Re: [CentOS] Inquiry:iptables ?
ken wrote:
> On 11/02/2009 09:36 AM Rob Kampen wrote:
>> ken wrote:
>>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>>> Dear All
>>>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>>>> Let me thank you in advance
>>>>
>>>> Edit /etc/sysconfig/iptables
>>>>
>>>> Restart iptables with service iptables restart
>>>>
>>>> Tony
>>>
>>> My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?
>>
>> Yeah, editing directly can be risky; nothing worse than making a change only to find that access to your server just disappeared and you need to get in front of it to reset via the console.
>> I use webmin for most of my edits, only make it accessible from the LAN and not the WAN. You can always tunnel the :1 port via ssh and access securely from a remote location.
>> The webmin console is left open while I test, thus I have not yet tripped up on this though I can imagine it is not foolproof.
>> HTH
>> Rob
>
> Rob,
>
> Sounds like you've thought through the process and have a well-planned strategy for failure-prevention. Cool.
>
> I checked my port 1 (ssh -p 1 ...) and found it not available ("Connection refused"). So in what sense, or how, can I always tunnel it?
>
> tnx.
> ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos

Ken,

I first set up webmin on the server - this listens on port 1 by default (https).
Then from a remote location I can

ssh servername -L 8081:localhost:1

This will capture local port 8081 and tunnel to the remote server port 1.
Then with firefox I enter https://localhost:8081/ and I get the remote server's webmin.

HTH
Rob
Re: [CentOS] Inquiry:iptables ?
On Mon, Nov 2, 2009 at 10:57 AM, ken wrote:
> On 11/02/2009 09:36 AM Rob Kampen wrote:
>> ken wrote:
>>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>>> Dear All
>>>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>>>> Let me thank you in advance
>>>>
>>>> Edit /etc/sysconfig/iptables
>>>>
>>>> Restart iptables with service iptables restart
>>>>
>>>> Tony
>>>
>>> My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?
>>
>> Yeah, editing directly can be risky; nothing worse than making a change only to find that access to your server just disappeared and you need to get in front of it to reset via the console.
>> I use webmin for most of my edits, only make it accessible from the LAN and not the WAN. You can always tunnel the :1 port via ssh and access securely from a remote location.
>> The webmin console is left open while I test, thus I have not yet tripped up on this though I can imagine it is not foolproof.
>> HTH
>> Rob
>
> Rob,
>
> Sounds like you've thought through the process and have a well-planned strategy for failure-prevention. Cool.
>
> I checked my port 1 (ssh -p 1 ...) and found it not available ("Connection refused"). So in what sense, or how, can I always tunnel it?
>
> tnx.

You can use iptables to insert and delete rules in the running instance, and after testing you can save the new set up.

The syntax is:

iptables -I $TABLE_NAME $POS -s $SRC_IPS -m state --state NEW -p tcp --dport 5901 -j ACCEPT

The default TABLE_NAME is "RH-Firewall-1-INPUT" for CentOS.
You can figure out the POS you want by running

iptables -L

which dumps the rules on the screen.
The SRC_IPS are the machine(s) you want to grant access to.

If you mess up, you can just restart iptables and you'll be back to where you were. These changes are not permanent. If you're working remotely, you can set up a cron job to restart iptables at some sensible interval so you won't be locked out until you have physical access to the machine.

Once you're satisfied the new rules are working right, you can use the iptables script in /etc/init.d to save the new config. And don't forget to get rid of the cron job above.

Take a look at iptables-restore and iptables-save, too.

Barry
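The insert, test, then save workflow from Barry's message, written up as an added shell script; it is mine, not code from the thread or from CentOS. It assumes the stock RH-Firewall-1-INPUT chain and the SysV iptables init script (service iptables restart / save), and replaces Barry's cron job with a background sleep timer that reloads the saved ruleset unless commit_rules is called first. IPTABLES, ROLLBACK_CMD, CHAIN and PIDFILE are variable names I introduced so the script can be dry-run with IPTABLES="echo iptables" on a machine without iptables; the address and port in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Insert a rule into the running
# ruleset, arm a timed rollback so a remote admin cannot lock themselves out,
# and persist only after an explicit commit.
# Assumptions: CentOS 5 layout (chain RH-Firewall-1-INPUT) and the SysV
# "iptables" init script. Override IPTABLES="echo iptables" to dry-run.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"
ROLLBACK_CMD="${ROLLBACK_CMD:-service iptables restart}"
PIDFILE="${PIDFILE:-/tmp/iptables-rollback.pid}"

# True for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True for a dotted-quad IPv4 address with an optional /0-32 prefix length.
valid_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr                               # split the octets into $1..$4
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule arguments in the form Barry's post shows, so they can be
# reviewed (or asserted on) before anything touches the kernel.
# $1 = source address/CIDR, $2 = TCP port, $3 = position in the chain (default 1)
rule_args() {
    valid_cidr "$1" || { echo "bad source address: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    printf '%s\n' "-I $CHAIN ${3:-1} -s $1 -m state --state NEW -p tcp --dport $2 -j ACCEPT"
}

# Insert the rule and arm the rollback: unless commit_rules runs within
# $3 seconds (default 300), the saved ruleset is reloaded and the unsaved
# change disappears, which is what Barry's cron job achieves.
open_port_with_rollback() {
    args=$(rule_args "$1" "$2") || return 1
    $IPTABLES $args || return 1                # word splitting of $args is intended
    ( sleep "${3:-300}" && $ROLLBACK_CMD ) >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "rule inserted; run commit_rules within ${3:-300}s to keep it"
}

# Cancel the rollback timer and persist the ruleset with the init script
# ("use the iptables script in /etc/init.d to save").
commit_rules() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    $IPTABLES -L -n >/dev/null || return 1     # sanity check before saving
    service iptables save
}

# Demo with constructed values: VNC display :1 (port 5901, as in the thread)
# reachable only from the documentation range 192.0.2.0/24.
rule_args 192.0.2.0/24 5901
```

The source restriction (-s) is the part worth keeping even when testing: a rule that accepts 5901/tcp from anywhere exposes the VNC service to the whole network the moment it is inserted, whereas scoping it to the admin's range limits the blast radius if the rule is later saved by mistake. Run open_port_with_rollback 192.0.2.0/24 5901 as root, confirm the service is reachable, then commit_rules; if the session drops, the timer restores the saved rules on its own.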
Re: [CentOS] Inquiry:iptables ?
On 11/02/2009 09:36 AM Rob Kampen wrote:
> ken wrote:
>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>> Dear All
>>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>>> Let me thank you in advance
>>>
>>> Edit /etc/sysconfig/iptables
>>>
>>> Restart iptables with service iptables restart
>>>
>>> Tony
>>
>> My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?
>
> Yeah, editing directly can be risky; nothing worse than making a change only to find that access to your server just disappeared and you need to get in front of it to reset via the console.
> I use webmin for most of my edits, only make it accessible from the LAN and not the WAN. You can always tunnel the :1 port via ssh and access securely from a remote location.
> The webmin console is left open while I test, thus I have not yet tripped up on this though I can imagine it is not foolproof.
> HTH
> Rob

Rob,

Sounds like you've thought through the process and have a well-planned strategy for failure-prevention. Cool.

I checked my port 1 (ssh -p 1 ...) and found it not available ("Connection refused"). So in what sense, or how, can I always tunnel it?

tnx.
Re: [CentOS] Inquiry:iptables ?
ken wrote:
> On 10/31/2009 04:10 AM Tony Molloy wrote:
>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>> Dear All
>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>> Let me thank you in advance
>>
>> Edit /etc/sysconfig/iptables
>>
>> Restart iptables with service iptables restart
>>
>> Tony
>
> My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?

Yeah, editing directly can be risky; nothing worse than making a change only to find that access to your server just disappeared and you need to get in front of it to reset via the console.
I use webmin for most of my edits, only make it accessible from the LAN and not the WAN. You can always tunnel the :1 port via ssh and access securely from a remote location.
The webmin console is left open while I test, thus I have not yet tripped up on this though I can imagine it is not foolproof.

HTH
Rob
Re: [CentOS] Inquiry:iptables ?
On 10/31/2009 04:10 AM Tony Molloy wrote:
> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>> Dear All
>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>> Let me thank you in advance
>
> Edit /etc/sysconfig/iptables
>
> Restart iptables with service iptables restart
>
> Tony

My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?
Re: [CentOS] Inquiry:iptables ?
On Saturday, 31.10.2009, 08:48 +0100, hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
> Let me thank you in advance

system-config-securitylevel-tui -q -p $port:$proto

eg for HTTP

system-config-securitylevel-tui -q -p 80:tcp
Re: [CentOS] Inquiry:iptables ?
hadi motamedi wrote:
> Thanks for your message. Please be informed that iptables is being installed:
> #rpm -qa|grep iptables
> iptables-1.3.5-1.2.1
> iptables-ipv6-1.3.5-1.2.1
> Please be informed that on the System -> Administration -> Security Level and Firewall, I can try to add the port but there is no /etc/sysconfig/iptables on my CentOS server. Can you please let me know what is wrong in my case?

Get out of the gui. Open a shell window. Edit the file in your favorite text editor.

mark

--
And no, AFAIK, Perl doesn't have spherical trig functions built in, but it has lots of room for masochism. - Andy Peed
Re: [CentOS] Inquiry:iptables ?
Thanks for your message. Please be informed that iptables is being installed:

#rpm -qa|grep iptables
iptables-1.3.5-1.2.1
iptables-ipv6-1.3.5-1.2.1

Please be informed that on the System -> Administration -> Security Level and Firewall, I can try to add the port but there is no /etc/sysconfig/iptables on my CentOS server. Can you please let me know what is wrong in my case?
Thank you in advance

On Sat, Oct 31, 2009 at 8:34 AM, Tony Molloy wrote:
> On Saturday 31 October 2009 08:27:49 hadi motamedi wrote:
>> Thank you for your reply. But it is returned "No such file" for /etc/sysconfig/iptables. Can you please correct me?
>> Thank you in advance
>
> Is iptables installed
>
> rpm -qa | grep iptables
>
> Tony
>
>> On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy wrote:
>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>> Dear All
>>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>>> Let me thank you in advance
>>>
>>> Edit /etc/sysconfig/iptables
>>>
>>> Restart iptables with service iptables restart
>>>
>>> Tony
>>> --
>>> Dept. of Comp. Sci.
>>> University of Limerick.
>
> --
> Dept. of Comp. Sci.
> University of Limerick.
Re: [CentOS] Inquiry:iptables ?
On Saturday 31 October 2009 08:27:49 hadi motamedi wrote:
> Thank you for your reply. But it is returned "No such file" for /etc/sysconfig/iptables. Can you please correct me?
> Thank you in advance

Is iptables installed

rpm -qa | grep iptables

Tony

> On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy wrote:
>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>> Dear All
>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>>> Let me thank you in advance
>>
>> Edit /etc/sysconfig/iptables
>>
>> Restart iptables with service iptables restart
>>
>> Tony
>> --
>> Dept. of Comp. Sci.
>> University of Limerick.

--
Dept. of Comp. Sci.
University of Limerick.
Re: [CentOS] Inquiry:iptables ?
hadi motamedi wrote:
> Thank you for your reply. But it is returned "No such file" for /etc/sysconfig/iptables. Can you please correct me?

If that file doesn't exist, you're probably not running the default centos firewall scripts; you may well have some other firewall script on there, or none at all.
Re: [CentOS] Inquiry:iptables ?
Thank you for your reply. But it is returned "No such file" for /etc/sysconfig/iptables. Can you please correct me?
Thank you in advance

On Sat, Oct 31, 2009 at 8:10 AM, Tony Molloy wrote:
> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>> Dear All
>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
>> Let me thank you in advance
>
> Edit /etc/sysconfig/iptables
>
> Restart iptables with service iptables restart
>
> Tony
> --
> Dept. of Comp. Sci.
> University of Limerick.
Re: [CentOS] Inquiry:iptables ?
hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)

Older versions of RHEL had a lokkit text menu based util for setting basic firewall ports. I dunno but it may still be available in current versions. All it actually does is edit that sysconfig/iptables file and restart the iptables service that Tony mentions, same as the GUI program does.

Also, you could make a backup of that file on a GUI system, add a port, then diff the backup and the current iptables file to see exactly what the GUI does.
Re: [CentOS] Inquiry:iptables ?
On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
> Dear All
> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port-5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?)
> Let me thank you in advance

Edit /etc/sysconfig/iptables

Restart iptables with service iptables restart

Tony
--
Dept. of Comp. Sci.
University of Limerick.
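Tony's "edit /etc/sysconfig/iptables" and the later suggestion to diff a backup against the file to see what the GUI (or lokkit / system-config-securitylevel-tui) changes, combined in one added shell script. This is my example, not code from the thread or from CentOS; it assumes the stock CentOS 5 file layout with the RH-Firewall-1-INPUT chain, and the sample ruleset written by write_sample is constructed for the demo, not copied from a real host. The function names add_port, accept_line and write_sample are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Make the same one-line change to
# /etc/sysconfig/iptables that the GUI makes when a port is added, but by
# hand and defensively: keep a backup to diff against, refuse a duplicate,
# anchor the ACCEPT just before the chain's final REJECT (a rule placed after
# it would never match), and write through a temp file so a half-written
# firewall file is never left behind for the next "service iptables restart".
# Assumes the stock CentOS 5 layout (chain RH-Firewall-1-INPUT).

CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# The rule line in the form the GUI tool writes it.  $1 = port, $2 = tcp|udp
accept_line() {
    printf '%s\n' "-A $CHAIN -m state --state NEW -m $2 -p $2 --dport $1 -j ACCEPT"
}

# Insert the rule into file $3. Exit status: 0 inserted, 2 already present,
# 1 invalid arguments or no REJECT line in the chain to anchor on.
add_port() {
    case "$2" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case "$1" in ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "bad port: $1" >&2; return 1; }
    if grep -qF -- "-p $2 --dport $1 -j ACCEPT" "$3"; then
        echo "port $1/$2 is already open in $3" >&2
        return 2
    fi
    rule=$(accept_line "$1" "$2")
    cp -p "$3" "$3.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    # Print the new rule immediately before the chain's first REJECT line.
    awk -v chain="$CHAIN" -v rule="$rule" '
        !inserted && $0 ~ ("^-A " chain " ") && $0 ~ "-j REJECT" { print rule; inserted = 1 }
        { print }
        END { exit (inserted ? 0 : 1) }
    ' "$3" > "$tmp" || { rm -f "$tmp"; echo "no REJECT rule in $CHAIN to anchor on" >&2; return 1; }
    # cat, not mv: keeps the original file's owner and 0600 mode
    cat "$tmp" > "$3" && rm -f "$tmp"
}

# Constructed sample resembling a freshly installed CentOS 5 ruleset that
# only allows ssh; the two header comments are what ken's message refers to.
write_sample() {   # $1 = path
cat > "$1" <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on the constructed sample: open 5901/tcp, then diff backup and result,
# which is also the way to see exactly what the GUI does to the file.
f=$(mktemp)
write_sample "$f"
add_port 5901 tcp "$f"
diff "$f.bak."* "$f" || true
rm -f "$f" "$f.bak."*
```

On a real host the sequence is add_port 5901 tcp /etc/sysconfig/iptables as root, diff against the .bak file, then service iptables restart; because the file is only rewritten when awk found the REJECT anchor, a ruleset that has been customised away from the stock layout is left untouched and reported rather than silently appended to after COMMIT.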