Opening port on machine - Security


Thread: Opening port on machine

  1. Opening port on machine

    Hi,

    I'm using Red Hat Enterprise Linux ES release 4 (Nahant Update 3) and
    have used the system-config-securitylevel utility to open port 5505 on
    the firewall. The iptables config now looks like this:


    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5505 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    I restarted iptables successfully and would now expect to be able to
    telnet to that port on the machine locally, as I'm expecting the port to
    have been opened and to be listening; however, I get connection
    refused.

    # telnet localhost 5505
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused
    telnet: Unable to connect to remote host: Connection refused

    Can anyone help please? This seems to be a trivial problem that
    should be easy to sort out, but I've been racking my brains for a while
    trying to get this to work.

    Many thanks.


  2. Re: Opening port on machine

    On Fri, 15 Sep 2006 02:21:06 -0700 cris.pini wrote:

    > Hi,
    >
    > I'm using Red Hat Enterprise Linux ES release 4 (Nahant Update 3) and
    > have used the system-config-securitylevel utility to open port 5505 on
    > the firewall. The iptables config now looks like this:
    >
    >
    > # Firewall configuration written by system-config-securitylevel
    > # Manual customization of this file is not recommended.
    > *filter
    > :INPUT ACCEPT [0:0]
    > :FORWARD ACCEPT [0:0]
    > :OUTPUT ACCEPT [0:0]
    > :RH-Firewall-1-INPUT - [0:0]
    > -A INPUT -j RH-Firewall-1-INPUT
    > -A FORWARD -j RH-Firewall-1-INPUT
    > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    > -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5505 -j ACCEPT
    > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    > COMMIT


    Standard RHEL4 iptables setup with your port 5505/tcp addition.

    > I restarted iptables successfully and would now expect to be able to
    > telnet to that port on the machine locally, as I'm expecting the port to
    > have been opened and to be listening; however, I get connection
    > refused.


    service iptables status

    gives you a list of all active iptables rules.

    > # telnet localhost 5505
    > Trying 127.0.0.1...
    > telnet: connect to address 127.0.0.1: Connection refused
    > telnet: Unable to connect to remote host: Connection refused
    >
    > Can anyone help please as this seems to be a trivial problem that
    > should be easy to sort out but I've been racking my brains for a while
    > trying to get this to work.
    >
    > Many thx.


    There must be a service listening on port 5505 to be successful with such a
    simple "telnet test".

    lsof -i :5505

    Alexander


    --
    Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
    legal statement: http://www.uni-x.org/legal.html
    Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
    Serendipity 12:34:12 up 8 days, 14:43, load average: 0.15, 0.18, 0.07


  3. Re: Opening port on machine


    Alexander Dalloz wrote:


    > There must be a service listening on port 5505 to be successful with such a
    > simple "telnet test".
    >
    > lsof -i :5505


    Thanks for this. Running the lsof command above does not return anything,
    and I'm guessing this is because I haven't bound my service to the
    port.

    Basically, I'm running a network monitoring daemon process that is
    listening for messages being carried over the socket via TCP using port
    5505 on remote hosts. Do I need to bind this service to the port, or
    can't I just have an open port? If I need to bind, can you advise as to
    how this is done please? Thanks.


  4. Re: Opening port on machine

    On Fri, 15 Sep 2006 04:28:45 -0700 cris.pini wrote:

    >> There must be a service listening on port 5505 to be successful with such a
    >> simple "telnet test".
    >>
    >> lsof -i :5505

    >
    > Thanks for this. Running the lsof command above does not return anything,
    > and I'm guessing this is because I haven't bound my service to the
    > port.
    >
    > Basically, I'm running a network monitoring daemon process that is
    > listening for messages being carried over the socket via TCP using port
    > 5505 on remote hosts. Do I need to bind this service to the port, or
    > can't I just have an open port? If I need to bind, can you advise as to
    > how this is done please? Thanks.


    You do not name that product, so it is difficult to answer for sure. But
    "network monitoring daemon ... listening for messages" sounds like a
    process which itself would bind to a network socket. Whether it is TCP or
    UDP (like remote syslogd logging) can't be said from my side. If UDP, you
    can't test it using telnet.
    Everything further depends on that specific application and how it is to be
    configured.

    Alexander


    --
    Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
    legal statement: http://www.uni-x.org/legal.html
    Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
    Serendipity 13:56:44 up 8 days, 16:06, load average: 0.21, 0.23, 0.19
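The two points made in Alexander's replies (a "Connection refused" means nothing has bound the port, and a UDP daemon cannot be probed with telnet) can be reproduced without root and without touching iptables. The script below is an added example written for this page, not code from the original posts. It classifies what a TCP client sees the way a telnet user would (refused, open, rejected by an iptables REJECT, or silently filtered) and runs the thread's scenarios on 127.0.0.1 with kernel-chosen ports instead of 5505, so it cannot collide with a real service. Two things worth noting that the posted rule set already shows: RH-Firewall-1-INPUT begins with `-i lo -j ACCEPT`, so a test against localhost is accepted before the port-5505 rule is ever consulted, and the chain's final `REJECT --reject-with icmp-host-prohibited` would surface on a remote client as "No route to host" rather than "Connection refused".

```python
"""Tell 'nothing is listening' apart from 'the firewall is blocking me'.

Added example for this thread; it is not code from the original posts.
It does not touch iptables (that needs root). It only reproduces the
client-side symptoms discussed in the thread using sockets on loopback,
with ports chosen by the kernel at run time instead of the thread's 5505.
"""
import errno
import socket


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt the way a telnet user would see it.

    "refused"  -> the host answered with a RST: reachable, but no socket is
                  bound to that TCP port (the thread's 'Connection refused').
    "open"     -> three-way handshake completed: something is listening.
    "rejected" -> ICMP host-prohibited came back, i.e. an iptables REJECT
                  rule such as the last one in RH-Firewall-1-INPUT
                  (telnet prints 'No route to host').
    "filtered" -> no answer at all before the timeout: typical of a DROP
                  rule or an upstream packet filter.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.EHOSTUNREACH:
            return "rejected"
        raise
    finally:
        s.close()


def tcp_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind and listen on a TCP port (port 0 lets the kernel pick a free one).

    No accept() loop is needed for the demonstration: the kernel completes
    the handshake for a listening socket and queues the connection in the
    backlog, which is exactly what makes telnet report success.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def udp_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind a UDP socket; a TCP probe of the same port number is still refused."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Ask the kernel for a currently unused TCP port, then release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(host: str = "127.0.0.1") -> dict:
    """Reproduce the three situations from the thread and return the verdicts."""
    results = {}

    # 1. Firewall rule or not, nothing has bound the port: 'Connection refused'.
    results["no_listener"] = probe(host, free_port(host))

    # 2. A process has done bind()+listen() on the port: telnet connects.
    srv = tcp_listener(host)
    try:
        results["tcp_listener"] = probe(host, srv.getsockname()[1])
    finally:
        srv.close()

    # 3. The daemon speaks UDP (remote syslog style): telnet, being TCP,
    #    still gets 'Connection refused' even though the service is up.
    udp = udp_listener(host)
    try:
        results["udp_only"] = probe(host, udp.getsockname()[1])
    finally:
        udp.close()

    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

Run it as a script to print the three verdicts. Used against a remote host, a "rejected" verdict points at a REJECT rule like the one closing the posted chain, "filtered" at a DROP somewhere on the path, and "refused" means the packet got through every filter and simply found no listener, which is the situation in this thread and the reason `lsof -i :5505` returned nothing.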

