Bug 524509

Summary: iptables not opening port 25
Product: [Fedora] Fedora Reporter: Digvijay Patankar <dbpatankar>
Component: iptablesAssignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-12 11:09:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output of iptables-save none

Description Digvijay Patankar 2009-09-20 23:06:57 UTC 
Description of problem:

Tried to open port 25 through shell, webmin package as well as built-in firewall admin package.

following line is present in /etc/sysconfig/iptables
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT

Even webmin and firewall admin packages show the same.

BUT

nmap localhost/<my ip address>

do not shot the port as 'open'.


Version-Release number of selected component (if applicable):
iptables-1.4.3.1-1.fc11.x86_64
nmap-5.00-1.fc11.x86_64

How reproducible:
Always

Steps to Reproduce:
1. open port 25 through shell
2. service iptables restart
3. nmap localhost
  
Actual results:
port 25 closed

Expected results:
port 25 open

Additional info:

nmap may not be having any problem because configtest.php of 'squirrelmail' package is also mentioning that port 25 is closed. Also telnet to port 25 > connection refused.
Is it really a bug? or am I missing something?
Comment 1 Thomas Woerner 2009-09-21 09:26:02 UTC 
Where have you added the line? Please make sure that you are adding the line before a reject rule. 

Please attach the complete file.
Comment 2 Digvijay Patankar 2009-09-21 09:44:21 UTC 
Yes of course! I have added it before reject rule.

Take a look at the file.



# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 993 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 995 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
Comment 3 Digvijay Patankar 2009-09-21 10:18:45 UTC 
the case is same with other ports such as 80, 443
Comment 4 Thomas Woerner 2009-09-23 16:17:04 UTC 
The configuration is ok and it is opening for example port 25 without and problems. 

Have you installed any other firewall tools besides system-config-firewall?
Comment 5 Digvijay Patankar 2009-09-24 14:37:22 UTC 
No, I have not installed any other firewall.

And using the above procedure I could be able to open port 22.

But immediately after that when I tried to open port 80 and 25,
iptables not opening them.

I am facing this problem since last week.

Actually sometime it worked and sometime not.

And now its not working at all.
Comment 6 Thomas Woerner 2009-09-24 14:44:20 UTC 
Please attach the output of iptables-save.
Comment 7 Digvijay Patankar 2009-09-24 16:16:34 UTC 
Created attachment 362522 [details]
output of iptables-save
Comment 8 Thomas Woerner 2009-10-09 13:38:57 UTC 
This configuration is ok and working as expected. Also nmap shows the correct output for the eth0 IP address.

Are you trying to connect to port 25 on the eth0 interface? This will not work, because the mailers are not binding to eth* by default, only to lo.
Comment 9 Thomas Woerner 2009-11-11 12:55:58 UTC 
Do you have httpd and sendmail running with non-localhost configurations? If not then this is the reason nmap will not report the ports as beeing open. No one is listening.
Comment 10 Digvijay Patankar 2009-11-11 18:41:37 UTC 
I resolved the issue with reinstalling httpd and sendmail.
Now everything works fine.
I can open/close the ports through /etc/sysconfig/iptables
and the same reflects through nmap whenever there is a service listening on that port.

Sorry for the trouble. But now I can't provide much info about the previous configuration.
Comment 11 Thomas Woerner 2009-11-12 11:09:30 UTC 
Closing as NOT A BUG.