Old 12-24-2010, 03:53 AM   #1
TungstenX
LQ Newbie
 
Registered: Dec 2010
Posts: 2

Rep: Reputation: 0
iptables not opening port on centos


Hi all,

I'm trying to open port 119. I already have a few ports open. I've used webmin to open both incoming and outgoing ports.

iptables --list --numeric gives me:
Code:
...
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:119
...
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:119
...
The iptables config file looks like this:
Code:
...
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# nntp
-A INPUT -p tcp -m tcp --dport 119 -j ACCEPT
...
-A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# nntp
-A OUTPUT -p tcp -m tcp --dport 119 -j ACCEPT
...
But nmap -sT -PN localhost gives me:
Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-24 04:49 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 996 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
3128/tcp  open  squid-http
3306/tcp  open  mysql
10000/tcp open  snet-sensor-mgmt
I've restarted iptables, even rebooted the server.

Any ideas why it seems that iptables does not always open ports?

Best regards,
TX
 
Old 12-24-2010, 04:02 AM   #2
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166

Rep: Reputation: 10
Can you please provide the output of local listening interfaces using "netstat -l"?
 
Old 12-24-2010, 04:16 AM   #3
TungstenX
LQ Newbie
 
Registered: Dec 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 [xxxxx]:http *:*                         LISTEN
tcp        0      0 *:ndmp                      *:*                         LISTEN
tcp        0      0 [xxxxx].:ssh *:*                         LISTEN
tcp        0      0 *:squid                     *:*                         LISTEN
tcp        0      0 *:smtp                      *:*                         LISTEN
tcp        0      0 [xxxxx]:https *:*                         LISTEN
udp        0      0 *:filenet-tms               *:*
udp        0      0 *:filenet-rpc               *:*
udp        0      0 *:ndmp                      *:*
udp        0      0 *:icpv2                     *:*
udp        0      0 *:bootpc                    *:*
udp        0      0 *:mdns                      *:*
udp        0      0 *:filenet-nch               *:*
udp        0      0 *:mdns                      *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     4844   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     5522   /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     5553   @/var/run/hald/dbus-CuQxZOAahw
unix  2      [ ACC ]     STREAM     LISTENING     5552   @/var/run/hald/dbus-TGq4a4Va0g
unix  2      [ ACC ]     STREAM     LISTENING     5466   /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     5001   /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     5250   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     5257   private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     5261   private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     5265   private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     5269   private/defer
unix  2      [ ACC ]     STREAM     LISTENING     5273   private/trace
unix  2      [ ACC ]     STREAM     LISTENING     5277   private/verify
unix  2      [ ACC ]     STREAM     LISTENING     5281   public/flush
unix  2      [ ACC ]     STREAM     LISTENING     5285   private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     5289   private/proxywrite
unix  2      [ ACC ]     STREAM     LISTENING     5295   private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     5299   private/relay
unix  2      [ ACC ]     STREAM     LISTENING     5303   public/showq
unix  2      [ ACC ]     STREAM     LISTENING     5307   private/error
unix  2      [ ACC ]     STREAM     LISTENING     5311   private/retry
unix  2      [ ACC ]     STREAM     LISTENING     5315   private/discard
unix  2      [ ACC ]     STREAM     LISTENING     5319   private/local
unix  2      [ ACC ]     STREAM     LISTENING     5323   private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     5327   private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     5331   private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     5335   private/scache
unix  2      [ ACC ]     STREAM     LISTENING     5339   private/dovecot
unix  2      [ ACC ]     STREAM     LISTENING     7185   /var/run/lighttpd/php-fastcgi.socket-0
unix  2      [ ACC ]     STREAM     LISTENING     7188   /var/run/lighttpd/php-fastcgi.socket-1
unix  2      [ ACC ]     STREAM     LISTENING     7191   /var/run/lighttpd/php-fastcgi.socket-2
unix  2      [ ACC ]     STREAM     LISTENING     7200   /var/run/lighttpd/php-fastcgi.socket-3
 
Old 12-24-2010, 08:31 AM   #4
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166

Rep: Reputation: 10
I don't see the service listening on the server. Basically the NNTP service uses port 119 and it's not listed. Please check your configuration.
 
Old 12-24-2010, 03:58 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Yeah, it sounds like you don't have anything listening on port 119. That needs to happen in order for the port to be open. Simply creating a rule to allow TCP packets with destination port 119 on them doesn't open the port. An easier way to check for the listening process is:
Code:
netstat -an --inet | grep LISTEN
 
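As an added illustration of win32sux's point (this is not code from the thread), the Python below pairs the two outputs discussed above: a port only shows as "open" to a scan when an INPUT ACCEPT rule and a listening socket both exist. The iptables and netstat samples are constructed to mirror the thread and assume a CentOS-style INPUT chain that ends in a REJECT.

```python
import re

# Constructed sample modelled on the thread's `iptables --list --numeric` output.
IPTABLES_OUT = """\
Chain INPUT (policy ACCEPT)
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:119
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:119
"""

# Constructed sample of `netstat -an --inet | grep LISTEN`: nothing listens on 119.
NETSTAT_OUT = """\
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
"""

def input_accepted_tcp_ports(iptables_out):
    """TCP destination ports ACCEPTed in the INPUT chain (other chains ignored)."""
    chain, ports = None, set()
    for line in iptables_out.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
        elif chain == "INPUT" and line.startswith("ACCEPT"):
            m = re.search(r"\btcp dpt:(\d+)", line)
            if m:
                ports.add(int(m.group(1)))
    return ports

def listening_tcp_ports(netstat_out):
    """Local TCP ports in LISTEN state, parsed from numeric netstat output."""
    ports = set()
    for line in netstat_out.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def port_state(port, allowed, listening):
    """What a scanner would report: a firewall rule only matters once a process listens."""
    if port not in listening:
        return "closed"   # no listener: the ACCEPT rule alone cannot open the port
    return "open" if port in allowed else "filtered"  # listener behind the REJECT rule
```

Running the two parsers over real `iptables --list --numeric` and `netstat -an --inet` output and feeding the sets to port_state reproduces the diagnosis in this thread: 119 is allowed but closed, 10000 is allowed and open.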