the security level gui tool under Desktop->System Tools. (I think that's the submenu name. I'm not sitting in front of my FC4 machine at the moment.) You can add individual ports in the bottom window of the Firewall tab.

ziphem · 07-15-2005, 05:20 PM

Hi, thanks for the info! Why is it not a good idea to just modify the etc/services, it worked? I also see the port open. When I change services back, the port is no longer there.

As for the iptables, all I see is iptables-config, and that's it.

What I did do first was to change the port I changed from 465 to 587 back to 465. Then I did:

cd /etc/xinetd.d
cp smtp_psa smtp_additional
vim smtp_additional
and changed the first line to "service submission"
and then restarted xinetd

After, I did

netstat --proto=inet -pnl

and lo and behond, the port is open and seems to be accepting connections (of course I can't fully check to see if it the emails go out, since my server passes everything through the SBL & XBL, and my dynamic IP address that's currently assigned to me by my ISP is listed in there, so my server won't accept my email!)

Thanks a lot for your tips and info on the IP tables and Netstat command, I really appreciate it!!

jcliburn · 07-15-2005, 08:56 PM

The services file is the canonical mapping between services and their IANA-assigned port numbers and protocol types. It's not advisable to modify it, especially ports below 1024, unless you absolutely have to, because it may cause certain services to fail that rely upon the IANA mapping. The 'services' manpage provides details. If it works for you though, then hey, it's okay, but it's a somewhat unorthodox way to go about it and it may (emphasis on "may") cause you problems in the future if you run a service that needs the port you've assigned to something else.

I'm not sure what distribution you're running, but if all you see in /etc/sysconfig is iptables-config, your firewall may not be active. But again, my familiarity lies with Redhat and Fedora, not other distros, and those other distros may squirrel the iptables rules file somewhere else. Irrespective of the distro, to examine the current iptables configuration, run

Code:

# /sbin/iptables -L

If your firewall is turned off, you'll see something like this:

Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm not familiar with the virtual server you're running either, or the mail agent you're working with, so I'll bow out and let someone else more knowledgeable in those areas offer assistance.

ziphem · 07-16-2005, 12:37 PM

Hi, thanks for responding to my posts. Eek, I realized that maybe I don't have the IP tables setup, I thought it came fully operating when I got my server.

Since this is a BASH login to my server, can you recommend any easy-to-use text-based programs that I can use to configure IP Tables?

Thanks a ton!

jcliburn · 07-16-2005, 01:54 PM

First, run the following command and post the results here.

uname -a

ziphem · 07-16-2005, 04:25 PM

Linux localhost.localdomain 2.4.20-021stab022.1.777 #1 Sat Jun 26 17:05:57 MSD 2004 i686 i686 i386 GNU/Linux

jcliburn · 07-16-2005, 05:00 PM

I can't tell from your uname string what distribution you're running. Do you know?

Is there an "iptables" script in /etc/rc.d/init.d?

Is this machine being used as NAT router? Execute

Code:

# cat /proc/sys/net/ipv4/ip_forward

If it returns 0, it's not forwarding packets. If it returns 1, it is, and you can't use the simple firewall rules below.

If your machine isn't forwarding packets, here's a simple iptables firewall script from http://electron.mit.edu/~gsteele/firewall/ . Save it to a file and modify or add to the "dport" options below to unblock the ports you want access to.

Code:

#!/bin/bash

set -x

# Load needed kernel modules

modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall stuff before we start

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.

iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device

iptables -A INPUT -i lo -j ACCEPT

# Related and established connections: see
#  http://www.sns.ias.edu/~jns/security...conntrack.html
#
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
#
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the
# ip_conntrack_ftp module is loaded)

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections on selected ports to the firewalled computer:
#   22 ssh
#   80 web
#   25 smtp (mail)

iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -m state --state NEW -j ACCEPT

# Allow icmp input so that people can ping us

iptables -A INPUT -p icmp -j ACCEPT

# Logging: first, eliminate any packets that are going to broadcast
# addresses, since they will overwhelm the log files if there are any
# windows computers on our network. Also, don't log pesky multicast
# packets that we block.

iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Log all other blocked packets, and change DROP to REJECT to be
# polite and allow people connecting to a blocked port to receive a
# "connection refused" message instead of timing out after 30 seconds.

iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT

Let me know the answers to the questions above before going much further.

red_colt · 08-16-2005, 08:56 PM

hello,

i have a similar problem with port 623 which is assign to asf-rmcp. my OS is RH AS 4. i'm sending ASF pings to it but it only returns ICMP code 10 (Destination unreachable ). the port is listed in the /etc/services file and i already configured iptables to accept all packets going to port 623. i havent tried nmap and nstat yet to check if there is a service listening. i'm assuming that the port is closed since its returning an ICMP (Destination unreachable) packet so how can i open the port? is there a specific command for it or should i reconfigure a file? tnx in advance.

jcliburn · 08-17-2005, 08:14 AM

Run the following command to see what services are listening for inet connections.

Code:

netstat --proto=inet -pnl