I am trying to open up ports in CentOS's firewall and am having a terrible go at it. I have followed the "HowTo" here: http://wiki.centos.org/HowTos/Network/IPTables as well as a few other places on the Net but I still can't get the bloody thing to work.
Basically I wanted to get two things working: VNC and Apache over the internal network. The problem is that the firewall is blocking all attempts to connect to these services. Now if I issue
service iptables stop
and then try to access the server via VNC or hit the webserver everything works as expected. However the moment I turn iptables back on all of my access is blocked. Below is a truncated version of my iptables file as it appears in vi
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5801 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6001 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Really I would just be happy if I could get port 80 opened up for Apache since I can do most stuff via putty but if I could figure out VNC as well that would be cool. As far as VNC goes there is just a single/user desktop that I am trying to connect to via: [ipaddress]:1
Any help would be greatly appreciated!
Best Answer
Assuming that you don't have any REJECT/DROP statements above, all you need to do for an internal network (let's say that you're on 10.1.1.x and want all hosts in that range) is a statement such as:
-A RH-Firewall-1-INPUT -s 10.1.1.0/24 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
and follow this for each additional port. Check the top of the file and make sure that
:RH-Firewall-1-INPUT - [0:0]
is present or use the standard
-A INPUT
instead. Keep in mind that iptables is processed top to bottom!
If this doesn't work, post your whole conf or move your DROP or REJECT line to the end of the file (but above COMMIT).
Make sure to do a
/sbin/service iptables reload
after.