Unable to connect to Postgres via PHP but can connect from command line and PgAdmin on different machine - apache

I've had a quick search around (about 30 minutes) and tried a few bits, but nothing seems to work. Also please note I'm no Linux expert (I can do most basic stuff, simple installs, configurations etc) so some of the config I have may be obviously wrong, but I just don't see it! (feel free to correct any of the configs below)
The Setup
I have a running instance of PostgreSQL 9.3 on a Red Hat Enterprise Linux Server release 7.1 (Maipo) box. It's also running SELinux and IPTables.
IPTables config (added in 80, 443 and 5432.. and also 22, but that was done before...)
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
PostgreSQL pg_hba.conf (deleted all comments)
# TYPE DATABASE USER ADDRESS METHOD
local all all ident
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 0.0.0.0/0 md5
postgresql.conf (only changed the listen address)
listen_addresses = '*'
Setup new users
$ sudo -u postgres /usr/pgsql-9.3/bin/createuser -s "pgadmin"
$ sudo -u postgres /usr/pgsql-9.3/bin/createuser "webuser"
$ sudo -u postgres psql
postgres=# ALTER ROLE "pgadmin" WITH PASSWORD 'weakpassword';
ALTER ROLE
postgres=# ALTER ROLE "webuser" WITH PASSWORD 'anotherweakpassword';
ALTER ROLE
postgres=# \q
Test connection
psql -U [pgadmin|webuser] -h [localhost|127.0.0.1|hostname] -W postgres
Password for user [pgadmin|webuser]: [weakpassword|anotherweakpassword]
psql (9.3.7)
Type "help" for help.
postgres=# \q
As you can see, I tested 127.0.0.1, localhost and the hostname on the command line to make sure I could connect using all three identifiers with both accounts.
I've also connected using PgAdmin from my windows box, and it connects using the hostname and ip address using both users.
The problem...
The problem comes when I try to connect from PHP via Apache (it doesn't happen if I run the same script on the command line)
PHP Test Script
<?php
error_reporting( E_ALL );
ini_set('display_errors', '1');

$conn1 = pg_connect("host='localhost' port='5432' user='pgadmin' password='weakpassword' dbname='postgres'");
$conn2 = pg_connect("host='127.0.0.1' port='5432' user='pgadmin' password='weakpassword' dbname='postgres'");
$conn3 = pg_connect("host='localhost' port='5432' user='webuser' password='anotherweakpassword' dbname='postgres'");
$conn4 = pg_connect("host='127.0.0.1' port='5432' user='webuser' password='anotherweakpassword' dbname='postgres'");

$status1 = pg_connection_status( $conn1 );
$status2 = pg_connection_status( $conn2 );
$status3 = pg_connection_status( $conn3 );
$status4 = pg_connection_status( $conn4 );

# Check connection
if (
    $status1 === false || $status1 === PGSQL_CONNECTION_BAD ||
    $status2 === false || $status2 === PGSQL_CONNECTION_BAD ||
    $status3 === false || $status3 === PGSQL_CONNECTION_BAD ||
    $status4 === false || $status4 === PGSQL_CONNECTION_BAD
)
{
    throw new Exception("I'm broken");
}

# Do a query
$res1 = pg_query( $conn1, "SELECT * FROM pg_type LIMIT 1" );
$res2 = pg_query( $conn2, "SELECT * FROM pg_type LIMIT 1" );
$res3 = pg_query( $conn3, "SELECT * FROM pg_type LIMIT 1" );
$res4 = pg_query( $conn4, "SELECT * FROM pg_type LIMIT 1" );

# Test one result.
$row1 = pg_fetch_row($res1);
$row2 = pg_fetch_row($res2);
$row3 = pg_fetch_row($res3);
$row4 = pg_fetch_row($res4);

echo $row1[0] . "\n";
echo $row2[0] . "\n";
echo $row3[0] . "\n";
echo $row4[0] . "\n";
On the command line I get the following output (as expected)
bool
bool
bool
bool
But in the browser I get the following
Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432? could not connect to server: Permission denied Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? in /var/www/html/test.php on line 6
Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432? in /var/www/html/test.php on line 7
Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432? could not connect to server: Permission denied Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? in /var/www/html/test.php on line 8
Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5432? in /var/www/html/test.php on line 9
Fatal error: Uncaught exception 'Exception' with message 'I'm broken' in /var/www/html/test.php:25 Stack trace: #0 {main} thrown in /var/www/html/test.php on line 25
I've got a feeling it's something to do with IPTables not allowing the connection when it comes through Apache for some reason, but I'm stumped (I bet it's stupidly simple).
I think that covers everything...
Help me Stack Overflow, you're my only hope!

OK... Answered... Was a problem with SELinux. Needed to run the following....
setsebool -P httpd_can_network_connect_db on
Also if you need to check if SELinux is causing issues it can be turned off with the following
setenforce 0
Then once finished
setenforce 1
Anyways, done... onwards!
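The "Permission denied" that libpq reports here is the EACCES that SELinux returns when httpd_t is not allowed to name_connect to postgresql_port_t, and the matching AVC record is in the audit log. Rather than dropping the whole host to permissive with setenforce 0, the record itself tells you which narrow boolean to flip. The script below is an added example and is not code from the original post: it pulls the fields out of AVC lines (in production, the output of `ausearch -m AVC -c httpd`, or `grep 'avc:  denied' /var/log/audit/audit.log`) and maps the target port type to the narrowest httpd boolean. The four audit records are constructed for this example; the boolean mapping covers only the cases the author is certain of and falls back to the broad httpd_can_network_connect for anything else.

```shell
#!/bin/sh
# Added example, not from the original post: turn SELinux AVC denials for
# httpd into a concrete boolean to enable, instead of running setenforce 0.
# In production the lines come from: ausearch -m AVC -c httpd
# The four records below are constructed and follow the standard AVC layout.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1434567890.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1434567891.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1434567892.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1434567893.012:459): avc:  denied  { read } for  pid=1234 comm="httpd" name="test.php" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of KEY=... in LINE (surrounding quotes removed)
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# suggest_boolean PORT_TYPE -> narrowest httpd boolean that permits the connect.
# Only booleans whose purpose is exactly this are mapped; everything else falls
# back to httpd_can_network_connect, which opens *all* outbound TCP for httpd
# and should be a last resort.
suggest_boolean() {
  case "$1" in
    postgresql_port_t|mysqld_port_t) echo httpd_can_network_connect_db ;;
    memcache_port_t)                 echo httpd_can_network_memcache ;;
    *)                               echo httpd_can_network_connect ;;
  esac
}

# triage_httpd_denials LOG_TEXT -> one line per tcp_socket name_connect denial
# whose source domain is httpd_t: "dest=<port> type=<port type> boolean=<name>"
triage_httpd_denials() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in *'avc:  denied  { name_connect }'*) ;; *) continue ;; esac
    [ "$(avc_field "$line" tclass)" = tcp_socket ] || continue
    [ "$(context_type "$(avc_field "$line" scontext)")" = httpd_t ] || continue
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    printf 'dest=%s type=%s boolean=%s\n' \
      "$(avc_field "$line" dest)" "$ttype" "$(suggest_boolean "$ttype")"
  done
}

triage_httpd_denials "$SAMPLE_AUDIT_LOG"
```

Once a boolean is named, confirm its state with `getsebool <boolean>` and enable it persistently with `setsebool -P <boolean> on`, which is exactly what the answer above did for httpd_can_network_connect_db. When the target type comes back as unreserved_port_t (a database listening on a non-standard port, say), the right fix is to label the port rather than widen httpd's permissions, e.g. `semanage port -a -t postgresql_port_t -p tcp <port>`. Denials are logged in both enforcing and permissive mode (the permissive= field records which), so diagnosis does not require setenforce 0 at all.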

Related

Can't access RabbitMQ web management interface from external ips

After a fresh install of RabbitMQ server on CentOS 7.7
I can reach the :15672 port from localhost
curl -i http://localhost:15672
HTTP/1.1 200 OK
But I can't reach the web interface from external IPs
curl -i http://serverRemoteIp:15672
curl: (7) Failed connect to serverRemoteIp:15672; Connection timed out
The server is remote, so I need access from remote IPs.
Any idea?
First, yesterday I executed this on my server
sudo iptables -A INPUT -p tcp -m tcp --dport 15672 -j ACCEPT
and the problem continued. Today I ran:
iptables -I INPUT 1 -p tcp --dport 15672 -j ACCEPT
service iptables save
service iptables restart
and it works!!

Remote access to Huawei E3372 WebInterface on headless RaspberryPi

I'm trying to (remotely) connect to the E3372's (Huawei LTE stick) WebInterface...
The E3372 is recognised by my RaspberryPi as "12d1:14dc Huawei Technologies Co., Ltd." - so it seems to be in HiLink-mode. Good.
using
> ifconfig
I see that the stick uses eth1 / 192.126.8.100
and the WebInterface's web-server is supposed to run on 192.168.8.1...
To verify this, on the Pi (from PC using ssh to eth0 with a DHCP-assigned IP-address of 192.168.10.123) I can e.g. query (read) the starting-page of the E3372's WebInterface using:
> curl 192.168.8.1/html/home.html
...so obviously the web-server is up-and-running!
Now I try to forward connections on eth0's port=80 (192.168.10.123:80) to 192.168.8.1:80, so I can then access the WebInterface from an external PC connected to the Pi's eth0; so I:
1) enable ip4-port-forwarding:
> sudo nano /proc/sys/net/ipv4/ip_forward
--> and change the '0' to '1'
2) use iptables to set the appropriate forwarding:
> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.8.1:80
> sudo iptables -A FORWARD -p tcp -d 192.168.8.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Now using a browser on the PC with the URL "http://192.168.10.123" yields (after some seconds): "This site can’t be reached"...
Please help! What's wrong here???
Thanks for helping!

SQL Server linux forwarding

I'm wondering if I could forward SQL queries from localhost to another local IP address?
I don't want to install SQL Server on Linux, but I need to connect to it on another PC through localhost.
Thanks
You can use iptables:
iptables -A FORWARD -p tcp -i eth0 -s localhost -d x.x.x.x --dport 3306 -j ACCEPT
where x.x.x.x is the mysql server ip address, and eth0 is the interface you use.
It seems like you are asking: you are on a Linux machine, you want to query localhost, and have that query forwarded to a SQL Server. In this case the above answer is partially correct and will allow packets to be forwarded but doesn't actually perform the forward/redirect. You also say "SQL Server", which I take to mean MS SQL Server. The default port in this case is listed as 1433. You would actually need two rules:
# iptables -t nat -A PREROUTING -p tcp -i lo -d localhost --dport 1433 -j DNAT --to-destination x.x.x.x # where x.x.x.x is the SQL Server IP address
# iptables -A FORWARD -i lo -p tcp --dport 1433 -j ACCEPT # only if your default FORWARD policy is DROP. Otherwise you just need the prerouting rule.

Allow Redis connections from only localhost?

I'm running Redis on my webserver (Debian/Nginx/Gunicorn) for session storage and have reasons to believe my Redis server is being hacked. It's definitely possible because if I run the command "redis-cli -h (HOST IP)" on a different machine against the web server, I can get into the console and run commands. I have two questions. First, if I add a new section to my iptables files as shown below, will I be correctly blocking access to my Redis server from all machines except the webserver itself? Redis is running on the default port 6379.
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow pings, SSH, and web access
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# NEW SECTION...
# IS THIS CORRECT?
-A INPUT -p tcp --dport 6379 -j DROP
-A INPUT -p tcp -s 127.0.0.1 --dport 6379 -m state --state NEW -j ACCEPT
# END NEW SECTION
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Second, if the above is correct, can I still use 127.0.0.1 in the IPv6 version of my iptables or do I need to use "::1"?
Thanks.
You should be able to do this through the Redis configuration file:
# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1
Modify the redis.conf file:
bind 127.0.0.1 ==>
the Redis instance will accept connections only from localhost
bind 127.0.0.1 xxx.xx.xx.xxx ==>
if you want to accept connections from outside the server, add the IP of the server
#bind 127.0.0.1 ==> commenting this line out will make Redis listen on any network interface
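Both the RabbitMQ post above and the proposed Redis section come down to rule order. In the RabbitMQ case the `-A` appended the 15672 ACCEPT after the final `-j REJECT`, where nothing ever reaches it, and `-I INPUT 1` fixed it by putting it first. In the Redis section, `-A INPUT -p tcp --dport 6379 -j DROP` sits before the `-s 127.0.0.1 --dport 6379 ... -j ACCEPT`, so that ACCEPT can never match (loopback traffic is in fact admitted earlier by the `-i lo -j ACCEPT` at the top, which is why it still works). The checker below is an added example, not code from either post: it walks iptables-save output chain by chain and flags rules that follow an unconditional DROP/REJECT in the same chain, and port-specific rules that an earlier unconditional DROP/REJECT on the same proto/port already covers. The sample ruleset is constructed to reproduce the shapes of the two postings and is not from a real host.

```shell
#!/bin/sh
# Added example, not from either post: find iptables rules that can never
# match because an earlier rule in the same chain already terminated the
# packet. Two heuristics: (1) anything after an unconditional DROP/REJECT in
# that chain is unreachable (the -A vs -I INPUT 1 case); (2) a rule for a
# proto/port that an earlier unconditional DROP/REJECT already covers is
# shadowed (the 6379 DROP placed before its ACCEPT). Input is the format
# printed by iptables-save.

# Constructed sample; it reproduces the shapes of the two postings, not a real
# host's ruleset.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 6379 -j DROP
-A INPUT -p tcp -s 127.0.0.1 --dport 6379 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 15672 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# check_rule_order RULES_TEXT -> one "DEAD ..." line per unreachable rule
check_rule_order() {
  catchall=''   # chains that already hold an unconditional DROP/REJECT
  blocked=''    # "chain:proto:dport" already dropped without any other match
  printf '%s\n' "$1" | while IFS= read -r rule; do
    case "$rule" in -A\ *) ;; *) continue ;; esac
    chain='' target='' proto='' dport='' narrow=0 prev=''
    for tok in $rule; do
      case "$prev" in
        -A)      chain=$tok ;;
        -j)      target=$tok ;;
        -p)      proto=$tok ;;
        --dport) dport=$tok ;;
      esac
      # any of these confines the rule to a subset of traffic, so on its own
      # it cannot shadow a later rule
      case "$tok" in
        -s|-d|-i|-o|--sport|--state|--icmp-type|--mac-source) narrow=1 ;;
      esac
      prev=$tok
    done
    case " $catchall " in *" $chain "*)
      printf 'DEAD (%s: follows an unconditional DROP/REJECT): %s\n' "$chain" "$rule"
      continue ;;
    esac
    if [ -n "$dport" ]; then
      case " $blocked " in *" $chain:$proto:$dport "*)
        printf 'DEAD (%s: %s/%s already dropped above): %s\n' "$chain" "$proto" "$dport" "$rule"
        continue ;;
      esac
    fi
    if [ "$narrow" -eq 0 ]; then
      case "$target" in DROP|REJECT)
        if [ -z "$proto" ] && [ -z "$dport" ]; then
          catchall="$catchall $chain"
        elif [ -n "$dport" ]; then
          blocked="$blocked $chain:$proto:$dport"
        fi ;;
      esac
    fi
  done
}

check_rule_order "$SAMPLE_RULES"
```

Run it as `iptables-save | ...` after any `-A` that "doesn't take effect"; a clean run means every rule is at least reachable, not that the policy is right. On the IPv6 question in the Redis post: ip6tables rules take IPv6 addresses only, so the loopback source there is ::1/128, while a plain `-i lo` match covers both families.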

Setting up iptables for a hostapd wifi login page

I need some custom iptables for a login page of my wifi hotspot on my Raspberry Pi. I want an HTTP login page. This is how it should work, I just don't know how to configure the iptables:
Any connections on an ip address that is not already logged in, should be redirected to the pi's port 8181 (the server for my login page).
Any connections on an ip address that is logged in should be allowed to access the outside internet.
Any connections initially requesting the pi's port 8181 should be allowed.
How should I set this up with iptables?
Thanks!
I've found the following article very helpful when learning iptables:
http://wiki.centos.org/HowTos/Network/IPTables
Basically you can start with something similar to:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
This will block pretty much everything other than SSH, outgoing connections, and connections that were previously established (i.e. from previous outgoing connections).
Once that is in place you need to do the redirection:
http://proghowto.com/iptables-redirect-port-80-to-port-8080
And finally you need to run something like the following for each IP that gets authenticated:
# iptables -A INPUT -s 192.168.0.4 -j ACCEPT
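The answer above gives the lockdown, points at a redirect howto, and then accepts each authenticated IP in INPUT. Note that INPUT only governs packets addressed to the Pi itself; a client's internet-bound traffic traverses FORWARD, and the redirect of unauthenticated HTTP lives in the nat table's PREROUTING chain, so the per-client exemption has to be inserted ahead of the catch-alls in both of those chains. The script below is an added example, not the answer's own commands: a base policy plus authenticate/deauthenticate steps. By default it only prints the iptables commands (dry run); exporting `IPT=iptables` applies them. The interface names wlan0 and eth0 and the portal port 8181 are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original answer): the rule set a login page
# on hostapd needs, split into a base policy and a per-client authenticate
# step. Dry run by default: it prints the iptables commands. Export
# IPT=iptables to really apply them. Interface names are assumptions.
IPT="${IPT:-echo iptables}"
WIFI="${WIFI:-wlan0}"                # hostapd interface, where clients live
WAN="${WAN:-eth0}"                   # uplink to the internet
PORTAL_PORT="${PORTAL_PORT:-8181}"   # the login page server on the Pi

# portal_base_rules: policy for a fresh boot. Unauthenticated clients can reach
# only DHCP, DNS and the portal on the Pi; any HTTP they send elsewhere is
# redirected to the portal; nothing is forwarded until they authenticate.
portal_base_rules() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
  $IPT -A INPUT -i "$WIFI" -p udp --dport 67 -j ACCEPT   # DHCP
  $IPT -A INPUT -i "$WIFI" -p udp --dport 53 -j ACCEPT   # DNS: clients must resolve before the redirect can fire
  $IPT -A INPUT -i "$WIFI" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # unauthenticated HTTP from the Wi-Fi side lands on the portal; appended
  # last so that per-client exemptions inserted at position 1 win
  $IPT -t nat -A PREROUTING -i "$WIFI" -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# portal_authenticate IP: stop redirecting this client and let it be forwarded.
# ACCEPT in the nat PREROUTING chain means "do not NAT this packet"; both rules
# go in at position 1 so they sit ahead of the catch-alls above.
portal_authenticate() {
  $IPT -t nat -I PREROUTING 1 -i "$WIFI" -s "$1" -j ACCEPT
  $IPT -I FORWARD 1 -i "$WIFI" -s "$1" -j ACCEPT
}

# portal_deauthenticate IP: exact reverse, for logout or session expiry
portal_deauthenticate() {
  $IPT -t nat -D PREROUTING -i "$WIFI" -s "$1" -j ACCEPT
  $IPT -D FORWARD -i "$WIFI" -s "$1" -j ACCEPT
}

portal_base_rules
portal_authenticate 192.168.0.4
```

Two caveats a practitioner will hit: only plain HTTP on port 80 is redirected, so HTTPS requests to other sites fail outright instead of showing the login page (REDIRECT would present the wrong certificate), which is why portals depend on the operating systems' HTTP connectivity probes; and a source-IP match alone is trivially spoofed on an open network, so the authenticate rules are normally tightened with `-m mac --mac-source` as well.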