TurnKey Linux Virtual Appliance Library

Ports closed even after allowing in Linux firewall tables

I have a turnkey install through AWS with Ubuntu 10.4 using webmin version 1.580.

I wanted to open up ports 110 and 25 to route email and so I edited the IP tables in the Linux firewall module and then tested the ports to make sure they are open. So when I tested them through a port scan they showed they were still closed. So then I thought well maybe I had to open the ports up in the Amazon control panel for the instance and open up the ports in the security group for the instance. So I had the following setup:

110 (POP3)              0.0.0.0/0

In the iptables I had this setup:

-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

So when I did a port scan again it still showed the port as closed.

So now I'm confused on why it keeps showing the port as closed even though it's open in AWS and on the Linux firewall.

Did I miss something somewhere?

Thanks!

Same Problem

I have the same problem. Can we get some help on this, please?

Jeremy:

Linux firewall (IPTables) disabled by default

So the only thing getting in your way is AWS (unless of course you enabled IPTables). I don't know anything about AWS security settings (or IPTables for that matter) but I would assume that they would be configurable from the AWS console. Perhaps you have inadvertently blocked ports with IPTables (instead of allowing)? Perhaps it'd pay to disable IPTables again (at least until you have the AWS security settings working as expected).

WEBMIN Port

I'm currently working with the django appliance.

In all the appliances you get WEBMIN on port 12321 as I recall. Looking in the Linux firewall setup that you get to from WEBMIN itself, you have that port (among others enabled).

I take what you said to mean that when you create a new server you are not actually specifying anything in the AWS firewall. Meaning that all servers get the default AWS firewall settings and all you do to make WEBMIN available is open its port in the Linux firewall. Is that correct?

I'm only trying to enable port 8080. I made an entry just like the entry for port 80. But for some reason port 8080 is not available. I was about to start messing with the AWS firewall when I found this thread.

So let me put the question another way. If you want a new port to be opened on some new VM, what do you do?

Jeremy:

No, unless you enable IPTables you don't need to touch them

To use IPTables you need to enable them (down the bottom of the Webmin page where you adjust the settings - and you are right about the port). If you want to enable them too, that's fine, but I'd wait until you have the server working as you want first.

AFAIK the TKL appliances launched via the Hub have an AWS security profile applied. I'm not sure if it is a generic TKL one or if there is a separate one for each appliance. I've never adjusted it, but I'm fairly sure it should be able to be adjusted via the AWS console (although I have no idea how).

Alon Swartz:

Each appliance has its own customized firewall rules

When launching new servers via the Hub, it will create a security group (i.e. firewall rules) on AWS automatically. Each appliance has its own customized firewall rules, which are based on the settings that are included in the appliance's iptables profile.

You can tweak the AWS firewall settings from within the Hub. In the server record on the Hub, you'll see "Firewall rules: turnkey-APP-...". Just click that link and you'll be able to add and delete rules in a simple interface.

Does The Linux Firewall Mean Anything?

Found the AWS rules and edited them.

So does the Linux firewall actually do anything? Do its rules need to match the AWS rules?

Jeremy:

It is configured, but disabled

So unless you enable it it doesn't do anything. When running in AWS it is probably unrequired although if you want to add an additional layer of security you can always enable it and if you do, then you'll want to have them set the same.

It Appears That Opening A Port Doesn't Work

I'm just now to where I really need a port opened up. I did in fact open port 5060 within the hub as shown below. But a port scan of that port fails.

I'm guessing the interface in the hub isn't being recognized by AWS. Or did I do something wrong? How can we check?

BTW - Here's a port scanner: http://www.t1shopper.com/tools/port-scan/

This is important because I need to be able to connect to port 5060 via a softphone. Until that works, I have to make real calls which costs $.

  • Custom  TCP  5060  0.0.0.0/0
  • Custom  UDP  5060  0.0.0.0/0

Firewall Rules Work For Web shell

As a test, I removed the Web shell entry and that did in fact disable it. And then I added the entry back in and Web shell was again reachable. I also did a port scan test (http://www.t1shopper.com/tools/port-scan) and got the expected results.

So why can't I get to port 5060?

Jeremy:

Have you confirmed that your app is listening?

Probably a good idea to check that your app is listening on the desired port (netstat is useful for that) otherwise the port won't be open AFAIK.

Listening on Private IP

netstat -a shows that the server is listening on the right ports. But it's looking at the private IP instead of the public IP. Based on (https://forums.aws.amazon.com/thread.jspa?threadID=92923), I don't think that should matter. But could it?

tcp        0      0 ip-10-166-221-92.u:5080 *:*                     LISTEN
tcp        0      0 ip-10-166-221-92.us:sip *:*                     LISTEN
. . .
udp        0      0 ip-10-166-221-92.us:sip *:*
udp        0      0 ip-10-166-221-92.u:5080 *:*

Jeremy:

I don't think it should matter

But I'm not completely sure.

One thing that does strike me though is that it's listening on port 5080 and previously you have been discussing port 5060.

I noticed you have to enable

I noticed you have to enable the ports on the Amazon side of things as well. There's essentially TWO firewalls in front of anything in TKL: TKL iptables rules, and the Amazon rules for EC2. You should have a security group linked to your server, and you need to add the ports you want opened up through the EC2 front-end.

HTH...

Bruce

Jeremy:

IPTables are disabled by default

Although they are configured for the default appliances. Unless you enable the IPTables/Firewall then you don't need to do anything with them. You do need to allow them in AWS though.
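The checks Jeremy and Bruce describe above (is the service actually listening, and are the same ports allowed in the EC2 security group, the second firewall in front of every instance) as an added example; this script is not from the thread, from TurnKey or from AWS. The netstat output and the security-group rule list are constructed to mirror the thread, with 5060 opened and nothing for 5080; on a real instance you would feed it `netstat -an` or `ss -lntun` output and the group's actual rules. Numeric output matters: with names resolved, port 5060 shows up as `sip`, which is exactly how it can be overlooked in a listing like the one above. A 10.x bind address is normal on EC2, because the public address is translated by AWS and never appears on the instance itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey/AWS.
# Cross-checks what a host is actually listening on against the ports
# allowed in its EC2 security group. All sample data below is constructed;
# on a real instance replace it with `netstat -an` (or `ss -lntun`) output
# and the security group's real rule list.

# Constructed `netstat -an` output: numeric (-n) so that service names such
# as "sip" do not hide the port number (sip == 5060). The private 10.x
# address is normal on EC2: the public IP is NATed by AWS and never shows here.
SAMPLE_NETSTAT='tcp        0      0 10.166.221.92:5080      0.0.0.0:*               LISTEN
tcp        0      0 10.166.221.92:5060      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN
udp        0      0 10.166.221.92:5060      0.0.0.0:*
udp        0      0 10.166.221.92:5080      0.0.0.0:*'

# Constructed security-group rules as "proto/port", mirroring the thread:
# 5060 (tcp+udp) and the Webmin port 12321 are opened, nothing for 5080.
SAMPLE_SG='tcp/5060 udp/5060 tcp/12321'

# listening_sockets: netstat -an text on stdin -> "proto/port bind-address"
# per listening TCP socket and per bound UDP socket.
listening_sockets() {
  awk '
    ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
      proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp, udp6 -> udp
      port = $4; sub(/.*:/, "", port)           # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)       # text before the last colon
      print proto "/" port, addr
    }'
}

# sg_allows PROTO/PORT RULES: succeed if the rule list contains that entry.
sg_allows() {
  for rule in $2; do
    [ "$rule" = "$1" ] && return 0
  done
  return 1
}

# audit NETSTAT_TEXT RULES: one line per listening socket, tagged
# "reachable" (a rule allows it) or "blocked" (no matching rule, so the
# security group drops the traffic before it ever reaches the instance).
audit() {
  printf '%s\n' "$1" | listening_sockets | sort -u | while read -r sock addr; do
    if sg_allows "$sock" "$2"; then
      echo "$sock on $addr: reachable (security group allows it)"
    else
      echo "$sock on $addr: blocked (no security group rule)"
    fi
  done
}

# blocked_count NETSTAT_TEXT RULES: number of listening sockets with no rule.
blocked_count() {
  audit "$1" "$2" | grep -c ': blocked' || true
}

audit "$SAMPLE_NETSTAT" "$SAMPLE_SG"
echo "sockets with no security group rule: $(blocked_count "$SAMPLE_NETSTAT" "$SAMPLE_SG")"
```

With the constructed data the script reports 5060/tcp, 5060/udp and 12321/tcp as reachable and both 5080 sockets as blocked, which is the kind of mismatch (service bound to one port, security group opened for another) that an external port scan alone cannot explain. Note that it only compares the two lists; it does not prove end-to-end reachability, so an enabled iptables ruleset on the instance still has to be checked separately.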
