  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    14

    problem with iptables firewall


    I am trying to run an application on Redhat Linux on a non-standard port. I have a firewall that uses iptables. I created a script that will first flush the iptables rules, then load the rules.

    So, to open port 9090, I added this:

    /sbin/iptables -A INPUT -p tcp --dport 9090 -j ACCEPT

    I then run the script to update the iptables.

    I run nmap -p 9090 my.ip and it shows that port 9090 is closed.

    If I flush the iptables and try it again, I get the same thing.

    Does the port have to be attached to some application to show as being open, or is it open just by virtue of the iptable rule? It almost appears as the iptables are not doing anything.

    Obviously, I am a bit confused and would appreciate any tips.

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by manouche
    I run nmap -p 9090 my.ip and it shows that port 9090 is closed.
    That means the tcp port is not being filtered, but there is no daemon listening there.

    If you hadn't added that rule, it would show 'filtered' (not 'closed'). Once there is a daemon listening, it will show 'open'.

  3. #3
    Just Joined!
    Join Date
    Oct 2007
    Posts
    14
    If I comment out or remove that rule, update the firewall and run nmap again, this is what it shows:

    The 1 scanned port on mydoman.com (xxx.xxx.xxx.x) is: closed

    It says nothing about being 'filtered'.

  4. #4
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,755
    In networking, a port is "open" because when you send data to it, something (typically an application) responds.

    When iptables was blocking, nothing responded, so nmap shows a "closed" port. When you told iptables to allow port 9090 through to the OS, it did so, but still nothing responded, so nmap still says "closed."

    You can review the nmap documentation to see how it scans in order to decide if a port is open/closed - there are many ways to scan a machine.

  5. #5
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    There's another distinction I should have made. A tcp port will show as 'filtered' if you have a rule (or policy) to DROP packets, and the scan hits that rule.

    If your default rule at the end of your chain is to REJECT, that will send an icmp port unreachable response. In that case, the tcp port will show as 'closed'.

    In your case, assuming you do have a REJECT rule, the status of 'closed' is ambiguous. You can test your rule out further by using netcat on the server side to temporarily listen on that tcp port. (A status of 'open' would mean your rule worked properly.)

  6. #6
    Just Joined!
    Join Date
    Oct 2007
    Posts
    14

    more questions about iptables Firewall and open ports

    Okay, I think my understanding of this has expanded a bit. However, I am still stuck. I have an application that is supposed to run on port 9090. I install the RPM and everything looks fine. When I try to access it, it says I can't connect. I have an iptables script that allows me to enter rules and update when I need to. I had entered a rule that opened port 9090. However, I can't connect at that port. So, I flush all rules. I still can't connect. However, when I run nmap or netstat, even specifically on that port, it shows it as closed.

    I would like to narrow this down to a firewall/access or application issue.

    Any ideas about how to proceed to figure this out?

    Thanks.

  7. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Flushing the filtering rules alone may not do the trick if you have any POLICY set to anything other than ACCEPT. It would be best to shut down the iptables service (how to do this depends on your distro) in order to eliminate the firewall as the problem.

    When you run netstat -tln (which shows listening tcp connections) on the server, you should see something listening on an appropriate interface on tcp port 9090. If you don't, you have an application-level issue to sort out.

  8. #8
    Just Joined!
    Join Date
    Oct 2007
    Posts
    14
    Quote Originally Posted by anomie View Post
    Flushing the filtering rules alone may not do the trick if you have any POLICY set to anything other than ACCEPT. It would be best to shut down the iptables service (how to do this depends on your distro) in order to eliminate the firewall as the problem.

    When you run netstat -tln (which shows listening tcp connections) on the server, you should see something listening on an appropriate interface on tcp port 9090. If you don't, you have an application-level issue to sort out.
    Well, so far I haven't been able to get this application to talk on port 9090. Iptables is allowing the port, but nmap and netstat don't give me an indication that it is open. So, I issued a telnet to the ip on port 9090 and can't connect. I am pretty much stumped on this one. It almost seems like the firewall rules are not behaving well, especially if I flush rules and close the iptables service. Any other ideas about what to try?

  9. #9
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,755
    Quote Originally Posted by anomie View Post
    When you run netstat -tln (which shows listening tcp connections) on the server, you should see something listening on an appropriate interface on tcp port 9090. If you don't, you have an application-level issue to sort out.
    As Anomie has already said, if your application is running and netstat -anp | grep 9090 doesn't show "LISTENING" then your application has not opened this port. This is completely independent of the firewall.

    If the application isn't listening, the port is closed, no matter if the firewall is blocking or not.

    Find another application or use something built in like SSH on port 22.

    To correctly "turn off" iptables for the local machine, use:

    Code:
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
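
The checks the thread converges on in #5 and #9 (is anything listening, what does the INPUT chain do to a new connection, and what nmap will therefore report) as one script. This is an added example, not code from any poster or project. It assumes the command names `netstat -tln` / `ss -tln` and `iptables -S INPUT` (or `iptables-save -t filter`), and every sample listing in it is constructed, not captured from the poster's machine. The nmap mapping follows nmap's documented SYN-scan rules (SYN/ACK is open, RST is closed, no reply or an ICMP unreachable is filtered), which is why a REJECT with the default ICMP reply shows as filtered to a SYN scan and only `--reject-with tcp-reset` shows as closed.

```shell
#!/bin/sh
# Added diagnostic helpers for this thread's question; not code from any poster
# or project. They separate "no daemon listening" from "firewall filtering" for
# one TCP port by reading command output on stdin, so they run offline on
# captured text. Live use (assumed command names; iptables needs root):
#   netstat -tln | is_listening 9090 && echo listening
#   iptables -S INPUT | input_verdict 9090

# is_listening PORT: reads `netstat -tln` or `ss -tln` output. Exit 0 if a
# socket is in LISTEN state on PORT; column 4 is the local address in both
# tools (0.0.0.0:9090, 127.0.0.1:9090, :::9090 and *:9090 all match).
is_listening() {
  awk -v p="$1" '
    $4 ~ (":" p "$") && /LISTEN/ { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# input_verdict PORT: reads `iptables -S INPUT` (or `iptables-save -t filter`)
# output and prints what the INPUT chain does with a NEW TCP connection to
# PORT: ACCEPT, DROP, REJECT:tcp-reset or REJECT:icmp. Rules are walked in
# order, the first applicable terminal rule wins, otherwise the chain policy.
# Simplifications: source-address matches are assumed to match the scanner,
# only "-i lo" rules are excluded, port ranges (a:b) are not parsed, and rules
# restricted to RELATED/ESTABLISHED state are skipped (a fresh SYN is NEW).
input_verdict() {
  awk -v p="$1" '
    /^-P INPUT / { policy = $3; next }   # "iptables -S" policy line
    /^:INPUT /   { policy = $2; next }   # "iptables-save" policy line
    /^-A INPUT / {
      proto = ""; iface = ""; dport = ""; dports = ""; state = ""; target = ""; rw = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        if ($i == "-i") iface = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "--dports") dports = $(i+1)
        if ($i == "--state" || $i == "--ctstate") state = $(i+1)
        if ($i == "-j") target = $(i+1)
        if ($i == "--reject-with") rw = $(i+1)
      }
      if (iface == "lo") next
      if (proto != "" && proto != "tcp") next
      if (dport != "" && dport != p) next
      if (dports != "") {
        n = split(dports, a, ","); hit = 0
        for (k = 1; k <= n; k++) if (a[k] == p) hit = 1
        if (!hit) next
      }
      if (state != "" && state !~ /NEW/) next
      if (target == "ACCEPT" || target == "DROP") { print target; done = 1; exit }
      if (target == "REJECT") {
        v = (rw == "tcp-reset") ? "REJECT:tcp-reset" : "REJECT:icmp"
        print v; done = 1; exit
      }
    }
    END { if (!done) { if (policy == "") policy = "ACCEPT"; print policy } }'
}

# expected_nmap_state LISTENING VERDICT: what an nmap SYN scan (-sS, the
# default when nmap runs as root) reports, per nmap's rules: SYN/ACK -> open,
# RST -> closed, no reply or ICMP unreachable -> filtered. Hence REJECT with
# the default ICMP reply is "filtered" here; only tcp-reset gives "closed".
expected_nmap_state() {
  case "$2" in
    ACCEPT)           if [ "$1" = yes ]; then echo open; else echo closed; fi ;;
    REJECT:tcp-reset) echo closed ;;
    DROP|REJECT:icmp) echo filtered ;;
    *)                echo unknown ;;
  esac
}

# diagnose PORT LISTING RULES: run both checks on captured text and say which
# side needs fixing.
diagnose() {
  l=no
  if printf '%s\n' "$2" | is_listening "$1"; then l=yes; fi
  v=$(printf '%s\n' "$3" | input_verdict "$1")
  s=$(expected_nmap_state "$l" "$v")
  case "$l/$v" in
    yes/ACCEPT) why="should be reachable" ;;
    no/ACCEPT)  why="nothing listening: application problem, not the firewall" ;;
    yes/*)      why="listener present but the INPUT chain blocks it: firewall problem" ;;
    *)          why="nothing listening and the firewall blocks it: both" ;;
  esac
  echo "port $1: listener=$l firewall=$v nmap-syn=$s ($why)"
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_RULES_DROP='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

diagnose 9090 "$SAMPLE_NETSTAT" "$SAMPLE_RULES"        # application problem
diagnose 9090 "$SAMPLE_NETSTAT" "$SAMPLE_RULES_DROP"   # both
```

On the poster's server the first sample is exactly the situation in the thread: the ACCEPT rule for 9090 is in place but nothing listens, so the port is closed regardless of iptables, and the next step is the application, not the firewall. The temporary listener anomie suggests in #5 is a quick way to confirm the rule from the outside: start netcat listening on 9090 on the server (the exact flags differ between netcat flavours), rescan, and the state should move from closed to open. Also note that an unprivileged nmap falls back to a connect scan, where the kernel turns an ICMP port-unreachable into "connection refused" and nmap reports closed rather than filtered, so the scan type matters when reading the result.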
