Description of problem:
Tried to open port 25 through the shell, the webmin package and the built-in firewall admin package. The following line is present in /etc/sysconfig/iptables:

-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT

Even webmin and the firewall admin package show the same. BUT nmap localhost / nmap <my ip address> does not show the port as 'open'.

Version-Release number of selected component (if applicable):
iptables-1.4.3.1-1.fc11.x86_64
nmap-5.00-1.fc11.x86_64

How reproducible:
Always

Steps to Reproduce:
1. open port 25 through the shell
2. service iptables restart
3. nmap localhost

Actual results:
port 25 closed

Expected results:
port 25 open

Additional info:
nmap may not be having any problem, because configtest.php of the 'squirrelmail' package also says that port 25 is closed. Also telnet to port 25 > connection refused. Is it really a bug, or am I missing something?
Where have you added the line? Please make sure that you are adding the line before the reject rule. Please attach the complete file.
Yes, of course! I have added it before the reject rule. Take a look at the file.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 993 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 995 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
The case is the same with other ports, such as 80 and 443.
The configuration is OK and it opens, for example, port 25 without any problems. Have you installed any other firewall tools besides system-config-firewall?
No, I have not installed any other firewall. Using the above procedure I was able to open port 22. But immediately after that, when I tried to open ports 80 and 25, iptables did not open them. I have been facing this problem since last week. Actually, sometimes it worked and sometimes not, and now it is not working at all.
Please attach the output of iptables-save.
Created attachment 362522: output of iptables-save
This configuration is OK and working as expected. Also, nmap shows the correct output for the eth0 IP address. Are you trying to connect to port 25 on the eth0 interface? This will not work, because the mailers are not binding to eth* by default, only to lo.
Do you have httpd and sendmail running with non-localhost configurations? If not, then this is the reason nmap will not report the ports as being open. No one is listening.
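The two checks raised in this thread (is the ACCEPT rule ahead of the catch-all REJECT, and is anything actually bound to the port on a non-loopback address) can be scripted. The following is an added example, not code from the bug report or from the iptables/system-config-firewall packages. It parses a constructed ruleset in iptables-save format (modelled on the file in comment 3, plus a deliberately broken variant with the port 25 rule placed after the REJECT) and constructed `ss -ltn`-style listener output; the function names `port_allowed`, `listener_scope` and `diagnose` are mine. The distinction it draws is the one that resolves the report: a `-j REJECT --reject-with icmp-host-prohibited` makes nmap report the port as "filtered", while "closed" from nmap and "connection refused" from telnet mean the kernel answered with a TCP RST, so the packet got past the firewall and simply nothing was listening. Against localhost the `-i lo` ACCEPT rule applies anyway, so a "closed" there means the service is not bound even on 127.0.0.1.

```shell
#!/bin/sh
# Added example: check iptables rule order and listener bind address for a port.

# Constructed ruleset (iptables-save layout), trimmed from the one in comment 3.
RULESET_OK=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed broken variant: the port 25 ACCEPT sits after the catch-all REJECT.
RULESET_SHADOWED=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
COMMIT
EOF
)

# Constructed listener table in `ss -ltn` layout: sendmail on loopback only,
# sshd on all IPv4 addresses, httpd on all IPv6 (and mapped IPv4) addresses.
SS_SAMPLE=$(cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      10     127.0.0.1:25        *:*
LISTEN     0      128    *:22                *:*
LISTEN     0      128    :::80               :::*
EOF
)

# port_allowed RULESET PORT -> accepted | shadowed | absent
# Walks the INPUT chain of the filter table in order. "shadowed" means an ACCEPT
# for the port exists but only after a catch-all REJECT/DROP has already matched.
port_allowed() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { table = substr($0, 2); next }                 # *filter, *nat, ...
    table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
    {
      dport = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (dport == port && target == "ACCEPT") {
        print (seen_reject ? "shadowed" : "accepted"); found = 1; exit
      }
      # A REJECT/DROP with no protocol, address, interface or port match is the catch-all.
      if ((target == "REJECT" || target == "DROP") && dport == "" &&
          $0 !~ / -p / && $0 !~ / -s / && $0 !~ / -d / && $0 !~ / -i /)
        seen_reject = 1
    }
    END { if (!found) print "absent" }'
}

# listener_scope SS_OUTPUT PORT -> loopback | all | specific | absent
# Uses the first LISTEN entry for the port; the bind address is everything
# before the last colon of the "Local Address:Port" column.
listener_scope() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 != "LISTEN" { next }                                # skip the header
    {
      n = split($4, a, ":"); p = a[n]
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (addr == "127.0.0.1" || addr == "::1") print "loopback"
      else if (addr == "*" || addr == "0.0.0.0" || addr == "::") print "all"
      else print "specific"
      found = 1; exit
    }
    END { if (!found) print "absent" }'
}

# diagnose RULESET SS_OUTPUT PORT -> what a remote nmap/telnet would see and why.
diagnose() {
  rule=$(port_allowed "$1" "$3")
  bind=$(listener_scope "$2" "$3")
  case "$rule:$bind" in
    accepted:all|accepted:specific) echo "open" ;;
    accepted:loopback) echo "closed: rule ok, service bound to loopback only" ;;
    accepted:absent)   echo "closed: rule ok, nothing listening" ;;
    shadowed:*)        echo "filtered: ACCEPT rule is after the catch-all REJECT" ;;
    *)                 echo "filtered: no ACCEPT rule in INPUT" ;;
  esac
}

diagnose "$RULESET_OK" "$SS_SAMPLE" 25
```

On a live box the same functions take real input: `port_allowed "$(iptables-save)" 25` and `listener_scope "$(ss -ltn)" 25` (or `netstat -ltn`, whose local-address column is in the same position once the header lines are skipped). Note that "specific" only means the service is bound to one concrete address; whether that is the address you scanned still has to be checked by hand.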
I resolved the issue by reinstalling httpd and sendmail. Now everything works fine. I can open/close the ports through /etc/sysconfig/iptables and the same is reflected by nmap whenever there is a service listening on that port. Sorry for the trouble, but now I can't provide much info about the previous configuration.
Closing as NOT A BUG.