Linux - Newbie forum, LinuxQuestions.org
I am running a Virtual Server, and I needed to have port 587 open and accepting SMTP connections, because my new ISP will block port 25.
I wasn't sure how to go about this, so I edited /etc/services. My port 465 was accepting mail connections, so in this list, I simply changed that number from 465 to 587. 587 was on the list already of course, but wasn't accepting connections from the outside. So I now have three port 587s in the list.
I wanted to know if this is kosher - are there any problems that could arise from me having done this? I wasn't sure how else to go about getting port 587 working. Any info is greatly appreciated!!
Changing /etc/services doesn't open or close a port. You should change it back the way it was.
To open a port, you must start a service that listens on that port. You can check to see what's listening on what port by executing
# netstat --proto=inet -pnl
To unblock a port, you must modify iptables (firewall) rules. There are two ways to do it.
(1) In FC4, the relevant file is /etc/sysconfig/iptables. If you want to make port 587 available to the planet, add the following line to that file.
-A INPUT -p tcp --dport 587 -j ACCEPT
After saving the file, execute
# service iptables restart
*** OR ***
(2) Use the security level gui tool under Desktop->System Tools. (I think that's the submenu name. I'm not sitting in front of my FC4 machine at the moment.) You can add individual ports in the bottom window of the Firewall tab.
Hi, thanks for the info! Why is it not a good idea to just modify /etc/services? It worked, and I also see the port open. When I change services back, the port is no longer there.
As for the iptables, all I see is iptables-config, and that's it.
What I did do first was to change the port I changed from 465 to 587 back to 465. Then I did:
cp smtp_psa smtp_additional
and changed the first line to "service submission"
and then restarted xinetd
After, I did
netstat --proto=inet -pnl
and lo and behold, the port is open and seems to be accepting connections (of course I can't fully check to see if the emails go out, since my server passes everything through the SBL & XBL, and the dynamic IP address that's currently assigned to me by my ISP is listed in there, so my server won't accept my email!)
Thanks a lot for your tips and info on iptables and the netstat command, I really appreciate it!!
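The reason the renamed xinetd entry worked, and the reason the reply below warns against editing the file, is the lookup behind it: xinetd resolves a service name to a port through /etc/services when the configuration gives no port, and that lookup returns the first matching line. The following is an added example (not code from the thread): a first-match lookup in the style of getservbyname/getservbyport run over a constructed /etc/services excerpt that reproduces the edit described above (the smtps line renumbered from 465 to 587).

```sh
#!/bin/sh
# Added example, not from the thread: a first-match lookup in the style of
# getservbyname(3)/getservbyport(3) over an /etc/services-style table. The
# table is a constructed excerpt that reproduces the edit described above
# (the smtps line renumbered from 465 to 587), not a real /etc/services.

SERVICES_EDITED='smtp         25/tcp    mail
smtps       587/tcp          # was 465/tcp; renumbered by hand
submission  587/tcp    msa
submission  587/udp    msa'

# service_port NAME PROTO TABLE: port of the first line whose name or alias is NAME.
# This is the lookup xinetd does for "service <name>" when no port is given.
service_port() {
    printf '%s\n' "$3" | awk -v name="$1" -v proto="$2" '
        { sub(/#.*/, "") }           # strip comments, then skip empty lines
        NF < 2 { next }
        {
            split($2, pp, "/")       # pp[1] = port, pp[2] = protocol
            if (pp[2] != proto) next
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == name) { print pp[1]; exit }
        }'
}

# port_service PORT PROTO TABLE: name of the first line mapped to PORT/PROTO.
# Tools that label port numbers with names get the first match, so duplicate
# entries silently change what a port is called.
port_service() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && $2 == (port "/" proto) { print $1; exit }'
}

printf 'smtps      -> tcp/%s  (a "service smtps" entry now binds 587, not 465)\n' "$(service_port smtps tcp "$SERVICES_EDITED")"
printf 'submission -> tcp/%s\n' "$(service_port submission tcp "$SERVICES_EDITED")"
printf 'tcp/587    -> %s  (first match wins, so 587 is now reported as smtps)\n' "$(port_service 587 tcp "$SERVICES_EDITED")"
printf 'tcp/465    -> "%s"  (nothing maps to 465 any more)\n' "$(port_service 465 tcp "$SERVICES_EDITED")"
```

Swapping the constructed table for the real file (`"$(cat /etc/services)"`) shows what any name-based lookup on the host currently returns.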
The services file is the canonical mapping between services and their IANA-assigned port numbers and protocol types. It's not advisable to modify it, especially ports below 1024, unless you absolutely have to, because it may cause certain services to fail that rely upon the IANA mapping. The 'services' manpage provides details. If it works for you though, then hey, it's okay, but it's a somewhat unorthodox way to go about it and it may (emphasis on "may") cause you problems in the future if you run a service that needs the port you've assigned to something else.
I'm not sure what distribution you're running, but if all you see in /etc/sysconfig is iptables-config, your firewall may not be active. But again, my familiarity lies with Redhat and Fedora, not other distros, and those other distros may squirrel the iptables rules file somewhere else. Irrespective of the distro, to examine the current iptables configuration, run
# /sbin/iptables -L
If your firewall is turned off, you'll see something like this:
I can't tell from your uname string what distribution you're running. Do you know?
Is there an "iptables" script in /etc/rc.d/init.d?
Is this machine being used as a NAT router? Execute
# cat /proc/sys/net/ipv4/ip_forward
If it returns 0, it's not forwarding packets. If it returns 1, it is, and you can't use the simple firewall rules below.
If your machine isn't forwarding packets, here's a simple iptables firewall script from http://electron.mit.edu/~gsteele/firewall/ . Save it to a file and modify or add to the "dport" options below to unblock the ports you want access to.
#!/bin/sh
# Load needed kernel modules (ip_conntrack_ftp is what the RELATED rule
# below relies on for passive-mode FTP)
modprobe ip_conntrack_ftp
# Clear any existing firewall stuff before we start (filter, nat and mangle
# tables), so re-running the script does not append duplicate rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
# Allow all incoming traffic if it is coming from the local loopback device
iptables -A INPUT -i lo -j ACCEPT
# Related and established connections: see
# Accept all incoming traffic associated with an established
# connection, or a "related" connection
# This will automatically handle incoming UDP traffic associated with
# DNS queries, as well as PASSIVE mode FTP (provided the
# ip_conntrack_ftp module is loaded)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow connections on selected ports to the firewalled computer:
# 22 ssh
# 80 web
# 25 smtp (mail)
# (add one line per extra port, e.g. 587 for mail submission)
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -m state --state NEW -j ACCEPT
# Allow icmp input so that people can ping us
iptables -A INPUT -p icmp -j ACCEPT
# Logging: first, eliminate any packets that are going to broadcast
# addresses, since they will overwhelm the log files if there are any
# windows computers on our network. Also, don't log pesky multicast
# packets that we block (224.0.0.0/4 is the whole IPv4 multicast range).
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
# Log all other blocked packets, and change DROP to REJECT to be
# polite and allow people connecting to a blocked port to receive a
# "connection refused" message instead of timing out after 30 seconds.
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
Let me know the answers to the questions above before going much further.
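The two replies above separate "a daemon listens on the port" (netstat) from "the firewall lets new connections reach it" (iptables). As an added example, not code from the thread, the script below combines both checks into one port_state function; it reads netstat --proto=inet -pnl output and iptables-save output, and both inputs here are constructed samples rather than captures from a real host (the iptables sample is what the firewall script above produces before port 587 is added).

```sh
#!/bin/sh
# Added example, not from the thread: classify a TCP port as closed (no
# listener), filtered (listener, but INPUT blocks it) or open, from netstat
# and iptables-save text. Both inputs below are constructed samples.

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1500/xinetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1600/mysqld'

# Filter table as the script above builds it, before a port 587 rule is added.
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 25 -j ACCEPT
COMMIT'

# is_listening PORT NETSTAT_TEXT: true if a TCP socket bound to a non-loopback
# address is in LISTEN state on PORT. A socket bound only to 127.0.0.1 does not count.
is_listening() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            p = $4;    sub(/.*:/, "", p)
            if (p == port && addr !~ /^127\./) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# firewall_accepts PORT IPTABLES_TEXT: true if INPUT has an explicit ACCEPT rule
# for tcp/PORT or its policy is ACCEPT (a trailing REJECT under an ACCEPT policy
# is not modelled; the script above uses a DROP policy).
firewall_accepts() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^:INPUT ACCEPT/ { policy_ok = 1 }
        /^-A INPUT / && /-p tcp/ && / -j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { rule_ok = 1 }
        END { if (rule_ok || policy_ok) exit 0; exit 1 }'
}

# port_state PORT [NETSTAT_TEXT] [IPTABLES_TEXT]: prints closed, filtered or open.
port_state() {
    if ! is_listening "$1" "${2:-$NETSTAT_SAMPLE}"; then echo closed        # no daemon; /etc/services cannot change this
    elif ! firewall_accepts "$1" "${3:-$IPTABLES_SAMPLE}"; then echo filtered  # daemon present, INPUT chain blocks it
    else echo open
    fi
}

for p in 25 587 3306 465; do printf 'tcp/%s: %s\n' "$p" "$(port_state "$p")"; done
```

On a live host the same function runs as `port_state 587 "$(netstat --proto=inet -pnl)" "$(iptables-save)"`.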
I have a similar problem with port 623, which is assigned to asf-rmcp. My OS is RH AS 4. I'm sending ASF pings to it but it only returns ICMP code 10 (destination unreachable). The port is listed in the /etc/services file and I already configured iptables to accept all packets going to port 623. I haven't tried nmap and netstat yet to check if there is a service listening. I'm assuming that the port is closed since it's returning an ICMP (destination unreachable) packet, so how can I open the port? Is there a specific command for it or should I reconfigure a file? Thanks in advance.