Iptables on CentOS 7 rejects SSH and WHM connections - ssh

I installed CentOS 7 and cPanel, disabled/masked firewalld, and installed and enabled iptables. As soon as I enabled iptables, I was disconnected from WHM and SSH. When I disable iptables in rescue mode, I can connect to the server via SSH and WHM.
I checked the rules in /etc/sysconfig/iptables, but there is no rule that rejects access to the SSH or WHM ports.
My next step was to install CSF.
Any idea how to fix it?

The quick solution to get rid of the issue is flushing all the iptables rules with the command
iptables -F
However, since you want to keep iptables running, you will have to configure it to open the required ports with the command
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
22 is for SSH; in the same way you will have to open the other ports.
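An added check for the rule-ordering pitfall behind this question (example code written for this page, not from the answer above). iptables evaluates a chain top to bottom, and the stock /etc/sysconfig/iptables shipped by iptables-services ends the INPUT chain with a catch-all -A INPUT -j REJECT --reject-with icmp-host-prohibited, so an ACCEPT appended with -A lands below that REJECT and is never reached; the rule has to be inserted above it (-I) or the file regenerated in the right order. check_rules flags ACCEPT rules that sit below a catch-all in a saved rule file, and gen_ruleset prints a complete iptables-restore file that opens the given TCP ports before the final REJECT. The port 2087 (WHM over HTTPS) is an assumed cPanel default, and the sample rule file is constructed.

```shell
#!/bin/sh
# Added example for this page (not code from the thread). Rule-ordering check
# and generator for an iptables-restore file. Assumptions: port 2087 is the
# WHM HTTPS port (cPanel default); the sample rule file below is constructed.

# check_rules FILE: print INPUT-chain ACCEPT rules that appear *after* a
# catch-all "-A INPUT -j REJECT|DROP" in an iptables-save style file.
# Such rules are never reached. Returns 1 if any were found, else 0.
check_rules() {
    awk '
        BEGIN { bad = 0; catchall = 0 }
        /^-A INPUT / {
            if (catchall && $0 ~ /-j ACCEPT/) { print "shadowed: " $0; bad = 1 }
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) catchall = 1
        }
        END { exit bad }
    ' "$1"
}

# gen_ruleset PORT...: print a complete filter table that keeps loopback and
# established traffic, opens the given TCP ports for new connections, and
# only then rejects everything else. The DROP policy is a safety net in case
# the final REJECT line is ever edited away.
# Load with:  iptables-restore < FILE     persist on CentOS 7:  service iptables save
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf -- '-A INPUT -p tcp -m conntrack --ctstate NEW --dport %s -j ACCEPT\n' "$port"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Constructed sample: the stock layout with an ACCEPT for 2087 appended (-A)
# below the catch-all REJECT, which is exactly what "iptables -A ... ACCEPT"
# produces when the catch-all is already present.
BAD_FILE=$(mktemp)
GOOD_FILE=$(mktemp)
trap 'rm -f "$BAD_FILE" "$GOOD_FILE"' EXIT
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
    '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
    '-A INPUT -p tcp --dport 2087 -j ACCEPT' \
    'COMMIT' > "$BAD_FILE"
gen_ruleset 22 2087 > "$GOOD_FILE"

echo "== appended-after-REJECT file"
check_rules "$BAD_FILE" || echo "   -> insert above the REJECT (iptables -I INPUT ...) or regenerate the file"
echo "== generated file"
check_rules "$GOOD_FILE" && echo "   ok: every ACCEPT sits above the catch-all REJECT"
```

When loading a generated file over a remote session, the SSH port must be among the arguments to gen_ruleset, otherwise the same lock-out the second thread warns about happens the moment iptables-restore runs; running check_rules on /etc/sysconfig/iptables after service iptables save is a cheap way to confirm nothing got appended below the catch-all.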

Related

How to configure ssh to listen to private network IP address?

I have a system with CentOS 7 installed, and on a second system I have Windows 10. Both machines are connected to a private network. Now I want to access the CentOS machine remotely over SSH.
I checked the IP address of my Windows machine, and then I edited the
/etc/ssh/sshd_config
file on the CentOS system with the following entry
ListenAddress <Ip_address_of_window_machine>
But when I restart the SSH service using the following command
systemctl restart sshd.service
I get the following error
bind to port 22 on <ip-address> failed. cannot assign requested address
But when I configure the entries like this
ListenAddress 0.0.0.0
ListenAddress [::]
it works fine. But I want to bind my SSH to just a particular IP address.
The ListenAddress configuration option tells the sshd process to bind to a specific network interface on the server. If you want to restrict access to a CentOS host, then you need to use a firewall. Though firewalld is the proper way to go (with zones and so on), good old iptables will do the job:
sudo iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j REJECT
where a.b.c.d is the IP address of the Windows host.
NOTICE: By configuring a firewall over the network you can easily lock yourself out!
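An added preflight for the ListenAddress problem in this question (example code for this page, not from the answer above). sshd can only bind addresses that exist on the host, and sshd -t only checks syntax and keys, so a syntactically valid but non-local address surfaces only when sshd actually binds at restart, possibly with the admin's own session going down. The script extracts every ListenAddress from a config file in its plain, addr:port and [addr]:port forms, accepts the wildcards, and reports any address missing from a list of local addresses. The sample config and the local-address list are constructed; on a real host the list would come from ip -o addr show as shown in the comment.

```shell
#!/bin/sh
# Added example for this page (not from the thread). Check that every
# ListenAddress in an sshd_config is an address this host actually owns.
# The sample config and local-address list below are constructed.

# listen_addrs CONFIG: print one bare address per ListenAddress directive,
# stripping the optional port in both "addr:port" and "[addr]:port" forms.
# Commented-out directives (#ListenAddress ...) are ignored.
listen_addrs() {
    awk '
        tolower($1) == "listenaddress" {
            v = $2
            if (v ~ /^\[/) { sub(/^\[/, "", v); sub(/\].*$/, "", v) } else if (v ~ /^[0-9.]+:[0-9]+$/) { sub(/:[0-9]+$/, "", v) }
            print v
        }
    ' "$1"
}

# check_listen CONFIG "ADDR ADDR ...": exit 1 and name each ListenAddress that
# is neither a wildcard (0.0.0.0, ::) nor one of the given local addresses.
check_listen() {
    listen_addrs "$1" | awk -v locals="$2" '
        BEGIN {
            bad = 0
            n = split(locals, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok["0.0.0.0"] = 1; ok["::"] = 1
        }
        !($1 in ok) { print "not a local address: " $1; bad = 1 }
        END { exit bad }
    '
}

# On a real host the local list comes from the kernel, e.g.:
#   LOCAL=$(ip -o addr show | awk '{print $4}' | cut -d/ -f1 | tr '\n' ' ')
LOCAL="127.0.0.1 192.168.1.10 ::1 fe80::1"      # constructed

CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# constructed sshd_config fragment: the first ListenAddress is the *other*
# machine's address, the mistake made in the question
Port 22
ListenAddress 192.168.1.50
#ListenAddress 10.0.0.1
ListenAddress 192.168.1.10:22
ListenAddress [fe80::1]:22
ListenAddress [::]
EOF

check_listen "$CFG" "$LOCAL" || echo "   -> remove that directive; restrict clients with a firewall rule instead"
```

Run it as check_listen /etc/ssh/sshd_config "$LOCAL" before systemctl restart sshd; a non-zero exit means the restart would fail with the bind error from the question.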

Migrating from iptables to firewalld settings with ansible in CentOS 7

I'm setting up a new Redis cluster on my web servers, and until now I have been adding some chain rules through the iptables settings, but now I'm switching to deploying automatically through Ansible.
My iptables rules look like this:
1 iptables -N REDIS
2 iptables -A REDIS -s 10.0.1.11 -j ACCEPT ## Master server
3 iptables -A REDIS -s 10.0.1.10 -j ACCEPT ## Slave 01/03
4 iptables -A REDIS -j LOG --log-prefix "unauth-redis-access"
5 iptables -A REDIS -j REJECT --reject-with icmp-port-unreachable
6 iptables -I INPUT -p tcp --dport 6379 -j REDIS
In this way, I have to manually add rule #3 for each slave server (currently there are only 3 slave servers, but there are going to be many more at some point, so I'm planning on deploying it automatically through Ansible).
And the Ansible config that I've set up looks like this:
- name: Redis service
  tags: ['redis']
  firewalld:
    service=redis
    zone=internal
    state=enabled
    permanent=yes
- name: Redis connections
  tags: ['redis']
  firewalld:
    source=10.0.1.0/24
    port=6379/tcp
    zone=internal
    state=enabled
    permanent=yes
  notify: restart redis
I'm using my web servers' subnet as the source, or should I list each web server's IP as a source?
Although when I deploy the Ansible configuration, it doesn't work at all. Using iptables works just fine, but I have to switch to firewalld due to the dev-env issues mentioned above.
Any ideas?
Try adding immediate=yes or add a service handler to reload firewalld.
Using firewalld with permanent=yes only changes the configuration files; it doesn't install the iptables rules.
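The failure mode in this answer, as an added example (written for this page, not the asker's playbook or the Ansible module's code): firewalld keeps a runtime configuration and a permanent one, and a change made with --permanent alone, which is what permanent=yes without immediate=yes amounts to, is not active until the next reload. The functions below add the Redis rich rule for each allowed source to both stores, which is what immediate=yes does in the module, and check_sync diffs the runtime and permanent rich-rule lists so a half-applied change is visible. firewall-cmd is read from $FW so it can be pointed at echo for a dry run, as the last line does; the zone name, port and source addresses are the ones from the question.

```shell
#!/bin/sh
# Added example for this page (not from the thread or the Ansible module).
# Apply a firewalld rich rule to BOTH the runtime and permanent configuration
# and verify the two stores agree. FW defaults to firewall-cmd; set FW=echo
# to see the commands without root or firewalld (the dry run below does).
FW=${FW:-firewall-cmd}
ZONE=${ZONE:-internal}

# redis_rule SOURCE: the rich-rule text for one allowed client (port 6379 as
# in the question). Listing each client, rather than the whole /24, keeps the
# allow list as tight as the original iptables REDIS chain.
redis_rule() {
    printf 'rule family="ipv4" source address="%s" port port="6379" protocol="tcp" accept' "$1"
}

# allow_redis SOURCE...: add the rule for each source to the permanent store
# (survives reload) and to the runtime store (takes effect now). Doing only
# the first is the permanent=yes-without-immediate=yes mistake.
allow_redis() {
    for src in "$@"; do
        rule=$(redis_rule "$src")
        "$FW" --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
        "$FW" --zone="$ZONE" --add-rich-rule="$rule" || return 1
    done
}

# check_sync: exit non-zero and show the diff if the runtime and permanent
# rich rules for the zone differ, i.e. something was added to only one store.
check_sync() {
    rt=$(mktemp); pm=$(mktemp)
    "$FW" --zone="$ZONE" --list-rich-rules | sort > "$rt"
    "$FW" --permanent --zone="$ZONE" --list-rich-rules | sort > "$pm"
    diff "$rt" "$pm"
    rc=$?
    rm -f "$rt" "$pm"
    return $rc
}

# Dry run with the master and one slave from the question: prints the four
# firewall-cmd invocations (two per source) instead of executing them.
(FW=echo; allow_redis 10.0.1.11 10.0.1.10)
```

On the server the same script runs as root with FW unset; check_sync after a deployment is the quick way to tell whether a task that used only permanent=yes left the runtime configuration behind, and firewall-cmd --reload brings the two back in line.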

SSH reverse tunnel not working for webserver

I have a webapp running on a Raspberry Pi, which is behind a NAT, and I'm trying to make a tunnel to the company's server so that I can access it from the web. Right now I've been able to establish a tunnel using ssh -fN -R 192.168.0.28:54321:localhost:443 username@192.168.0.28 (both the server and the RPi are in the same LAN at the time), and doing curl -k https://192.168.0.28:54321 returns the contents of the webpage hosted on the RPi, but only if I do it from the server. I have set GatewayPorts yes and AllowTcpForwarding yes (which is the default anyway).
It was the firewall on the server blocking the port. ¬¬
To open said port, the command is sudo iptables -I INPUT -p tcp --dport 54321 -j ACCEPT, which says that any connection coming to TCP port 54321 must be accepted.
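An added diagnostic for the two reasons a remote-forwarded port like the one in this question can be unreachable from other hosts (example written for this page, not from the answer above). By default sshd binds -R listeners to the loopback address, so no firewall rule helps until GatewayPorts is changed (yes forces the wildcard address, clientspecified honours the address given in -R); a listener that is on 0.0.0.0 or an interface address and still unreachable points at the firewall, which is what this answer found. bind_scope classifies the listening socket for a port from ss -tln output; the ss output below is constructed, and on the server the real input is the live ss -tln.

```shell
#!/bin/sh
# Added example for this page (not from the thread). Tell "sshd bound the
# forwarded port to loopback" apart from "the port is open but filtered"
# by classifying the listening socket for a port in `ss -tln` output.
# The ss output below is constructed; on the server:  ss -tln | bind_scope 54321

# bind_scope PORT: reads ss -tln output on stdin and prints one of
#   loopback  - bound to 127.0.0.1 / [::1] only: GatewayPorts is the problem
#   all       - bound to 0.0.0.0 / [::] / *: reachable unless the firewall drops it
#   specific  - bound to one interface address: same, check the firewall
#   none      - nothing listens on PORT: the ssh -R session is not up
# Exit status is 0 for all/specific and 1 otherwise so it can gate a script.
bind_scope() {
    awk -v port="$1" '
        BEGIN { kind = "" }
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)      # drop the :port suffix
            p = $4;    sub(/^.*:/, "", p)              # keep only the port
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "[::1]") { if (kind == "") kind = "loopback" }
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") kind = "all"
            else kind = "specific"
        }
        END {
            if (kind == "") kind = "none"
            print kind
            ok = (kind == "all" || kind == "specific")
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed ss -tln output: sshd on all addresses, a -R forward that landed
# on loopback (GatewayPorts no), and a service bound to one LAN address.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:54321     0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    192.168.0.28:8443   0.0.0.0:*'

for port in 54321 22 8443 9999; do
    printf 'port %-5s -> ' "$port"
    printf '%s\n' "$SS_SAMPLE" | bind_scope "$port" || true
done
```

Only when bind_scope reports all or specific is the iptables -I INPUT rule from the answer the right fix; for loopback the change belongs in sshd_config, and for none the tunnel itself has to be re-established first.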

Configuring IP Tables

I want to make sure that the only network traffic on my Linux CentOS server is my own.
All my server runs is a Tomcat instance with one servlet. This servlet takes a parameter, which is a URL to download. It downloads from that URL and passes the contents back to the calling program through the usual HTTP response.
I want to block all network traffic to this server except
1) Ability to ssh
2) Ability to download from host abc.xyz.com
3) Ability for server with IP 111.222.333.444 to download from me
Can someone please tell me the commands to do this in iptables? I tried finding this out myself but I was a bit out of my depth with the lingo.
Thanks
Configuring a firewall is simple: first of all, select which ports you want to be open.
For example, web server ports:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
For example, the SSH port:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
In any case, your server is able to download files from other servers/hosts.
3) Ability for server with IP 111.222.333.444 to download from me
I suppose that must be port 80 (or whichever port the server is downloading from) if you're uploading files to your website.
After these steps you need to check whether the firewall is configured right:
iptables -L -n
If it looks good, then you are able to save your iptables rules and restart the service.
If there is any problem configuring your firewall, please let me know.

Open port 5900 via the command line?

I am running Fedora 18 with KDE. I opened port 5900 via the GUI yesterday and was using VNC just fine, but then I tried to open the port for SMTP via a couple of different methods and now the VNC connection is "closing unexpectedly."
That's a vague error, but I'm thinking it is a firewall issue. The problem is that I don't have any graphical way to access the firewall now, just via ssh. I tried adding an iptables line, iptables -A INPUT -p tcp --dport 5900 -j ACCEPT, but that didn't seem to make a difference, and when I tried iptables --List there was nothing that appeared to be about port 5900. Did I get the iptables line wrong? Should it be OUTPUT instead of INPUT? -I instead of -A? udp instead of tcp?
I would also like to know why "iptables --List" did not seem to have anything about port 5900 in it. Is it possible that Fedora 18 no longer uses iptables?
Anyone have suggestions? It's been hours since I've had GUI access and I'm getting desperate... :-)
/sbin/service iptables restart
was the missing ingredient to this puzzle. For some reason /sbin/service firewall restart did not work...
Did you save the iptables rules before you restarted them, with the following?
/sbin/service iptables save
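An added drift check matching this exchange (example code for this page, not from the thread). With the iptables service on Fedora or CentOS, iptables -A changes only the running kernel rules, service iptables save writes them to /etc/sysconfig/iptables, and service iptables restart discards the running rules and reloads that file. A rule that exists in only one of the two places therefore either disappears at the next restart or is not active now, which is the kind of confusion this question ran into. rules_diff normalizes both sides (dropping comment lines and packet counters) and lists rules present on one side only. Both inputs are constructed samples; on a host they would be the output of iptables-save and the saved file.

```shell
#!/bin/sh
# Added example for this page (not from the thread). Compare the running
# iptables rules (iptables-save output) with the saved rule file so that
# unsaved runtime rules, and saved rules that are not loaded, are visible.
# Real usage:  iptables-save > /tmp/running
#              rules_diff /tmp/running /etc/sysconfig/iptables
# The two samples below are constructed.

# normalize FILE: strip comment lines (timestamps) and the [pkts:bytes]
# counters so the comparison is about rules, not traffic.
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" | sort
}

# rules_diff RUNNING SAVED: print "runtime-only" / "saved-only" lines and
# return 1 if the two differ, 0 if they match.
rules_diff() {
    r=$(mktemp); s=$(mktemp)
    normalize "$1" > "$r"
    normalize "$2" > "$s"
    comm -23 "$r" "$s" | sed 's/^/runtime-only (lost on restart): /'
    comm -13 "$r" "$s" | sed 's/^/saved-only (not active now):   /'
    rc=0
    cmp -s "$r" "$s" || rc=1
    rm -f "$r" "$s"
    return $rc
}

RUNNING=$(mktemp); SAVED=$(mktemp)
trap 'rm -f "$RUNNING" "$SAVED"' EXIT
# Running rules: 5900 was added with iptables -A and never saved.
cat > "$RUNNING" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [999:88888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
EOF
# Saved file: an SMTP rule was written here but never loaded.
cat > "$SAVED" <<'EOF'
# constructed /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

rules_diff "$RUNNING" "$SAVED" || echo "-> 'service iptables save' keeps the runtime rules; 'service iptables restart' loads the file instead"
```

Running rules_diff before service iptables restart, as this answer asked, shows exactly which rules the restart will throw away; an empty diff means save and restart are interchangeable.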