Centos – issues configuring firewall rules for Postgres on Centos

centoscentos7firewallpostgresql

I am attempting to follow this guide to allow remote connections to postgres http://www.cyberciti.biz/tips/postgres-allow-remote-access-tcp-connection.html
At the moment I am running into issues with the firewall.
I have it setup so I have a /tmp/v4 that I can modify and just restore my firewall rules from.
I have tried 2 settings.
The one the guide recommends:

-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 00.000.000.00  --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 00.000.000.00 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

When I use this setting and run nc ipofserver 5432 I get Ncat: connection timed out
If I try settings

-I INPUT -p tcp -s 00.000.000.00  --dport 5432 -j ACCEPT
-I INPUT -p tcp -s 00.000.000.00  --dport 5432 -j ACCEPT

I run the same ncat command, I get Ncat: Connection refused

I use the same base firewalls (not what is listed above) on another server for serving redis and it works correctly.

firewalld has been disabled on this box in favor of iptables, mostly for familiarity purposes.

Both machines are CentOS 7

00.000.000.00 replaces the IP of the computer I am actually using

Best Answer

centos7 uses firewall-cmd out of the box, unless you have disabled it. I assume you have not because you would have mentioned it otherwise.

With that assumption in place, then you can simply run this on your postgresql host:

firewall-cmd --add-service=postgresql

Once you have verified that it works, then you can run it again with the permanent switch to make it stick after reboots:

firewall-cmd --add-service=postgresql --permanent

If you install the bash-completion package, after re-logging in, firewall-cmd autocompletes, making it really easy to use.

Edit: OP indicates he does not use firewall-cmd. So assuming he uses the old iptables service, then the canonical way to modify is to edit /etc/sysconfig/iptables.

If you want to allow incoming connections to port 5432/tcp in that host, then you need to add this line

-A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT

before

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

and the reload the iptables service. This will of course allow all connections to the database server from any host.

If you want to limit what hosts may connect (let's limit it to one, 111.222.111.222), then:

-A INPUT -p tcp -s 111.222.111.222 --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT

That should do it, remove the other one, of course, and reload the iptables service

Related Solutions

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Best Answer

Related Solutions

Iptables – ftp tls firewalled :(

Linux – Unable to make outbound SNMP connections when IPTables is enabled

Related Topic