Centos iptables configuration for WordPress and Gmail smtp

centos iptables wordpress

Let me start off by saying that I'm a CentOS newbie, so all info, links and suggestions are very welcome!

I recently set up a hosted server with CentOS 6 and configured it as a webserver. The websites running on it are nothing special, just some low traffic projects. I tried to configure the server as default as possible, but I like it to be secure as well (no ftp, custom ssh port).

Getting my WordPress to run as desired, I'm running into some connection problems. 2 things are not working:

  • installing plugins and updates through ssh2 (failed to connect to localhost:sshportnumber)
  • sending emails from my site using the Gmail smtp (Failed to connect to server: Permission denied (13))

I have the feeling that these are both related to the iptables configuration, because I've tried everything else (I think). I tried opening up the firewall to accept traffic for ports 465 (gmail smtp) and ssh port (let's say this port is 8000), but both the issues remain. SSH connections from the terminal are working fine though. After each change I tried implementing, I restarted the iptables service.

This is my iptables configuration (using vim):

# Generated by iptables-save v1.4.7 on Sun Jun  1 13:20:20 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
COMMIT
# Completed on Sun Jun  1 13:20:20 2014

Are there any (obvious) issues with my iptables setup considering the above-mentioned issues? Saying that the firewall is doing exactly nothing in this state is also an answer…

And again, if you have any other suggestions for me to increase security (considering the basic things I do with this box), I would love to hear it, also the obvious ones!

Thanks!

Best Answer

I've noticed that your default policy for the OUTPUT chain is ACCEPT. As such, in the absence of any DROP or REJECT rule at the bottom of the OUTPUT chain, your WordPress iptables rules allow all traffic to egress on any port.

So to clarify: in your above configuration, all traffic is allowed through the OUTPUT chain.

Check for SELinux AVC denials in /var/log/audit/audit.log, as permission denied might indicate that httpd cannot connect to the SMTP network port to send email.

In any case, you should also check /var/log/maillog to see if you're being denied permission there, and of course ensure that postfix/sendmail are actually running and available locally.

In the case of you not being able to install plugins, etc., this will almost certainly be a WordPress file permissions issue, which you can look into in the link below.

Hope this helps. While I appreciate your question is somewhat old, it does register highly in Google for the subject, so perhaps this might help someone else.
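
The answer's point about the OUTPUT chain can be checked mechanically. The script below is an added example, not part of the original question or answer: it reads iptables-save text and reports, per chain, what happens to a packet that matches no specific rule. The helper names `chain_defaults` and `effective_default` are hypothetical; the ruleset is the one posted in the question.

```shell
# Ruleset from the question (filter table, comment lines dropped).
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
COMMIT'

# chain_defaults (hypothetical helper): iptables-save text on stdin, one line
# per chain out: "<chain> policy=<P> catchall=<T|none> effective=<E>"
chain_defaults() {
  awk '
    /^:/ { name = substr($1, 2); policy[name] = $2; order[++n] = name; next }
    # A rule with no match criteria and a terminating target catches everything
    # that reaches it, so it overrides the chain policy.
    $1 == "-A" && $3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/ &&
    (NF == 4 || (NF == 6 && $5 == "--reject-with")) {
      if (!($2 in catchall)) catchall[$2] = $4
    }
    END {
      for (i = 1; i <= n; i++) {
        c = order[i]; t = (c in catchall) ? catchall[c] : "none"
        e = (c in catchall) ? catchall[c] : policy[c]
        printf "%s policy=%s catchall=%s effective=%s\n", c, policy[c], t, e
      }
    }'
}

# effective_default CHAIN (hypothetical helper): verdict for unmatched packets.
effective_default() {
  printf "%s\n" "$RULESET" | chain_defaults |
    awk -v c="$1" '$1 == c { sub(/^effective=/, "", $4); print $4 }'
}

printf "%s\n" "$RULESET" | chain_defaults
```

On a live host the same function can be fed from `iptables-save` instead of the embedded string.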