Description of problem:
The default iptables configuration on installation of Fedora 13 does not allow you to ssh into the machine as root after installation. This was available on Fedora 12.

Version-Release number of selected component (if applicable):
iptables-1.4.6-2.fc13.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install Fedora-13 Beta
2. Reboot and run firstboot
3. As you can't log in as root to the GUI, try to ssh in as root. You can't because the default iptables settings don't open the ssh port.

Actual results:
You can't ssh in as root to a newly installed machine

Expected results:
I'd expect to be able to ssh in as root to a newly installed machine.

Additional info:
Marking as F13Blocker per list + blocker meeting discussion.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Tony, can you please urgently clarify for us exactly what kind of install you tested, from what Fedora 13 image (beta? nightly? something else?), and what iptables configuration resulted exactly? Thanks. We need this info ASAP - any changes have to be done by Tuesday.

This was discussed at today's blocker review meeting. I think our expected behaviour is that if doing a traditional install, via the network, the installed system should be connected to the network and accessible via ssh directly as root on the first boot after install.
Default iptables rules after an F-13-Final-TC1 installation. Port 22 is blocked. Unclear if this is an intentional change or not.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Note, the /root/anaconda-ks.cfg generated for the manual install performed in comment#3, includes the line:

firewall --service=ssh

So there seems to be the expectation that port 22 should be open.
I did a standard NFS install using the original Fedora 13 Beta rpms

iptables-1.4.6-2.fc13.x86_64.rpm
system-config-firewall-1.2.23-1.fc13.noarch.rpm

Then I ran firstboot. I logged in as an ordinary user and everything including the network seemed fine. I could ping around my test network ok and other machines on my test network could ping the machine. Then, as I couldn't log in to the GUI as root, I tried to ssh in as root to run some configuration scripts I use. I got a "no route to host" error. When I finally tracked down the cause I had the following iptables configuration.

[root@fedora-test ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I added the following line to allow ssh logins

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

restarted iptables and everything worked as expected.

In the anaconda-ks.cfg generated I have the following entries.

selinux --enforcing
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
firewall --service=ssh

This suggests that ssh should be allowed through the firewall by default.

Sorry for the delay but the e-mail arrived after end of work on Friday ;-)

Hope this helps.
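Added example (not part of the original bug report, and not code from any Fedora tool): a small Python check that walks the filter/INPUT chain of an iptables-save style rules file in order and returns the first terminating verdict for a new inbound TCP connection, run here on the rules file quoted in the comment above. It assumes every option takes exactly one value with no `!` negation, and does not model source/destination address matches or jumps to user-defined chains; `new_tcp_verdict`, `with_ssh_rule` and the `eth0` default are names chosen for this example.

```python
import shlex

# Rules file as quoted in the report (written by system-config-firewall).
REPORTED_RULES = """\
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Rule the reporter added to restore ssh access.
SSH_RULE = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"

def port_matches(spec, port):
    lo, _, hi = spec.partition(":")  # "22" or a range such as "6000:6010"
    return int(lo) <= port <= int(hi or lo)

def new_tcp_verdict(rules_text, port, iface="eth0"):
    """First terminating verdict in filter/INPUT for a NEW inbound TCP connection."""
    table, policy = None, "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)  # '#' comment lines become []
        if not tok:
            continue
        if tok[0].startswith("*"):
            table = tok[0][1:]
        elif table == "filter" and tok[0] == ":INPUT":
            policy = tok[1]  # chain policy applies only if no rule terminates
        elif table == "filter" and tok[:2] == ["-A", "INPUT"]:
            opt = dict(zip(tok[2::2], tok[3::2]))  # assumes strict option/value pairs
            matches = (opt.get("-i", iface) == iface
                       and opt.get("-p", "tcp") in ("tcp", "all")
                       and "NEW" in opt.get("--state", "NEW").split(",")
                       and ("--dport" not in opt or port_matches(opt["--dport"], port)))
            if matches and opt.get("-j") in ("ACCEPT", "REJECT", "DROP"):
                return opt["-j"]
    return policy

def with_ssh_rule(rules_text):
    """Insert SSH_RULE ahead of the catch-all INPUT REJECT; order decides the verdict."""
    return rules_text.replace("-A INPUT -j REJECT", SSH_RULE + "-A INPUT -j REJECT", 1)

if __name__ == "__main__":
    print("as installed:", new_tcp_verdict(REPORTED_RULES, 22))
    print("with ssh rule:", new_tcp_verdict(with_ssh_rule(REPORTED_RULES), 22))
```

The same rule appended after the catch-all REJECT never matches, which is why it has to be placed before that line in /etc/sysconfig/iptables.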
This should be the same as #568528.
This really looks like #568528.
*** This bug has been marked as a duplicate of bug 568528 ***