iptables issue centos 6 - is my port open? - iptables

I've entered some rules into IPtables on CentOS 6. But when I run 'service iptables status' I get a different result than when I go 'iptables -L'.
I need to open up port 1270 on this machine.
This is what I see when I go 'service iptables status'
[root#server01 sysconfig]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 /* 000 reject all icmp requests */ reject-with icmp-port-unreachable
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 001 accept all to lo interface */
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 002 accept related established rules */ state RELATED,ESTABLISHED
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 22 /* 100 allow ssh access */
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 443,8443 /* 110 allow https access */
6 ACCEPT tcp -- 10.1.190.65 0.0.0.0/0 tcp dpt:1556
7 ACCEPT tcp -- 10.1.190.65 0.0.0.0/0 tcp dpt:13782
8 ACCEPT tcp -- 10.1.190.65 0.0.0.0/0 tcp dpt:13724
9 ACCEPT tcp -- 10.48.131.220 0.0.0.0/0 tcp dpt:1556
10 ACCEPT tcp -- 10.48.131.220 0.0.0.0/0 tcp dpt:13782
11 ACCEPT tcp -- 10.48.131.220 0.0.0.0/0 tcp dpt:13724
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5222
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5269
16 ACCEPT tcp -- 10.36.16.25 0.0.0.0/0 tcp dpt:1270
17 ACCEPT tcp -- 10.36.16.26 0.0.0.0/0 tcp dpt:1270
18 ACCEPT tcp -- 10.36.16.37 0.0.0.0/0 tcp dpt:1270
19 ACCEPT tcp -- 10.36.16.31 0.0.0.0/0 tcp dpt:1270
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
And this is what I see when I go iptables -L
[root#server01 sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT icmp -- anywhere anywhere /* 000 reject all icmp requests */ reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere /* 001 accept all to lo interface */
ACCEPT all -- anywhere anywhere /* 002 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport ports ssh /* 100 allow ssh access */
ACCEPT tcp -- anywhere anywhere multiport ports https,pcsync-https /* 110 allow https access */
ACCEPT tcp -- 10.1.190.65 anywhere tcp dpt:veritas_pbx
ACCEPT tcp -- 10.1.190.65 anywhere tcp dpt:bpcd
ACCEPT tcp -- 10.1.190.65 anywhere tcp dpt:vnetd
ACCEPT tcp -- uawscdap0000.us.companyworld.company.com anywhere tcp dpt:veritas_pbx
ACCEPT tcp -- uawscdap0000.us.companyworld.company.com anywhere tcp dpt:bpcd
ACCEPT tcp -- uawscdap0000.us.companyworld.company.com anywhere tcp dpt:vnetd
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xmpp-server
ACCEPT tcp -- abckpap6181.us.companyworld.company.com anywhere tcp dpt:opsmgr
ACCEPT tcp -- abckpap6182.us.companyworld.company.com anywhere tcp dpt:opsmgr
ACCEPT tcp -- abcepap6782.us.companyworld.company.com anywhere tcp dpt:opsmgr
ACCEPT tcp -- abcepap6783.us.companyworld.company.com anywhere tcp dpt:opsmgr
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So, is port 120 open on this machine or not? Why am I see a difference between the two commands?


Port 1270 is open as you can see bellow:
16 ACCEPT tcp -- 10.36.16.25 0.0.0.0/0 tcp dpt:1270
17 ACCEPT tcp -- 10.36.16.26 0.0.0.0/0 tcp dpt:1270
18 ACCEPT tcp -- 10.36.16.37 0.0.0.0/0 tcp dpt:1270
19 ACCEPT tcp -- 10.36.16.31 0.0.0.0/0 tcp dpt:1270
but it's limited to those 4 ip addresses.
The output is different since service iptables status shows the iptables output using numeric format for ip addresses and ports while using iptables -L doesn't do that. If you want to get a similar ouput try iptables -nL
I would also issue a netstat -tunlp | grep 1270 just to be sure that there is some service/program/app actually listening to that port

Related

ssh from guest to kvm host

I have a kvm server where the guest vm's get internet acces due to a bridge. I would like to access the host from a guest vm by ssh but get a "port 22: Connection refused", altough i can ping the host on all ip's.
brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.52540097d680 yes virbr0-nic
vnet0
vnet1
vnet2
All traffic for the bridge is been forwarded with POSTROUTING in uptables on the host.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
How can i set up a ssh connection from the guest to the host?
Edit:
Chain INPUT (policy DROP)
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
Should accept all
Edit2:
iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x2B
Badflags tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
Firewall icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpt:137
Rejectwall all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain Badflags (11 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix "Badflags: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain Firewall (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain Rejectwall (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

when testing apache if running, no response from site

I'm trying to install LAMP.
I followed the instructions here.
I'm stuck at installing apache/httpd
I've installed apache/httpd in a ssh server. When trying to check if apache is okay, which is opening a web browser and input the ip address, it would show that "This site cannot be reached".
What suppose could be the problem?
here is the local firewall config
Chain INPUT (policy DROP 142 packets, 7398 bytes)
pkts bytes target prot opt in out source destination
2492 218K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
34 2040 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2202
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2364 packets, 225K bytes)
pkts bytes target prot opt in out source destination

