Bug 586685

Summary: iptables prevents ssh login to newly installed machine
Product: [Fedora] Fedora
Reporter: Tony Molloy <tony.molloy>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 13
CC: awilliam, jlaska, msivak, tmraz, twoerner
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-03 14:25:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 507681

Description Tony Molloy 2010-04-28 07:23:45 UTC
Description of problem:

The default iptables configuration on installation of Fedora 13 does not allow you to ssh into the machine as root after installation.

This was available on Fedora 12.

Version-Release number of selected component (if applicable):

iptables-1.4.6-2.fc13.x86_64

How reproducible:

Every time

Steps to Reproduce:

1. Install Fedora-13 Beta
2. Reboot and run firstboot
3. As you can't log in as root to the GUI, try to ssh in as root. You can't,
   because the default iptables settings don't open the ssh port.
  
Actual results:

You can't ssh in as root to a newly installed machine

Expected results:

I'd expect to be able to ssh in as root to a newly installed machine.

Additional info:

Comment 1 Adam Williamson 2010-04-29 09:56:40 UTC
Marking as F13Blocker per list + blocker meeting discussion.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Adam Williamson 2010-04-30 18:29:12 UTC
Tony, can you please urgently clarify for us exactly what kind of install you tested, from what Fedora 13 image (beta? nightly? something else?), and what iptables configuration resulted exactly? Thanks. We need this info ASAP - any changes have to be done by Tuesday.

This was discussed at today's blocker review meeting. I think our expected behaviour is that if doing a traditional install, via the network, the installed system should be connected to the network and accessible via ssh directly as root on the first boot after install.

Comment 3 James Laska 2010-04-30 19:50:47 UTC
Default iptables rules after an F-13-Final-TC1 installation.  Port 22 is blocked.  Unclear if this is an intentional change or not.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Comment 4 James Laska 2010-04-30 19:52:15 UTC
Note, the /root/anaconda-ks.cfg generated for the manual install performed in comment#3, includes the line:

firewall --service=ssh

So there seems to be the expectation that port 22 should be open.

Comment 5 Tony Molloy 2010-05-01 08:03:01 UTC
I did a standard NFS install using the original Fedora 13 Beta rpms:

iptables-1.4.6-2.fc13.x86_64.rpm
system-config-firewall-1.2.23-1.fc13.noarch.rpm

Then I ran firstboot. I logged in as an ordinary user and everything including the network seemed fine. I could ping around my test network ok and other machines on my test network could ping the machine.

Then, as I couldn't log in to the GUI as root, I tried to ssh in as root to run some configuration scripts I use.

I got a "no route to host" error.

When I finally tracked down the cause, I had the following iptables configuration.

[root@fedora-test ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I added the following line to allow ssh logins:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

I restarted iptables and everything worked as expected.


In the anaconda-ks.cfg generated I have the following entries.

selinux --enforcing
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
firewall --service=ssh

This suggests that ssh should be allowed through the firewall by default.

Sorry for the delay, but the e-mail arrived after end of work on Friday ;-)

Hope this helps.

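The mismatch in comments 4 and 5 is between what the kickstart file promised (`firewall --service=ssh`) and what the generated /etc/sysconfig/iptables actually allows. The following is an added example, not code from the bug report or from Fedora: a small checker that parses an iptables-save style ruleset, walks the INPUT chain in order, and reports whether a new TCP connection to a given port would be accepted before the catch-all REJECT. It then compares that against the ports a kickstart `firewall` line asks for. The two rulesets and the kickstart lines are constructed from the text in comment 5; the `SERVICE_PORTS` mapping is a minimal assumption, and port ranges, multiport matches and user-defined chains are deliberately not handled.

```python
"""Check an iptables-save style ruleset against a kickstart 'firewall' line.

Added example (not part of the bug report). Constructed sample data mirrors the
/etc/sysconfig/iptables and anaconda-ks.cfg fragments quoted in comment 5.
"""
import shlex

# Constructed sample: the default Fedora 13 Beta ruleset from comment 5 (port 22 closed).
DEFAULT_RULESET = """\
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the same ruleset with the reporter's fix line inserted before the REJECT.
FIXED_RULESET = DEFAULT_RULESET.replace(
    "-A INPUT -j REJECT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n-A INPUT -j REJECT",
)

# Constructed sample: the anaconda-ks.cfg lines quoted in comment 5.
KICKSTART_LINES = """\
selinux --enforcing
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
firewall --service=ssh
"""

# Assumption: minimal service-name to TCP port mapping for the kickstart --service option.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}


def parse_table(text, table="filter"):
    """Return (policies, rules): chain -> policy, and the ordered '-A' rules as (chain, argv)."""
    policies, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]                  # table header, e.g. *filter
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ':INPUT ACCEPT [0:0]'
            policies[chain] = policy
        elif current == table and line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))   # ('INPUT', ['-p', 'icmp', '-j', 'ACCEPT'])
    return policies, rules


def _opt(argv, *names):
    """Value following the first of `names` in argv, or None if absent."""
    for i, tok in enumerate(argv):
        if tok in names and i + 1 < len(argv):
            return argv[i + 1]
    return None


def new_tcp_reachable(text, port, chain="INPUT"):
    """True if `chain` accepts a new TCP connection to `port` before a REJECT/DROP.

    Conservative: rules limited to an interface or source address are skipped
    (a remote client may not match them), rules whose --state lacks NEW cannot
    match the first packet, and non-terminating targets are walked past.
    """
    policies, rules = parse_table(text)
    for rule_chain, argv in rules:
        if rule_chain != chain:
            continue
        if _opt(argv, "-i", "--in-interface") or _opt(argv, "-s", "--source"):
            continue
        states = _opt(argv, "--state")
        if states and "NEW" not in states.split(","):
            continue
        proto = _opt(argv, "-p", "--protocol")
        if proto and proto != "tcp":
            continue
        dport = _opt(argv, "--dport", "--destination-port")
        if dport and dport != str(port):
            continue
        target = _opt(argv, "-j", "--jump")
        if target == "ACCEPT":
            return True
        if target in ("REJECT", "DROP"):
            return False
    return policies.get(chain) == "ACCEPT"     # fell off the chain: policy decides


def kickstart_expected_ports(text):
    """TCP ports a kickstart 'firewall' line asks to open (--service=, --port=, --ssh)."""
    ports = set()
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "firewall" or "--disabled" in argv:
            continue
        for tok in argv[1:]:
            if tok == "--ssh":
                ports.add(22)
            elif tok.startswith("--service="):
                ports.update(SERVICE_PORTS[s] for s in tok.split("=", 1)[1].split(","))
            elif tok.startswith("--port="):        # kickstart form is port:protocol
                ports.update(int(p.split(":")[0]) for p in tok.split("=", 1)[1].split(","))
    return ports


def missing_ports(kickstart, ruleset):
    """Ports the kickstart promised that the ruleset does not actually open."""
    return sorted(p for p in kickstart_expected_ports(kickstart)
                  if not new_tcp_reachable(ruleset, p))


if __name__ == "__main__":
    for name, ruleset in (("default", DEFAULT_RULESET), ("with ssh rule", FIXED_RULESET)):
        print(f"{name}: ports promised by kickstart but blocked = "
              f"{missing_ports(KICKSTART_LINES, ruleset)}")
```

Run against the default ruleset the checker reports port 22 as promised but blocked, which is exactly the state James Laska saw in comment 3; with the reporter's extra line in place the list is empty. Pointing it at a real `/etc/sysconfig/iptables` and `/root/anaconda-ks.cfg` is a quick post-install sanity check for the same class of regression.
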
Comment 6 Thomas Woerner 2010-05-03 09:06:33 UTC
This should be the same as #568528.

Comment 7 Martin Sivák 2010-05-03 11:44:32 UTC
This really looks like #568528.

Comment 8 Thomas Woerner 2010-05-03 14:25:24 UTC

*** This bug has been marked as a duplicate of bug 568528 ***