IPtables yum allow rule


unclecameron
30th January 2008, 02:05
I'm using an iptables ruleset

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT
-A OUTPUT -o lo -j ACCEPT


which blocks yum. What port is yum using, and why does the last INPUT rule block it?

topdog
30th January 2008, 07:13
Outbound yum connections operate on port 80 or ports 21/20, depending on whether the repo is HTTP or FTP.

The reason why your yum is not working is that you are not allowing replies from the yum server to come back to you.

You need to add this to your ruleset:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

unclecameron
31st January 2008, 03:07
But if they come back in on port 80, my rule would've allowed that. Is yum set up by default to use port 80 or 20/21? BTW, your suggestion works, so thanks!

topdog
31st January 2008, 07:10
But if they come back in on port 80, my rule would've allowed that. Is yum set up by default to use port 80 or 20/21? BTW, your suggestion works, so thanks!
No, your rule would not allow that. Your rule in the INPUT chain allows connections that are coming to a web server on that box.

When you connect to a yum server outside, your outbound packets are going out over the OUTPUT chain with --dport 80 and a high --sport, which is a random port selected by the OS.

Connections coming back from the outside yum server will have --sport 80 and a --dport of the high port that was selected when the outbound connection was initiated.

If you allow anything with --sport 80 into your machine, that is a problem because I can then initiate my connections from port 80 and get to you. This is the reason we choose to use ESTABLISHED,RELATED: it uses the kernel's connection tracking to make sure that the connection is a reply to a packet that was sent by your machine, not a new connection coming in.
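As an added illustration (not from any poster in this thread), here is a small Python model of the INPUT chain above with a toy connection tracker. It shows the posted ruleset rejecting the yum reply, a bare "--sport 80" accept rule also letting in an unsolicited connection sent from port 80, and the ESTABLISHED,RELATED rule accepting only the genuine reply. The port numbers are constructed.

```python
"""Toy model of the thread's INPUT chain: why the yum reply is rejected, why a
'--sport 80 ACCEPT' rule is dangerous, and what ESTABLISHED,RELATED fixes."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    sport: int
    dport: int
    iface: str = "eth0"

# Simplified connection tracking: every flow this host opened over OUTPUT,
# keyed as (proto, local port, remote port).
conntrack: set = set()

def send(pkt: Pkt) -> None:
    """Outbound packet: record the flow so its replies count as ESTABLISHED."""
    conntrack.add((pkt.proto, pkt.sport, pkt.dport))

def is_established(pkt: Pkt) -> bool:
    """A reply reverses the ports of a tracked outbound flow."""
    return (pkt.proto, pkt.dport, pkt.sport) in conntrack

def input_chain(pkt: Pkt, rules) -> str:
    """First matching rule wins; the posted chain ends with '-A INPUT -j REJECT'."""
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return "REJECT"

# Only the TCP rules from the posted chain are modelled (25/icmp DROPs omitted).
ORIGINAL = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
]
NAIVE = [(lambda p: p.proto == "tcp" and p.sport == 80, "ACCEPT")] + ORIGINAL
STATEFUL = [(is_established, "ACCEPT")] + ORIGINAL

def demo() -> dict:
    """Verdicts (reply, unsolicited) per ruleset; all ports are constructed."""
    conntrack.clear()
    send(Pkt("tcp", 48123, 80))          # yum -> repo: random high sport, dport 80
    reply = Pkt("tcp", 80, 48123)        # repo -> yum: sport 80, dport = that high port
    unsolicited = Pkt("tcp", 80, 3306)   # new inbound connection sent from port 80
    return {name: (input_chain(reply, r), input_chain(unsolicited, r))
            for name, r in (("original", ORIGINAL), ("naive", NAIVE),
                            ("stateful", STATEFUL))}
```

Running demo() gives REJECT/REJECT for the posted chain, ACCEPT/ACCEPT for the naive source-port rule, and ACCEPT/REJECT for the stateful chain.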

gmo.rackz
22nd August 2013, 20:33
In order to find out what protocol yum uses, check the repo.conf and locate the "baseurl" parameter, which would indicate whether you are using FTP (20, 21) or HTTP (80), and base your rules on the setting of that parameter.