LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1 hsnanua (Member), 09-22-2011, 11:28 PM
ssh deeper


Dear all,

This is quite a peculiar problem.

I have my iptables as below. I wish to open port 5600 but somehow nothing happens. I want to ssh into the port, but no use.

Please help

Code:
# Generated by iptables-save v1.3.5 on Thu Dec 16 10:40:00 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104956494:7410857183]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -d 172.30.232.135 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.30.232.136 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 83.96.144.9 -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2675 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2677 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2135 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2136 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 47122 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3668 -j ACCEPT

# Allow port 80 only when accessed from the cluster
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT

# Only allow port 80 from outside the cluster to the web server
-A RH-Firewall-1-INPUT -d 195.88.18.13 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 195.88.18.12 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 195.88.18.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 195.88.18.8  -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 195.88.18.8  -p tcp -m state --state NEW -m tcp --dport 47122 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 195.88.18.8  -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT

# MySQL access from outside the cluster to the reporting server
-A RH-Firewall-1-INPUT -d 195.88.18.13 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

# -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A RH-Firewall-1-INPUT -d 10.103.4.40 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Dec 16 10:40:00 2010
# Generated by iptables-save v1.3.5 on Thu Dec 16 10:40:00 2010
*nat
:PREROUTING ACCEPT [58628481:16860954476]
:POSTROUTING ACCEPT [133127:10110394]
:OUTPUT ACCEPT [34649975:2081168594]
#-A PREROUTING -d 195.88.18.200 -i bond0.18 -p tcp -j DNAT --to-destination 10.103.4.40
-A POSTROUTING -s 10.103.0.0/255.255.0.0 -j MASQUERADE
COMMIT
Netstat:

Code:
[root@lb-01 sysconfig]# netstat -an |grep LISTEN
tcp        0      0 127.0.0.1:8001              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8002              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8003              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8004              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8880                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2675                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2676                0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:53               0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:22               0.0.0.0:*                   LISTEN
tcp        0      0 :::1311                     :::*                        LISTEN
Code:
[root@lb-01 sysconfig]# ssh 195.88.18.8 -p 5600
ssh: connect to host 195.88.18.8 port 5600: Connection refused
Thanks
 
#2 acid_kewpie (Moderator), 09-23-2011, 01:26 AM
What's peculiar about this? I don't see any reason at all why this should work.

1) There is nothing listening on port 5600.
2) There are no iptables rules about 5600 at all.

Why would you expect this to work? That's all assuming that this box IS 195.88.18.8 in the first place... is that right? You've said nothing useful about your system / environment. Just dumping random command outputs is not exactly useful.
 
#3 hsnanua (Original Poster), 09-23-2011, 02:06 AM
Apologies... I am looking for port 5900, not 5600... typo.
 
#4 acid_kewpie (Moderator), 09-23-2011, 03:03 AM
OK, well, point 1 still stands.
 
#5 hsnanua (Original Poster), 09-23-2011, 03:14 AM
I tried to telnet into 195.88.18.8 port 5900, but to no avail. How do I make it listen? I mean, based on the iptables, it should be open, right?

Thanks
 
#6 acid_kewpie (Moderator), 09-23-2011, 03:15 AM
You need something to be there. I'm guessing VNC here? You do not "open" ports with iptables, you stop them being dropped. Nothing will ever magically happen by iptables permitting traffic.
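As an added example, not part of acid_kewpie's reply or any other post in this thread: a small shell check that runs over the outputs already posted above and says, per port, whether the firewall or a missing listener is the reason a connection fails. The sample data is a trimmed copy of the netstat and iptables-save output from the first post; nothing else about the setup is assumed. One thing the posted transcript already tells you: a chain that ends in REJECT --reject-with icmp-host-prohibited makes the client report "No route to host", so the "Connection refused" in the first post is a TCP reset from a kernel that has no socket on that port, not a firewall verdict.

```shell
#!/bin/sh
# Added example (not from any post in this thread): tell "blocked by iptables"
# apart from "nothing is listening" before touching the firewall.
# The two samples are trimmed copies of the netstat and iptables-save output
# posted in this thread; no address or port here is invented.

NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:8001              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8880                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2675                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2676                0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:53               0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:22               0.0.0.0:*                   LISTEN
tcp        0      0 :::1311                     :::*                        LISTEN'

IPTABLES_SAMPLE='-A RH-Firewall-1-INPUT -d 172.30.232.135 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2675 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2677 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 47122 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3668 -j ACCEPT
-A RH-Firewall-1-INPUT -d 195.88.18.8  -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# listening_on NETSTAT_TEXT IP PORT
# Succeeds if a LISTEN socket would accept a SYN for IP:PORT: bound to the
# IPv4 wildcard, to the IPv6 wildcard (assumes the Linux default
# net.ipv6.bindv6only=0, so :: also takes IPv4), or to exactly IP.
# A socket bound only to 10.103.0.1 does not answer for 195.88.18.8.
listening_on() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        $NF == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "0.0.0.0" || addr == "::" || addr == ip))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# accept_rule_for IPTABLES_TEXT PORT
# Succeeds if an uncommented TCP ACCEPT rule names --dport PORT.
# Deliberately ignores -s/-d qualifiers and rule order: a hit only means
# "some rule mentions this port", which is all a static dump can tell you.
accept_rule_for() {
    printf '%s\n' "$1" | grep -v '^#' | grep -- '-p tcp' \
        | grep -E -- "--dport $2"'( |$)' | grep -q -- '-j ACCEPT'
}

# diagnose NETSTAT_TEXT IPTABLES_TEXT IP PORT
# The return code is the verdict; the message says what a remote client sees
# against a chain that ends in REJECT --reject-with icmp-host-prohibited:
#   0  ACCEPT rule and listener both present
#   1  listener, but no ACCEPT rule  -> REJECT, client: "No route to host"
#   2  ACCEPT rule, but no listener  -> kernel RST, client: "Connection refused"
#   3  neither
diagnose() {
    ns=$1; ipt=$2; ip=$3; port=$4
    l=0; r=0
    listening_on "$ns" "$ip" "$port" && l=1
    accept_rule_for "$ipt" "$port" && r=1
    case "$l$r" in
        11) echo "$ip:$port: allowed and listening; look at routing or the client"; return 0 ;;
        10) echo "$ip:$port: listening but no ACCEPT rule; REJECT answers, client sees 'No route to host'"; return 1 ;;
        01) echo "$ip:$port: iptables allows it but nothing listens; kernel sends RST, client sees 'Connection refused'"; return 2 ;;
        *)  echo "$ip:$port: neither an ACCEPT rule nor a listener"; return 3 ;;
    esac
}

# Walk the ports the thread asks about against the posted outputs.
for p in 5600 5900 22 47122 80 2676; do
    diagnose "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE" 195.88.18.8 "$p" || :
done
```

Run against the posted outputs, it reports 5900, 22 and 47122 alike as "allowed but nothing listens", which matches the refusals in the thread and also means that whatever accepts ssh on 195.88.18.8:47122 is not a socket visible in the lb-01 netstat shown here. Because the check only asks whether some rule mentions the port, confirm on the real box with iptables -L -n -v --line-numbers and watch which rule's packet counter moves while you connect.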
 
#7 hsnanua (Original Poster), 09-23-2011, 05:02 AM
ssh deeper

Dear all,

A simple question here.

I have a cluster of servers in my farm...

Load Balancer
|
|
application server


I would like to do some GUI maintenance on the server, which is on 195.88.18.8 on port 5900. However, when I go to my browser and key in 195.88.18.8:5900... I get denied!

I added the port to the iptables rules on the load balancer...

Still nothing...

Below is the iptables:

Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2677 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2135 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2136 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 47122 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT

-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Allow port 80 only when accessed from the cluster
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.103.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT

# Only allow port 80 from outside the cluster to the web server
-A RH-Firewall-1-INPUT -d 195.88.18.13 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 195.88.18.12 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Code:
[root@lb-01 sysconfig]# /etc/init.d/sshd status
openssh-daemon (pid  2889) is running...
Code:
[root@lb-01 sysconfig]# netstat -an | grep LISTEN
tcp        0      0 127.0.0.1:8001              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8002              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8003              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8004              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8880                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2675                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2676                0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:53               0.0.0.0:*                   LISTEN
tcp        0      0 10.103.0.1:22               0.0.0.0:*                   LISTEN
tcp        0      0 :::1311                     :::*                        LISTEN
Help me

 
#8 druuna (LQ Veteran), 09-23-2011, 07:40 AM
Hi,

There is an iptables entry for port 5900, which seems to be correct (run iptables -L to check, after restarting iptables). But.....

Looking at the netstat output, there is nothing listening on port 5900. Did you forget to start the associated service?

Hope this helps.

 
#9 etech3 (Senior Member), 09-23-2011, 07:41 AM
Quote:
I would like to do some GUI maintenance on the server, which is on 195.88.18.8 on port 5900. However, when i go on my browser and key in 195.88.18.8:5900... i get denied!....
You do have ssh server and client installed on each machine?

Do you have apache installed?

What about webmin?

GUI on the server? Just use the command line.

Port 5900 is VNC, did you set up VNC with passwords? Did you install VNC on all machines?

 
#10 druuna (LQ Veteran), 09-23-2011, 07:47 AM
@hsnanua

I just noticed this: port dead

Cross-posting is against the LQ rules.
 
#11 Lexus45 (Member), 09-23-2011, 08:24 AM
There's nothing listening on the 5900 port.
 
#12 hsnanua (Original Poster), 09-23-2011, 09:15 AM
Hi,

Apologies, the issue is somewhat different. But how can I delete the previous post? I wish to close that one.

Anyway, I'll try to explain again in a better, more graphical way.

I have my load balancer. Behind the load balancer is the application server, which contains a PHP GUI application. The application server does not have a public IP.

A host from outside needs to access this application, but first has to pass through the load balancer. I opened (allowed) port 5900 to come in.

The IP of the cluster is 195.88.18.8

So, from my web browser, I key in

http://195.88.18.8:5900/application-gui

But nothing: denied.

It's not even listening on the port.

Help me
 
#13 hsnanua (Original Poster), 09-23-2011, 09:41 AM
In addition, using the open-port checker at

http://www.yougetsignal.com/tools/open-ports/

my port is closed:
Port 5900 is closed on 195.88.18.8.

Arggh... it shouldn't be.

Help help help
 
#14 hsnanua (Original Poster), 09-23-2011, 10:12 AM
Another point is that ssh does get in on port 47122.

For example:

Code:
ssh -l root 195.88.18.8 -p 47122
is OK, but

Code:
ssh -l root 195.88.18.8 -p 5900
is refused.

I am seeing that the rules are the same in iptables, and in sshd_config there is nothing about these ports.

Am I missing a step?
 
#15 hsnanua (Original Poster), 09-23-2011, 11:14 AM
In addition, I created a PHP script to use port 5900.

I run the script on the app server.
Then on the load balancer I did a netstat, and port 5900 is not listening.

I am at my wits' end here.
Help
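As an added example, not part of hsnanua's post or any reply in this thread: the commands a load balancer needs before a port on a private application server can be reached through the balancer's public address. An INPUT-side ACCEPT is for sockets on the balancer itself; a service on the application server needs a DNAT in nat/PREROUTING plus a FORWARD accept. The posted FORWARD chain jumps straight into RH-Firewall-1-INPUT, which ends in REJECT, so that accept has to be inserted ahead of the jump, not appended. Once the DNAT is in place the destination is rewritten before routing, which is why netstat on the balancer will never list port 5900 even when everything works; the listener lives on the application server. The posted nat table contains a commented-out DNAT towards 10.103.4.40 on bond0.18; that address and interface are reused here only as placeholders, not as known facts about the setup.

```shell
#!/bin/sh
# Added example, not from any post in this thread: publish a service that runs
# on the private application server through the load balancer's public address.
# Assumptions (placeholders, not facts from the thread): the application
# server is 10.103.4.40 and the public-facing interface is bond0.18.

IPTABLES=${IPTABLES:-iptables}   # point this at a recording shim for a dry run
SYSCTL=${SYSCTL:-sysctl}

# forward_port PUBLIC_IP PORT BACKEND_IP [BACKEND_PORT] [IFACE]
# Adds the two rules a DNAT needs in the posted ruleset. Reply packets are
# already covered by the RELATED,ESTABLISHED accept in RH-Firewall-1-INPUT,
# which the FORWARD chain jumps into.
forward_port() {
    pub=$1; port=$2; backend=$3; bport=${4:-$2}; iface=${5:-bond0.18}

    # 1. nat/PREROUTING: rewrite the destination of new inbound connections
    #    before the routing decision, so they are forwarded, not delivered
    #    to a (non-existent) local socket.
    "$IPTABLES" -t nat -A PREROUTING -i "$iface" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$backend:$bport" || return 1

    # 2. filter/FORWARD: the posted table has "-A FORWARD -j RH-Firewall-1-INPUT"
    #    and that chain ends in REJECT, so an appended rule is never reached.
    #    Insert at position 1 so the NEW SYN to the backend is accepted first.
    "$IPTABLES" -I FORWARD 1 -i "$iface" -d "$backend" -p tcp --dport "$bport" \
        -m state --state NEW -j ACCEPT || return 1
}

# enable_forwarding: a host that does not forward silently drops DNAT'd
# packets. The backend must also route its replies back through this host
# (its default gateway), or the client only ever sees half a handshake.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null
}

# Apply only when explicitly asked, so the file can be sourced or dry-run.
case "${1:-}" in
    apply)
        enable_forwarding && forward_port 195.88.18.8 5900 10.103.4.40
        ;;
esac
```

Run it on the balancer as sh forward.sh apply (hypothetical filename) and test from a host outside the cluster: a connection made on the balancer itself takes the OUTPUT path, not PREROUTING, and is not translated. If the handshake stalls, check net.ipv4.ip_forward and the application server's default route; conntrack -L on the balancer shows whether the DNAT entry was created for the connection.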
 
  

