#1
30th January 2008, 03:05
unclecameron (Senior Member, joined Apr 2006)
IPtables yum allow rule

I'm using this iptables ruleset:

Code:
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT
-A OUTPUT -o lo -j ACCEPT
which blocks yum. What port is yum using, and why does the last INPUT rule block it?
#2
30th January 2008, 08:13
topdog (Senior Member, joined Jan 2008, South Africa)

Outbound yum connections operate on port 80 or port 21/20 depending on if the repo is http or ftp.

The reason why your yum is not working is that you are not allowing replies from the yum server to come back to you.

You need to add this to your ruleset:
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--
http://www.topdog.za.net - Got Linux problems? - I can help.
http://www.baruwa.org - Try it.
#3
31st January 2008, 04:07
unclecameron (Senior Member, joined Apr 2006)

But if they come back in on port 80, my rule would've allowed that. Is yum set up by default to use port 80 or 20/21? BTW, your suggestion works, so thanks!
#4
31st January 2008, 08:10
topdog (Senior Member, joined Jan 2008, South Africa)

Quote (originally posted by unclecameron):
But if they come back in on port 80, my rule would've allowed that. Is yum set up by default to use port 80 or 20/21? BTW, your suggestion works, so thanks!

No, your rule would not allow that: the rule in your INPUT chain allows connections that are coming to a web server on that box.

When you connect to a yum server outside, your outbound packets go out through the OUTPUT chain with --dport 80 and a high --sport, which is a random port selected by the OS.

Connections coming back from the outside yum server will have --sport 80 and --dport set to the high port that was selected when the outbound connection was initiated.

If you allow anything with --sport 80 into your machine, that is a problem, because I can then initiate my connections from port 80 and get to you. This is the reason we choose to use ESTABLISHED,RELATED: it uses the kernel's connection tracking to make sure that the connection is a reply to a packet that was sent by your machine, not a new connection coming in.
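The fix from post #2 and the reasoning in post #4 together, as an added example that is not code from the thread: the first post's ruleset rewritten in iptables-restore format with the ESTABLISHED,RELATED rule placed ahead of the catch-all REJECT, plus two checks that can be run against the file or against live rules (`iptables -S INPUT`). Assumptions: the rules are loaded as root with iptables-restore; for an FTP repo the RELATED state only covers the data channel when the FTP conntrack helper (nf_conntrack_ftp, or ip_conntrack_ftp on 2.6-era kernels) is loaded; the INPUT and FORWARD policies are set to DROP here as a backstop, which the original ruleset did not do.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: rules are loaded with
# iptables-restore as root; for FTP repos the RELATED state only covers the data
# channel if the FTP conntrack helper (nf_conntrack_ftp / ip_conntrack_ftp) is loaded.

# The first post's ruleset in iptables-restore format, with the rule from post #2
# placed BEFORE the catch-all REJECT. iptables walks INPUT top down and stops at
# the first terminating target, so a conntrack rule appended after "-j REJECT"
# would never be reached and yum's replies would still be rejected.
corrected_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (yum to a repo on 80 or 21) and flows
# related to them: the FTP data channel, and ICMP errors such as "fragmentation
# needed", which the later "-p icmp -j DROP" would otherwise eat
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Check that the ESTABLISHED,RELATED accept precedes the catch-all REJECT/DROP in
# INPUT. Reads rules on stdin, so it works on the file above or on live rules:
#   iptables -S INPUT | check_reply_rule_order
# (modern iptables prints the state match as "-m conntrack --ctstate ...").
check_reply_rule_order() {
    awk '
        /^-A INPUT/ { n++ }
        /^-A INPUT .*--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ && !est { est = n }
        /^-A INPUT -j (REJECT|DROP)/ && !rej { rej = n }
        END {
            if (est && rej && est < rej) { print "ok: conntrack rule is #" est ", catch-all is #" rej; exit 0 }
            print "bad: conntrack rule at #" (est + 0) ", catch-all at #" (rej + 0); exit 1
        }'
}

# Flag the tempting wrong fix that post #4 warns about: an INPUT rule that accepts
# by source port alone. Anyone can send from source port 80, so such a rule lets
# an attacker open new connections to any high port on the box. Exits 1 if found.
find_sport_holes() {
    awk '
        /^-A INPUT .*--sport [0-9]+/ && /-j ACCEPT/ && !/--(ct)?state/ { print "hole: " $0; found = 1 }
        END { exit found ? 1 : 0 }'
}

corrected_ruleset | check_reply_rule_order
corrected_ruleset | find_sport_holes
```

Load the output of `corrected_ruleset` with `iptables-restore`, then confirm the state the kernel is keeping for yum's connections with `conntrack -L` (conntrack-tools) while a `yum check-update` is running; each repo connection shows up as an ESTABLISHED tcp entry keyed on the random high source port that post #4 describes.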
#5
22nd August 2013, 21:33
gmo.rackz (Junior Member, joined Aug 2013)

In order to find out what protocol yum uses, check the repo.conf and locate the "baseurl" parameter, which would indicate whether you are using ftp (20, 21) or http (80), and base your rules on the setting of that parameter.
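Post #5's advice carried through, as an added example that is not code from the thread: read every baseurl and mirrorlist from a repo file and turn each into the outbound TCP port the firewall must let the host reach. It goes a little beyond the thread's http/ftp cases: https (443) and an explicit :port in the URL are handled too. The repo file, hostnames and ports below are constructed for the example; on a real host feed the functions `/etc/yum.repos.d/*.repo`.

```shell
#!/bin/sh
# Added example, not code from the thread. The repo file, hosts and ports are
# constructed; on a real host: cat /etc/yum.repos.d/*.repo | repo_endpoints
SAMPLE_REPO='[base]
name=Example Base
baseurl=http://mirror.example.com/centos/5/os/i386/
enabled=1

[updates]
name=Example Updates (mirror list only)
mirrorlist=https://mirrors.example.com/?repo=updates
enabled=1

[extras]
name=Example FTP repo, enabled by default
baseurl=ftp://ftp.example.com/pub/extras/

[epel]
name=Example repo behind a proxy on a non-standard port
baseurl=http://proxy.example.com:8080/epel/
enabled=1

[local]
name=Local disk, needs no firewall rule
baseurl=file:///media/cdrom/
enabled=1

[testing]
name=Disabled repo, skipped
baseurl=http://testing.example.com/
enabled=0
'

# Print "scheme host port" for every baseurl/mirrorlist of each enabled repo read
# from stdin. Repos with no enabled= line count as enabled, as yum treats them.
repo_endpoints() {
    awk '
        function endpoint(u,   scheme, host, port) {
            scheme = u; sub(/:.*/, "", scheme)
            if (u == "" || scheme == "file") return       # file:// never leaves the host
            host = u; sub("^[A-Za-z]+://", "", host); sub("[/?].*", "", host)
            if (host ~ /:[0-9]+$/) { port = host; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", host) }
            else if (scheme == "http")  port = 80
            else if (scheme == "https") port = 443
            else if (scheme == "ftp")   port = 21         # control channel; the data channel is RELATED with the ftp helper
            else port = "?"
            print scheme, host, port
        }
        /^[ \t]*\[/ { sec = $0; secs[++nsec] = sec; enabled[sec] = 1; next }
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "enabled") enabled[sec] = val + 0
            else if (key == "baseurl" || key == "mirrorlist") urls[sec] = urls[sec] " " val
        }
        END {
            for (i = 1; i <= nsec; i++) {
                if (!enabled[secs[i]]) continue
                n = split(urls[secs[i]], list, " ")      # baseurl may list several URLs
                for (j = 1; j <= n; j++) endpoint(list[j])
            }
        }'
}

# Distinct destination ports, sorted, e.g. for an egress policy review.
yum_ports() {
    repo_endpoints | awk '{ print $3 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# OUTPUT rules for a host whose OUTPUT policy is DROP (the thread's ruleset has
# OUTPUT ACCEPT, so it needs none). Caveats: iptables resolves the hostname once,
# at load time, and a mirrorlist URL only names the list server, not the mirrors
# it hands back, which may be other hosts on other schemes.
yum_output_rules() {
    repo_endpoints | awk '$3 != "?" {
        printf "-A OUTPUT -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n", $2, $3 }'
}

printf '%s' "$SAMPLE_REPO" | repo_endpoints
```

Whatever ports come out, the INPUT side stays the same: replies return to a random high port, so they are admitted by the ESTABLISHED,RELATED rule, not by a per-port rule.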