We Keep Coding

Open Port Issue on CentOS

I'm working on a CentOS 6 machine. I've tried to follow the following guides:
How to open port in centOS
http://ask.xmodulo.com/open-port-firewall-centos-rhel.html
If I run nmap ipofmachine on the target machine I have this strange result.
Host is up (0.0079s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
8080/tcp closed http-proxy
Still, when I run sudo iptables -L I have the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Am I missing something? Let me know if you need more information (I'm trying to open port 8080).

In order to allow connections on a specific port you must configure the CentoOS firewall:
> sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
> sudo firewall-cmd --reload
You need to configure privilege elevation with sudo

If you are using IPTables, add the following rule into etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
Then run the following command to save: iptables-restore < /etc/sysconfig/iptables

iptable rules for port forwarding and blocking

I would like to know your professional opinions on the following rule for iptables. I know it is possible to move cPanel's port but it's not so easy for WHM and some other services etc.
I needed something to route a new private port i.e. 1234 to the service while blocking the default port i.e. 2083. In my head, the following rule does this:
Marks the packets incoming on the private port
Redirects the packets to the actual port
Only accepts marked packets on the actual port
Note: The policies are defaulted to DROP all NEW connections
The rules below are working as expected, but before I go and get too excited that the job is done, I wanted a pro opinion on it first. The rules, and preceding context:
# Policy defaults
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept anything to/from localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept anything established/related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------
# Port forward and block (cPanel)
iptables -A PREROUTING -t mangle -p tcp --dport 1234 -j MARK --set-mark 0x400
iptables -A PREROUTING -t nat -p tcp --dport 1234 -j REDIRECT --to-ports 2083
iptables -A INPUT -p tcp --dport 2083 -m mark --mark 0x400/0x400 -m state --state NEW -j ACCEPT -m comment --comment "cPanel (Secure)"
Im no iptables wizzkid but it seems to work, Is this fairly secure?
Thanks in advance

Iptables Prevent Flooding

I know you can limit number of connections per ip, per time interval etc, but what I am wanting is amount of data.
I'm hosting a socket server, and I thought rather than making it do the processing to check for flooding - offload it to the firewall. I know you can guard against syn flooding attacks, like mentioned here:
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
For example:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
I'm not sure what iptables can do, so the question is a bit vague. But since web-sockets use tcp I should be able to limit number of bytes per second. And flag connections exceeding that limit or just drop them, whatever.
I can't seem to find a good reference on this, as they are all about tracking connections etc, not data transfer. Does anyone know of a good reference or how to do this? Is iptables not a good firewall for this? if not what is?

The kernel-side firewall is the fastest and the most secure software solution (difficult to kill the kernel isn't it?). Using it have also the advantage to use the hardware firewall found on some network controllers.
Iptables is the primary tool for controlling it, but there are many others frontends with easier syntax.
If you want to configure easier, you should use this :.
Keep in mind tracking byte count for each IP can use lot of memory.
In your case I would install ipset, which is developed by the same team of iptables :
#create ipset for accounting with default lifetime 300 secs
ipset create IP_QUOTA_SET hash:ip timeout 300 counters
#create separated rule chain
iptables --new-chain PER_IP_QOUTING
#send packets to chain
iptables -t filter -A INPUT \
-i <in-iface> --dst <ip> \
-p tcp --dport <dstport> \
-j PER_IP_QUOTING
#if ip doesn't exist in the set, add it
iptables -t filter -A PER_IP_QUOTING \
-m set ! --match-set IP_QUOTA_SET src \
-j SET --add-set IP_QUOTA_SET src --timeout 300
#if packet exists in the set, check bytes
#if byte counter > quota then drop packet
iptables -t filter -A PER_IP_QUOTING \
-m set --match-set IP_QUOTA_SET src \
--bytes-gr 1000 -j DROP
#pass other packets (for debug purpose)
iptables -t filter -A PER_IP_QUOTING \
-j RETURN
In this case you can check the list and edit it by ipset command.
To show current list with counters and timeouts :ipset list IP_QUOTA_SET.
STRONG NOTE : iptables is Linux specific and is available since linux 2.4. The kernel implementation along the userspace tools did change in 2.0 and 2.2 previously.
The 3.13 version introduced a new change which will replace ipset; arptables; ebtables; ip6tables, and iptables with a single tool.
As with previous versions, their will be a transition period where frontends like vuurmuur will remain compatible with the kernel, but don't expect to use iptables in the future.

You can try the iptable command mark together with tc (traffic-shaping):http://www.amiryan.org/2009/02/16/traffic-shaping-under-linux-with-tc-and-iptables/.

Docker: ping: unknown host yahoo.com

Here are all the things I tried:
Ran docker deamon with -dns:
sudo docker -d -dns 8.8.8.8
Made sure that IP forwarding is enabled:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Nameservers are in place:
$ docker -dns '8.8.8.8' run centos:6.4 ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12000ms
Appreciate any suggestions.

It sounds like Docker's automatic iptables configuration is not working. This can often occur if you've changed the host IP address without restarting the Docker daemon. I would try the following:
Ensure you can ping from the host (just to be sure!)
Restart the Docker daemon and try again (this should reset iptables configuration)
Inspect the output from iptables --list --table nat
Mine looks as so:
# iptables --list --table nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- <redacted>/24 !<redacted>/24
MASQUERADE all -- <redacted>/16 !<redacted>/16
Chain DOCKER (2 references)
target prot opt source destination

Changing the incoming interface of the packet using iptables MARK and ip route commands

I was trying to change the incoming interface of the packet using iptables MARK and ip route commands.
I have tried this approach which suggests the use of iptable Mark and iproute2 utilities instead of ROUTE target, but could not find any success changing the incoming interface of the packet in the receiving path.
I have an application 'A' which binds to an interface intfA in linux i.e the application sends and receives packets only on via intfA.
Sending path
In a tunnel based setup, I was able to send packet's out from intfA to tap0 using the following iptable commands:
iptables -t mangle -A OUTPUT -d 8.9.10.11/32 -j MARK --set-mark 1
ip rule add fwmark 1 priority 9000 table 1
My default routing entry in main table is pointing to intfA
In table '1' I have made the default routing table entry point to tap0:
route add default dev tap0 table 1
I could observe from the kernel dmesg logs that the outgoing interface of the packet changed succesfully from intfA to tap0.
In the return path
After tap0 gets the encrypted packet from tunnel, it decrypts it and injects the plain text packet with destination 'a.b.c.d' into the linux kernel via the tap0 interface.
So at the kernel prerouting hook, I see the packet coming with IP = 'a.b.c.d' and with incoming tap0.
Following iptable rules were used to change the incoming interface:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j MARK --set-mark 2
ip rule add fwmark 2 priority 8000 table 2
In table '2' I have made the default routing table entry point to intfA:
route add default dev intfA table 2
I tried to log the packets at the PREROUTING hook and the INPUT hook using the following iptable commands:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN PREOUTING: "
iptables -t mangle -A INPUT -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN INPUT: "
I was hoping the incoming interface of the packet to be changed from tap0 to intfA between the PREROUTING hook and INPUT hook. But suprisingly the interface doesn't change in both the kernel log trace. I could see the incoming packets marked with mark 2 as well.
From the dmesg log's i confirmed that the Incoming interface still remains as tap0 after the INPUT hook.
I wanted to understand the reason behind this behaviour for the iptables commands I have used. Not sure if I missed anything in iptables commands I used which is causing this issue.

I have the same problem. As a temporary solution I've found that -j TEE target helps:
iptables -t mangle -A PREROUTING [options] -j TEE --gateway IP
In your case, fill [options] and the gateway's IP (intfA address) with your values.