LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-02-2004, 01:29 PM   #1
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Rep: Reputation: 15
how to open ports with iptables


Hey,

I have a machine running fedora core2 and i am planning on installing qmail...part of the qmail installation requires to have certian ports open:

Outbound ports (tcp)

25 - SMTP
110 - POP services
143 - IMAP
783 - Spamassassin
993 - IMAPS

Inbound Ports (tcp)

25 - SMTP
80 - HTTP
110 - POP services
143 - IMAP
443 - HTTPS
783 - Spamassassin
993 - IMAPS

I ran nmap on my ip and got these results:

Starting nmap 3.50 at 2004-10-03 02:20 CDT
sendto in send_tcp_raw: sendto(3, packet, 40, 0, xxx.xxx.xxx.xxx, 16) => Operation not permitted
Interesting ports on xxx.xxx.xxx.xxx.lem-bsr1.chi-lem.il.cable.rcn.com (xxx.xxx.xxx.xxx):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http

FIrst of all what does this mean:
sendto in send_tcp_raw: sendto(3, packet, 40, 0, xxx.xxx.xxx.xxx, 16) => Operation not permitted

its repeats about 30 times and then finally displays the open ports....

I tried to run the follow command:

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

and ran service iptables save

then ran nmap again to see if port 25 would show but it doesnt..

and i missing something?

THanks,

Lenny
 
Old 10-02-2004, 01:46 PM   #2
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Rep: Reputation: 30
Hi,

nmap only shown ports as "open" when (1) iptables allows traffic to that port and (2) some server program is actually listening on that port -- so to see if port 25 is reachable you should first run the qmail server and only then run nmap to see if it can reach the port. Then it will show either "open" or "filtered".

cheers,
nukkel

P.S. those sendto errors -- I get them too sometimes, don't know exectly what triggers them though.
 
Old 10-19-2004, 08:52 AM   #3
Josep Lladonosa
LQ Newbie
 
Registered: Oct 2004
Distribution: debian
Posts: 1

Rep: Reputation: 1
In a working environment with iptables, it is supposed that
there are rules to accept traffic, and last rule to deny all.
If that is your case, by adding a new rule with -A,
what you do is to put the new rule AFTER the 'denyying all' rule, so it is never checked.

iptables -I INPUT -p tcp --dport 25 -j ACCEPT

Then, you can save rules as the new rule is in the correct place.

Another problem appears if the firewalling machine is also doing NAT. Then, to make ftp work, an iptables module must be loaded, as ftp (active) is an stateful protocol.
If not, make clients to use passive ftp.
 
1 members found this post helpful.
Old 06-16-2014, 02:43 PM   #4
pburwell
LQ Newbie
 
Registered: Jun 2010
Location: PA, USA | NJ, USA
Distribution: CentOS 6
Posts: 20

Rep: Reputation: 0
Quote:
Originally Posted by Josep Lladonosa View Post
In a working environment with iptables, it is supposed that
there are rules to accept traffic, and last rule to deny all.
If that is your case, by adding a new rule with -A,
what you do is to put the new rule AFTER the 'denyying all' rule, so it is never checked.

iptables -I INPUT -p tcp --dport 25 -j ACCEPT

Then, you can save rules as the new rule is in the correct place.

Another problem appears if the firewalling machine is also doing NAT. Then, to make ftp work, an iptables module must be loaded, as ftp (active) is an stateful protocol.
If not, make clients to use passive ftp.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
 
Old 06-17-2014, 03:20 AM   #5
jacksonking112
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Rep: Reputation: Disabled
CentOS has an extremely powerful firewall built in, commonly referred to as iptables, but more accurately is iptables/netfilter. Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables. Netfilter is a kernel module, built into the kernel, that actually does the filtering. There are many GUI front ends for iptables that allow users to add or define rules based on a point and click user interface, but these often lack the flexibility of using the command line interface and limit the users understanding of what's really happening.
 
Old 07-01-2014, 12:52 PM   #6
mcresist
LQ Newbie
 
Registered: Jun 2014
Location: Michigian
Distribution: CentOS5/6/7
Posts: 13

Rep: Reputation: 3
Quote:
Originally Posted by lsimon4180 View Post

FIrst of all what does this mean:
sendto in send_tcp_raw: sendto(3, packet, 40, 0, xxx.xxx.xxx.xxx, 16) => Operation not permitted

its repeats about 30 times and then finally displays the open ports....
Are you running nmap as a user without elevated privileges ? I believe nmap requires elevated privileges to be able to open a raw connection.
 
Old 07-07-2014, 03:59 AM   #7
anindyameister
Member
 
Registered: Oct 2012
Posts: 40

Rep: Reputation: Disabled
You can insert a rule by mentioning position instead of appending by using -I instead of -A.

From Fedoraproject:

Code:
 Inserting Rules

Create a Rule at the top (first) position:

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

The number given after the chain name indicates the position before an existing Rule. So, for example, if you want to insert a Rule before the third rule you specify the number 3. Afterward, the existing Rule will then be in the fourth position in the chain.
 
Old 07-07-2014, 02:06 PM   #8
baldur_1
Member
 
Registered: Sep 2010
Posts: 51

Rep: Reputation: 5
i have been using linux for many years now, 15 i think. i used to use iptables and was always very frustrated. one thing i would seriously consider it changing to shorewall. it is so, SO much easier to configure and still uses ipchains for protection. once i switched and took a few minutes to understand it, i have never had firewall issues since!!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How can I open up ports in iptables? ekerik Linux - Networking 13 10-07-2009 11:00 AM
Open All Ports - iptables Artik Linux - Networking 2 06-21-2005 03:17 PM
ports open with iptables saugato Linux - Security 3 04-19-2005 01:31 AM
open ports with iptables? tykkea811 Linux - Networking 2 12-12-2004 01:43 AM
Iptables: Open some ports! Abomm Linux - Networking 2 05-31-2002 01:49 AM


All times are GMT -5. The time now is 08:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration