IPtables yum allow rule

Discussion in 'Server Operation' started by unclecameron, Jan 30, 2008.

  1. unclecameron

    unclecameron New Member

    I'm using an iptables ruleset

    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j DROP
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p icmp -j DROP
    -A OUTPUT -o lo -j ACCEPT
    which blocks yum. What port is yum using, and why does the last INPUT rule block it?
  2. topdog

    topdog Active Member

    Outbound yum connections operate on port 80 or port 21/20, depending on whether the repo is http or ftp.

    The reason why your yum is not working is that you are not allowing replies from the yum server to come back to you.

    You need to add this to your ruleset
  3. unclecameron

    unclecameron New Member

    But if they come back in on port 80, my rule would've allowed that. Is yum set up by default to use port 80 or 20/21? BTW, your suggestion works, so thanks!
  4. topdog

    topdog Active Member

    No, your rule would not allow that. Your rule in the INPUT chain allows connections that are coming to a web server on that box.

    When you connect to a yum server outside, your outbound packets are going out over the OUTPUT chain with --dport 80 and a high --sport, which is a random port selected by the OS.

    Connections coming back from the outside yum server will have --sport 80 and --dport the high port that was selected when the outbound connection was initiated.

    If you allow anything with --sport 80 into your machine, that is a problem, because I can then initiate my connections from port 80 and get to you. This is the reason we choose to use ESTABLISHED,RELATED: this uses the kernel's connection tracking to make sure that the connection is a reply to a packet that was sent by your machine, not a new connection coming in.
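    A toy packet-filter model of the argument above, added here as an illustration (not code from the thread): it replays the poster's ruleset, the naive "accept --sport 80" fix, and a minimal ESTABLISHED-style connection-tracking check against a yum fetch and an unsolicited packet that merely claims source port 80. Hosts, ports and the `filter_packet`/`run_scenario` names are constructed for the example.

    ```python
    # Toy model of why the original INPUT rules drop yum's replies, why
    # "ACCEPT anything with --sport 80" is unsafe, and why ESTABLISHED,RELATED
    # (kernel connection tracking) lets replies in without that hole.
    # Constructed example, not code from the thread; addresses are made up.
    from dataclasses import dataclass

    @dataclass(frozen=True)
    class Packet:
        direction: str  # "in" (INPUT chain) or "out" (OUTPUT chain)
        src: str
        sport: int
        dst: str
        dport: int

    # Constructed hosts (RFC 5737 documentation ranges).
    ME, REPO, ATTACKER = "203.0.113.10", "198.51.100.7", "192.0.2.66"
    LOCAL_SERVICES = {80, 22}  # the thread's --dport 80 / --dport 22 ACCEPT rules

    def filter_packet(pkt, mode, conntrack):
        """Verdict for one TCP packet under the chosen INPUT policy.

        mode: "original"  - the poster's ruleset (no reply handling at all)
              "sport80"   - naive fix: ACCEPT anything arriving with --sport 80
              "conntrack" - ACCEPT only replies to connections we initiated
        conntrack: set of (src, sport, dst, dport) tuples for outbound flows
        """
        if pkt.direction == "out":
            conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # OUTPUT accepted
            return "ACCEPT"
        if pkt.dport in LOCAL_SERVICES:          # inbound to our own web/ssh server
            return "ACCEPT"
        if mode == "sport80" and pkt.sport == 80:
            return "ACCEPT"                      # trusts a field the sender controls
        if mode == "conntrack" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in conntrack:
            return "ACCEPT"                      # ESTABLISHED: mirrors a flow we opened
        return "DROP"

    def run_scenario(mode):
        """A yum fetch to the repo, then an unsolicited packet spoofing source port 80."""
        table = set()
        request = Packet("out", ME, 43210, REPO, 80)     # high random --sport, --dport 80
        reply = Packet("in", REPO, 80, ME, 43210)        # --sport 80, --dport 43210
        probe = Packet("in", ATTACKER, 80, ME, 31337)    # looks like a reply but is not
        filter_packet(request, mode, table)
        return {"yum_reply": filter_packet(reply, mode, table),
                "spoofed_probe": filter_packet(probe, mode, table)}

    if __name__ == "__main__":
        for mode in ("original", "sport80", "conntrack"):
            print(mode, run_scenario(mode))
    ```

    Only the connection-tracking mode both admits the repo's reply and drops the packet that merely claims source port 80, which is the property the real `-m state --state ESTABLISHED,RELATED` match provides.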
  5. gmo.rackz

    gmo.rackz New Member

    In order to find out what protocol yum uses, check the repo.conf and locate the "baseurl" parameter, which would indicate if you are using ftp (20, 21) or http (80), and base your rules on the setting of that parameter.
