I have a CentOS 6 as VM on a Windows box. I can use Putty to connect to the machine (on port 22) but can't connect via client applications (pgAdmin) or via telnet mytargetvmip 5432 to the postgresql (I did modify the pg_hba.conf file).
Here is what I have done: I changed the ip tables file and then do a service iptables restart command but to no good.
Please note, in the given iptables file, I had also tried iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT just before COMMIT but no luck. I want to be able to connect via any remote IP.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
COMMIT
Thanks.
Never mind, in addition to pg_hba.conf file, I also had to modify the postgresql.conf file to uncomment and make the listen_address to "*". After that, I removed my entry for port 5432 from the iptables file and then the following commands:
iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT
service iptables save
service iptables restart
Everything works.
HTH
Related
I have to allow port 9000 so sonarqube can be accessible, so I flushed the IPTABLE and add the below configuration, but from then below things happening:
no external URL connecting
unable to FTP connect via filezilla (but
NFtp working)
Below is the configuration:
# Generated by iptables-save v1.4.7 on Thu Feb 1 08:11:50 2018
*filter
:INPUT DROP [19:1566]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:928]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
COMMIT
# Completed on Thu Feb 1 08:11:50 2018
Please help.
Centos 6.9
I finally able to configure where all things git, composer, jenkins are able to coomunicate to external world and I can able to ssh via mingw git bash, and the configuration script is:
#!/bin/bash
iptables -F
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
/sbin/service iptables restart
/sbin/service network restart
iptables -L -v
My error:
# psql -U postgres -h 10.230.5.51
psql: could not connect to server: Connection refused
Is the server running on host "10.230.5.51" and accepting
TCP/IP connections on port 5432?
in postgresql.conf:
listen_addresses = '*'
port = 5432 # (change requires restart)
I have added the client server in pg_hba.conf (username/database replaced by X)
host X X 10.230.5.21 md5
host X X 10.230.5.22 md5
Before I added those in the pg_hba.conf, it gave me this error:
# psql -U postgres -h 10.230.5.51
psql: FATAL: no pg_hba.conf entry for host "10.230.5.22", user "X", database "X", SSL on
FATAL: no pg_hba.conf entry for host "10.230.5.22", user "X", database "X", SSL off
So I assume the first steps I have taken are correct?
The last step I feel like I may be missing, could be iptables. they look like this:
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.230.4.0/22 -j LOCAL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8010 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A LOCAL -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A LOCAL -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 2888 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 3888 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 7000 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 9042 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 9160 -j ACCEPT
Is the iptables ok? I can see that port 5432 is on the list. Is the connection being refused by another rule before that? iptable commands are weird.
General information:
Both computers are running linux. I did not originally setup the database. The database is running fine, but only locally, even though this happened when running the command on the server with postgres database:
# psql -U postgres -h localhost
psql: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
I faced the same problem in PostgreSQL 9.6 and I resolved in the following way.
sudo nano /etc/postgresql/9.6/main/postgresql.conf
put '*' instead of localhost on the following line and removed comment sign(#)
listen_addresses = '*'
Add the following line in pg_hba.conf
#TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 0.0.0.0/0 md5
Restart the service:
(Ubuntu) sudo service postgresql restart
Do following
Update : /var/lib/pgsql/<version>/data/postgresql.conf
change : #listen_addresses = 'localhost' to listen_addresses = '*'
restart service
Check if you did not switch DATABASE with USERNAME.
This also happened to me and this fixed it. The correct syntax is:
host DATABASE USERNAME ADDRESS METHOD
I am redirecting requests from port 6080 to port 80:
cd /etc/httpd/conf/httpd.conf
<virtualHost *:80>
ProxyRequests off
ProxyPass / http://localhost:6080/
ProxyPassReverse / http://localhost:6080/
</VirtualHost>
and I have port 80 open :
cd /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and I checked with netstat to make sure it is listening.
When I use wget localhost:80 and I got the index.html retrieved however when I try to get the html from browser, I get:
"this webpage is not available".
How can I access to this port from outside?
This line is incorrect:
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
Port 80 is suppose to be TCP (not UDP) so change to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Remove the line below because it is doesn't help and is covered by the rule above:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Do you really want port 6080 exposed to the outside world?If not remove
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
I should point out that removing this line probably won't hurt anything because it too was specified as using UDP and not TCP. If you did want it exposed to the outside world then you'll have to change it too. Generally when you do proxying internally behind a firewall you don't intend to expose the internal port so I would be very suspicious. If for some reason beyond my ability to understand you really do need to expose it too then you'll have to change the port 6080 line to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6080 -j ACCEPT
I believe it should look like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Looks like you're missing '--state NEW' on the line where you open port 80.
I got my iptables loaded in the /etc/sysconfig/iptables .
# Generated by iptables-save v1.4.21 on Tue Sep 9 18:38:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1312]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
COMMIT
# Completed on Tue Sep 9 18:38:38 2014
When i run Lynis to audit my server i get the following response .
- Found possible unused iptables rules (3 4 5 6 7 8 9 10 11 12 13 14) [test:FIRE-4513]
It states found "possible" unused iptables is this due to a wrong order of my iptables ?
thanks in advance for any leads .
Check out the related iptables command and see what rules apply. Then check your netstat -an output and determine if those services are running and get traffic.
If you believe there is traffic and the results stay the same, contact the author of Lynis (lynis-dev#domain)
I'm trying to set up my server to block all incoming traffic except for SSH from anywhere, and HTTP when from localhost (so that I have to tunnel in to use the webserver).
Here are my rules, as generated by iptables-save.
*filter
:INPUT ACCEPT [10:536]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1140]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
SSH works fine, but wget localhost still doesn't work.
How come?
This works for me:
$ cat rules
# Generated by iptables-save v1.4.21 on Mon Aug 25 15:06:42 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Aug 25 15:06:42 2014
$ sudo iptables-apply rules
Applying new iptables rules from 'rules'... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.
$ curl http://127.0.0.1/
<!DOCTYPE html>
<html>
...