port 80 is open but Iptables prevents Apache connections

I've been having trouble connecting via a web browser to server that runs Apache. I've discovered that by stopping the iptables service, I can then connect to and load a web page from the server. However, i don't understand what I'm missing in my iptbales rules, as I've already opended up port 80.
Can anyone see anything here that could be causing any issues?
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
-A FORWARD_IN_ZONES -i eno1 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eno1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EDIT***
Here is the output of iptables -nvL as requested by Bogdan Stoica:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 396 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
22 1520 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
16 2177 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
16 2177 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
16 2177 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
16 2177 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 21 packets, 3720 bytes)
pkts bytes target prot opt in out source destination
21 3720 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- eno1 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * eno1 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
16 2177 IN_public all -- eno1 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
16 2177 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
16 2177 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
16 2177 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

I can't really follow because you have so many chains (and I do not know for sure what each chain is supposed to but... In can guess though but my guessing might be wrong). As a basic rule you should have:
1) the default policy is DROP and then you allow strictly what you need
2) try updating your allow rules as follows:
iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A IN_public_allow -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
It looks like a misconfiguration:
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
Basically you do not define a policy for those chains. I would reconfigure the firewall entirely. You have to put everyting on paper from the start, what chains do you need, why you need them, what policies each chain is supposed to have an so on. Then you can create rules and add them to their specific chains

Opening ssh access to virtual machine using iptables

I wrote the follwing iptables rules. but there is one problem. I can't ssh to my vmware machine. how can I handle it?
#!/bin/bash
ip=`hostname -I| awk '{print $1}'`
LOOP=127.0.0.1
if=eth0
# Clear any previous rules.
iptables -F
# Default drop policy.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i $if -s $LOOP -j DROP
iptables -A FORWARD -i $if -s $LOOP -j DROP
iptables -A INPUT -i $if -d $LOOP -j DROP
iptables -A FORWARD -i $if -d $LOOP -j DROP
# Drop any tcp packet that does not start a connection with a syn flag.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -m comment --comment "Dropping any tcp packet that doesn't start a connection with a syn flag!"
# Drop any invalid packet that could not be identified.
iptables -A INPUT -m state --state INVALID -j DROP
# Drop invalid packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
#Allow working on localhost
iptables -A INPUT -i lo -s $LOOP -d $LOOP -j ACCEPT
iptables -A OUTPUT -o lo -s $LOOP -d $LOOP -j ACCEPT
#Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#Openning outgoing trafic
iptables -A OUTPUT -o $if -s $ip -j ACCEPT
iptables -A INPUT -i $if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $if -s x.x.x.x -j ACCEPT #The ip of my local virtual machine
iptables -A OUTPUT -o $if -m state --state ESTABLISHED,RELATED -j DROP
Also result of:
$ sudo iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW /* Dropping any tcp packet that doesn't start a connection with a syn flag! */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
14 3687 ACCEPT all -- lo * 127.0.0.1 127.0.0.1
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
808 280K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * x.x.x.x 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
Chain OUTPUT (policy DROP 7 packets, 420 bytes)
pkts bytes target prot opt in out source destination
14 3687 ACCEPT all -- * lo 127.0.0.1 127.0.0.1
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
1087 167K ACCEPT all -- * eth0 y.y.y.y 0.0.0.0/0
0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
update
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
9 3427 ACCEPT all -- lo * 127.0.0.1 127.0.0.1
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
751 418K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * x.x.x.x 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
Chain OUTPUT (policy DROP 7 packets, 420 bytes)
pkts bytes target prot opt in out source destination
9 3427 ACCEPT all -- * lo 127.0.0.1 127.0.0.1
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
795 152K ACCEPT all -- * eth0 y.y.y.y 0.0.0.0/0

Open incoming connections to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
The ESTABLISHED,RELATED rule (which you already have) should sort out the rest.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Symantec Backup Exec 11d RALUS Communications Error [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I'm trying to do a file system backup of a RedHat Enterprise Linux v4 server using Symantec Backup Exec 11d (Rev 7170). The backup server is Windows Server 2003.
I can browse the target server to create a selection list, and when I do a test run it completes successfully.
However, when I run a real backup, the job fails immediately during the "processing" phase with the error:
e000fe30 - A communications failure has occured.
I've tried opening ports (10000, 1025-9999), etc. But no joy. Any ideas?

Sure sounds like firewall issues. Try stopping iptables, and running again. Also, RALUS can dump a log file - which may give some more to go on.
I use the older UNIX agent myself, which uses port 6101 IIRC - but I believe that the newer client uses tcp/10000 for control and 1024-65535 for transfer.
Last resort is to fire up a network sniffer. ;)

To clarify the answer, the solution was to open up the tcp ports from 1024-65535.
The iptables looked liked this:
[root#MYSERVER ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5801
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5802
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5804
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5901
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5902
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5904
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9099
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1025
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
I executed this command to add the new rule:
[root#MYSERVER ~]# iptables -I RH-Firewall-1-INPUT 14 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
Then they looked like this:
[root#MYSERVER ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5801
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5802
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5804
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1025:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5901
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5902
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5904
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9099
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1025
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Save the iptables when you've verified that it works:
[root#MYSERVER ~]# service iptables save