LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 03-03-2012, 03:38 PM   #1
Brothermarkinter
LQ Newbie
 
Registered: Mar 2012
Posts: 2

Rep: Reputation: Disabled
Issues with opening ports in CentOS 5


Okay, I have been trying to figure out why I cannot get my ports to open in iptables, so I thought I would seek some help. I hope everyone is ready for a challenge!

I need to have TCP ports 6000-6010 open and UDP ports 5000-15000 open.

So my /etc/sysconfig/iptables looked like this:

Quote:
# Generated by iptables-save v1.3.5 on Sat Mar 3 16:08:32 2012
*mangle
:PREROUTING ACCEPT [124:10272]
:INPUT ACCEPT [123:10224]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [102:8250]
:POSTROUTING ACCEPT [102:8250]
COMMIT
However, when I came back an hour later and took another look, it had turned into this:

Quote:
# Generated by iptables-save v1.3.5 on Sat Mar 3 16:08:32 2012
*mangle
:PREROUTING ACCEPT [124:10272]
:INPUT ACCEPT [123:10224]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [102:8250]
:POSTROUTING ACCEPT [102:8250]
COMMIT
# Completed on Sat Mar 3 16:08:32 2012
# Generated by iptables-save v1.3.5 on Sat Mar 3 16:08:32 2012
*filter
:INPUT DROP [10:592]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -j VZ_INPUT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A FORWARD -j VZ_FORWARD
-A OUTPUT -j VZ_OUTPUT
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 137 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 138 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 138 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 139 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p tcp -j ACCEPT
-A VZ_OUTPUT -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 23 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 137 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 137 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 138 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 138 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 139 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 139 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 20:21 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 32768:65535 -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Sat Mar 3 16:08:32 2012
# Generated by iptables-save v1.3.5 on Sat Mar 3 16:08:32 2012
*nat
:PREROUTING ACCEPT [62:3872]
:POSTROUTING ACCEPT [10:830]
:OUTPUT ACCEPT [10:830]
COMMIT
# Completed on Sat Mar 3 16:08:32 2012
I have also tried writing a script for this, and it looks like this:
Quote:
#!/bin/bash

# iptables test script

# Clear all existing rules in the filter table
iptables -F

# SSH terminal
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT

# Camfrog TCP range
iptables -A INPUT -p tcp --dport 6000:6010 -j ACCEPT

# Camfrog UDP range (needs -p udp; a tcp rule never matches UDP datagrams)
iptables -A INPUT -p udp --dport 5000:15000 -j ACCEPT

# Webserver port
iptables -A INPUT -p tcp --dport 5999 -j ACCEPT

# Forwarding and output
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Show the result
iptables -L
Still, it does not work properly, and my iptables rules show up like this:
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
VZ_INPUT all -- anywhere anywhere
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
VZ_FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
VZ_OUTPUT all -- anywhere anywhere

Chain VZ_FORWARD (1 references)
target prot opt source destination

Chain VZ_INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:filenet-tms:65535
ACCEPT udp -- anywhere anywhere udp dpts:filenet-tms:65535
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- localhost.localdomain localhost.localdomain
ACCEPT udp -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp dpts:filenet-tms:65535

Chain VZ_OUTPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp spt:pcsync-https
ACCEPT tcp -- localhost.localdomain localhost.localdomain
ACCEPT udp -- localhost.localdomain localhost.localdomain
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:telnet
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ns
ACCEPT udp -- anywhere anywhere udp spt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn
ACCEPT udp -- anywhere anywhere udp spt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp spts:filenet-tms:65535

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Any help would be greatly appreciated. I'm trying to set up a Camfrog server, if that's helpful. Thank you in advance.
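As an added example (not code from the original poster or from any reply), here is how the two port ranges from the post would be opened on a host that owns its own filter table: a complete ruleset in iptables-save syntax with a default DROP on INPUT, loaded atomically with iptables-restore, plus a check that the loaded rules contain the intended ACCEPTs and nothing broader. The TCP 6000:6010 and UDP 5000:15000 ranges are the ones the post asks for; keeping SSH on 22, leaving OUTPUT at ACCEPT, and the Camfrog comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ruleset in iptables-save
# syntax for the ports the original poster asked about, plus a self-check that
# the rules being loaded actually contain the expected ACCEPTs.
#
# Assumptions (mine, not from the page): SSH stays on 22, the box is a plain
# CentOS 5 host (iptables 1.3.5, so "-m state" rather than "-m conntrack"),
# and this script is the sole owner of the filter table. On a VPS whose
# provider manages the filter table the rules may be rewritten underneath it.

SSH_PORT=22
TCP_RANGE="6000:6010"       # Camfrog TCP ports (from the post)
UDP_RANGE="5000:15000"      # Camfrog UDP ports (from the post)

# Emit the complete filter table. INPUT defaults to DROP, so only what is
# listed below gets in; replies to our own connections are allowed by state.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${TCP_RANGE} -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport ${UDP_RANGE} -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset on stdin has an INPUT ACCEPT for exactly this
# protocol and destination port (range).  Usage: build_rules | has_accept udp 5000:15000
has_accept() {
    grep -q -- "^-A INPUT -p $1 -m $1 --dport $2 .*-j ACCEPT\$"
}

# Print INPUT ACCEPT rules that are not limited to a port, to loopback, to
# existing connections or to ping. Any output means the ruleset admits more
# than intended; the post's "-m state --state NEW -j ACCEPT" is such a rule.
unscoped_accepts() {
    grep -- '^-A INPUT .*-j ACCEPT$' \
        | grep -v -e '--dport' -e '-i lo' -e 'ESTABLISHED' -e 'icmp' || true
}

case "${1:-show}" in
    show)  build_rules ;;
    apply)
        # iptables-restore replaces the whole table in one step, so there is
        # no window with a half-loaded ruleset (unlike a series of iptables -A).
        build_rules | iptables-restore
        # Persist so the CentOS 5 init script reloads it at boot.
        iptables-save > /etc/sysconfig/iptables
        ;;
    *) echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the ruleset for review and with `apply` to load it and write /etc/sysconfig/iptables. Note that iptables-restore without `--noflush` flushes the filter table before loading, so the VZ_ chains in the post would be removed by this and, if the provider's software reinstates them, they will reappear; re-check the dump a while after loading.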
 
Old 03-03-2012, 04:14 PM   #2
harry edwards
Member
 
Registered: Nov 2007
Location: Lincolnshire, UK
Distribution: CentOS, Fedora, and Suse
Posts: 365

Rep: Reputation: 48
What is VZ_INPUT? Are you using some virtual hosting, or a firewall manager, e.g. Smoothwall? The VZ_INPUT and VZ_OUTPUT chains are not part of the default CentOS install. Thus, I am guessing some other software is managing your firewall.
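An added example, not from either participant, for confirming the suspicion in this reply: a small drift check for the case where the live ruleset is rewritten by software outside your control, which is what the original poster saw when a filter table with VZ_ chains appeared in /etc/sysconfig/iptables an hour later. It normalizes iptables-save output (timestamps and packet counters stripped, lines de-duplicated and sorted) so two dumps of the same policy compare equal, then reports rules that appeared or vanished since a snapshot. The snapshot path and the two sample dumps are constructed for illustration and follow the shape of the dumps in the post.

```shell
#!/bin/sh
# Added example (not from the thread): detect when something other than you
# rewrites the live iptables ruleset, as the original poster saw when extra
# tables and VZ_* chains appeared in /etc/sysconfig/iptables an hour later.
# Method: keep a normalized iptables-save snapshot, compare against it later.
export LC_ALL=C                                   # stable sort/comm collation

SNAPSHOT="${SNAPSHOT:-/var/lib/fw-baseline.rules}"   # hypothetical path

# Normalize a dump read on stdin: drop "# Generated/Completed" comments,
# strip the [packets:bytes] counters on chain headers, and reduce to a sorted
# set of unique lines. Two dumps of the same policy then compare identical
# no matter what the traffic counters did in between.
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' | sort -u
}

# Compare two normalized dumps: lines only in the newer one print as "+ ",
# lines that disappeared as "- ". Return 0 if identical, 1 if anything drifted.
drift_report() {
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
    cmp -s "$1" "$2"
}

# Constructed sample dumps (not real captures) in the shape of the post's:
# first the mangle-only file, then the same host after a filter table with a
# foreign VZ_INPUT chain showed up. The mangle counters differ on purpose.
SAMPLE_BEFORE='# Generated by iptables-save v1.3.5 on Sat Mar 3 16:08:32 2012
*mangle
:PREROUTING ACCEPT [124:10272]
:INPUT ACCEPT [123:10224]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [102:8250]
:POSTROUTING ACCEPT [102:8250]
COMMIT
# Completed on Sat Mar 3 16:08:32 2012'

SAMPLE_AFTER='# Generated by iptables-save v1.3.5 on Sat Mar 3 17:10:00 2012
*mangle
:PREROUTING ACCEPT [900:71000]
:INPUT ACCEPT [880:70010]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [700:51200]
:POSTROUTING ACCEPT [700:51200]
COMMIT
# Completed on Sat Mar 3 17:10:00 2012
# Generated by iptables-save v1.3.5 on Sat Mar 3 17:10:00 2012
*filter
:INPUT DROP [10:592]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_INPUT - [0:0]
-A INPUT -j VZ_INPUT
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Mar 3 17:10:00 2012'

# Write the normalized samples to the two paths given (before, after).
write_samples() {
    printf '%s\n' "$SAMPLE_BEFORE" | normalize > "$1"
    printf '%s\n' "$SAMPLE_AFTER"  | normalize > "$2"
}

# Number of chain/rule lines that appeared between the two samples. The
# unchanged mangle table, despite its new counters, must contribute nothing.
sample_added_count() {
    b=$(mktemp) && a=$(mktemp)
    write_samples "$b" "$a"
    comm -13 "$b" "$a" | wc -l | tr -d ' '
    rm -f "$b" "$a"
}

case "${1:-}" in
    snapshot) iptables-save | normalize > "$SNAPSHOT" ;;
    check)    cur=$(mktemp); iptables-save | normalize > "$cur"
              drift_report "$SNAPSHOT" "$cur"; rc=$?; rm -f "$cur"; exit "$rc" ;;
    demo)     b=$(mktemp); a=$(mktemp); write_samples "$b" "$a"
              drift_report "$b" "$a"; rc=$?; rm -f "$b" "$a"; exit "$rc" ;;
    *)        : ;;   # no argument: only define the functions above
esac
```

Take a `snapshot` right after loading your own rules, then run `check` from cron or by hand later; a non-zero exit with "+ " lines naming chains you never created is the evidence that another program owns the table, and the listed lines tell you which one (the VZ_ chains and the 8443/8880 ports in the post are that kind of fingerprint). `demo` runs the comparison on the two constructed samples.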
 
Old 03-03-2012, 05:59 PM   #3
Brothermarkinter
LQ Newbie
 
Registered: Mar 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Yes, I am on a virtual server. Any ideas on how to block out that software?
 
Old 03-04-2012, 03:06 AM   #4
harry edwards
Member
 
Registered: Nov 2007
Location: Lincolnshire, UK
Distribution: CentOS, Fedora, and Suse
Posts: 365

Rep: Reputation: 48
If your VPS provider is providing a firewall, it is normally configurable through a management front end. It may be easier for you to ask your VPS provider's support team for advice.
 
  

