Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


LinkBack Search this Thread
Old 11-05-2009, 07:41 AM   #1
Registered: Dec 2008
Posts: 41

Rep: Reputation: 15
FC8 iptables will not open port 81 for ISPConfig

Just finished installing ISPConfig. tried to open port 81 for https://host.domain.tld:81 and no dice. nmap -p81 shows closed as does nmap -p81 <public IP>. do i need to do something more than just /etc/init.d/iptables restart after modifying the config file??

tried to copy the line in iptables for ssh, and that didnt work. googled for another possible entry. the line in /etc/sysconfig/iptables right now is:

-A RH-Firewall-1-INPUT -p tcp -i eth0 --dport 81 --sport 1024:65535 -m state --state NEW -j ACCEPT

the last ACCEPT line seems to be just slightly more detailed in that it specifies src ports? i couldnt care less about src port. eventually i would like restrict access to port 81 to a couple public IP addresses, but for now i just need to get the port open!

iptables -L shows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:hosts2-ns state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

thanks in advance!
Old 11-05-2009, 08:41 AM   #2
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,770
Blog Entries: 4

Rep: Reputation: 697Reputation: 697Reputation: 697Reputation: 697Reputation: 697Reputation: 697
You're using nmap to see if you can find anything on port 81. However, that would be secondary. Port 81 could be wide open in firewalls from here to kingdome come but if you don't have anything LISTENing on port 81 nmap is not going to detect it.

So the first thing you need to do on the server itself is run "lsof -i :81" to see if it is LISTENing and if so on which interfaces (e.g. localhost? eth3? all?). If it is not LISTENing then you need to start the software that should be LISTENing (ISPConfig based on your post).

You're correct that the record you have is specifying source ports. You're record should look more like this to exclude source ports checking:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:hosts2-ns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
(By the way if you do iptables -nL you'll see the port number instead of the name "hosts2-ns".)

If you run iptables-save you'll see the line that was used to add what you have. You would then run iptables -D on the final icmp rule (it needs to be the last one - you'll readd it later). You then run iptables -D on the one that has your port 81 in it. Both these lines will currently have a "-A" in the iptables-save output - just change it to a -D.

You then re-add the lines with:
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Prior to doing this save /etc/sysconfig/iptables to a date stamped copy and also I like to save iptables-save to an iptables-save copy (e.g iptables-save.20091105). That way you'll know what it was before.

AFTER you do it run iptables-save >/etc/sysconfig/iptables. This will overwrite the original and insure the change is reflected on subsequent boots.
Old 11-05-2009, 08:49 AM   #3
Registered: Dec 2008
Posts: 41

Original Poster
Rep: Reputation: 15
crap...there is nothing listening. i've posted my ISPConfig install log (with possible errors) in the software forum.

i just tried this install on a virtual box FC8 and it was flawless--wonder what happened.

thanks for the extra information. lsof, iptables -nL, iptables-save, etc

thumbs up!


fc8, iptables, ispconfig

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
If I forward a port in iptables, does the port have to be open on the firewall? qwertyjjj Linux - Server 4 08-06-2009 09:22 AM
How to open a port without using iptables msteiner Linux - Networking 5 11-28-2007 02:23 PM
How to Open a Port in IPtables Doug Vitale Linux - Networking 4 10-14-2007 09:14 PM
Iptables - Port Won't Open stascrash Linux - Security 11 11-09-2006 10:39 AM
iptables won't allow ftp even with port 21 open. keithxl Linux - Security 12 05-22-2006 11:36 PM

All times are GMT -5. The time now is 06:33 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration