
Thread: yast FIREWALL configuration

  1. #1

    yast FIREWALL configuration

    Hello,

    In YaST I have set up/opened ports
    22 (ssh)
    25 (smtp)
    53 (dns)
    80 (http)
    443 (https)
    465 (smtps)
    993 (imaps)
    10000 (webmin)

    The problem is that I can't access the server/webmin from the internet by typing https://my_ip_address:10000 ...
    I can only access webmin on port 10000 if accessed from the local network. All the ports in my router are opened and pointing to the internal IP address of the server. However, I find it strange that I can easily connect to port 22 (ssh) from the internet but not to port 10000?

    Also, if I run the command nmap -v -sS -O 127.0.0.1 from konsole I get the following output:

    Starting Nmap 4.75 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-09-11 23:51 JST
    Initiating SYN Stealth Scan at 23:51
    Scanning localhost (127.0.0.1) [1000 ports]
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 25/tcp on 127.0.0.1
    Discovered open port 111/tcp on 127.0.0.1
    Discovered open port 631/tcp on 127.0.0.1
    Completed SYN Stealth Scan at 23:51, 0.03s elapsed (1000 total ports)
    Initiating OS detection (try #1) against localhost (127.0.0.1)
    Host localhost (127.0.0.1) appears to be up ... good.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    111/tcp open rpcbind
    631/tcp open ipp
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.17 - 2.6.25
    Uptime guess: 0.073 days (since Fri Sep 11 22:06:46 2009)
    Network Distance: 0 hops
    TCP Sequence Prediction: Difficulty=200 (Good luck!)
    IP ID Sequence Generation: All zeros

    Read data files from: /usr/share/nmap
    OS detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
    Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
    Raw packets sent: 1019 (45.598KB) | Rcvd: 2045 (87.076KB)

    How come there are open ports (111, 631) in my fresh installation if they are not shown as open in the YaST firewall configuration?
    Most important is why port 10000 is not showing/opened as configured in the YaST firewall?

    Thanks

  2. #2

    Re: yast FIREWALL configuration

    And here is the output of iptables, which shows different output ...

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED
    input_ext all -- 0.0.0.0/0 0.0.0.0/0
    input_ext all -- 0.0.0.0/0 0.0.0.0/0
    input_ext all -- 0.0.0.0/0 0.0.0.0/0
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

    Chain forward_ext (0 references)
    target prot opt source destination

    Chain input_ext (3 references)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:993 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:53 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:443
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain reject_func (0 references)
    target prot opt source destination
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

  3. #3

    Re: yast FIREWALL configuration

    This is the /var/log/firewall output when trying to connect from the internet to port 10000:

    Sep 12 00:38:42 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=----------------------------------------- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41642 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
    Sep 12 00:38:43 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=----------------------------------------- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41645 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
    Sep 12 00:38:44 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=----------------------------------------- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41647 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
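    As an added example (not code from the thread), here is a small parser for SuSEfirewall2 kernel log lines of the kind shown above. It reads the verdict out of the SFW2-<chain>-<verdict>-<detail> prefix seen in the iptables output and tells you whether the firewall accepted or dropped the SYNs to a given port, which is exactly the check that separates a firewall problem from an application-side one. The sample log reuses the three accepted lines from the post (MAC shortened) plus one constructed SFW2-INext-DROP-DEFLT line for contrast; the page itself contains no drop line.

    ```python
    import re
    from collections import Counter

    # Constructed sample: three ACC lines from the thread, one made-up DROP line.
    SAMPLE_LOG = """\
    Sep 12 00:38:42 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=-- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41642 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
    Sep 12 00:38:43 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=-- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41645 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
    Sep 12 00:38:44 linux-pinguin kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=-- SRC=85.25.130.90 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=41647 DF PROTO=TCP SPT=2100 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055801010402)
    Sep 12 00:40:01 linux-pinguin kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=-- SRC=198.51.100.7 DST=192.168.0.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
    """

    LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")
    FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


    def parse_sfw2_line(line):
        """Return {prefix, verdict, KEY: VAL, ...} for an SFW2 line, else None."""
        m = LINE_RE.search(line)
        if not m:
            return None
        prefix = m.group("prefix")
        # Prefix layout: SFW2-<chain>-<verdict>-<detail>, e.g. SFW2-INext-ACC-TCP
        parts = prefix.split("-")
        rec = {"prefix": prefix, "verdict": parts[2] if len(parts) > 2 else "UNKNOWN"}
        for f in FIELD_RE.finditer(m.group("fields")):
            rec[f.group("key")] = f.group("val")
        return rec


    def firewall_verdicts(log_text, dport):
        """Count ACC/DROP verdicts for TCP packets to one destination port."""
        counts = Counter()
        for line in log_text.splitlines():
            rec = parse_sfw2_line(line)
            if rec and rec.get("PROTO") == "TCP" and rec.get("DPT") == str(dport):
                counts[rec["verdict"]] += 1
        return dict(counts)


    def blocked_by_firewall(log_text, dport):
        """True only when the firewall dropped traffic to dport and accepted none."""
        v = firewall_verdicts(log_text, dport)
        return v.get("DROP", 0) > 0 and v.get("ACC", 0) == 0


    if __name__ == "__main__":
        # For port 10000 every SYN was accepted, so the refusal happened after iptables.
        print(firewall_verdicts(SAMPLE_LOG, 10000), blocked_by_firewall(SAMPLE_LOG, 10000))
    ```

    A port with accepted SYNs and no DROP lines, as here for 10000, points at the listening service (in this thread, webmin's own IP allow list) rather than at SuSEfirewall2.
    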

  4. #4

    Re: yast FIREWALL configuration

    This is well beyond me but here's a drive by thought: try turning off iptables or maybe just su then "rcSuSEfirewall2 stop" to see if the routing and port forwarding works (maybe it's not the firewall).

    And this is a bit interesting too: webmin port 10000 not going through - LinuxQuestions.org

  5. #5

    Re: yast FIREWALL configuration

    @swerdna,

    Thank you for your reply; however, I have already found the problem: webmin was blocking all IPs except local ones. I have just added an extra IP and restarted webmin.
