Bug 586685 - iptables prevents ssh login to newly installed machine
iptables prevents ssh login to newly installed machine
Status: CLOSED DUPLICATE of bug 568528
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
: Triaged
Depends On:
Blocks: F13Blocker/F13FinalBlocker
  Show dependency treegraph
 
Reported: 2010-04-28 03:23 EDT by Tony Molloy
Modified: 2010-05-03 10:25 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-03 10:25:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tony Molloy 2010-04-28 03:23:45 EDT
Description of problem:

The default iptables configuration on installation of Fedora 13 does not allow you to ssh into the machine as root after installation.

This was available on Fedora 12.

Version-Release number of selected component (if applicable):

iptables-1.4.6-2.fc13.x86_64

How reproducible:

Every time

Steps to Reproduce:

1. Install Fedora-13 Beta
2. Reboot and run firstboot
3. As you can't login as root to the GUI try to ssh in as root. You can't 
   because the default iptables settings don't open the ssh port.
  
Actual results:

You can't ssh in as root to a newly installed machine

Expected results:

I'd expect to be able to ssh in as root to a newly installed machine.

Additional info:
Comment 1 Adam Williamson 2010-04-29 05:56:40 EDT
Marking as F13Blocker per list + blocker meeting discussion.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Adam Williamson 2010-04-30 14:29:12 EDT
Tony, can you please urgently clarify for us exactly what kind of install you tested, from what Fedora 13 image (beta? nightly? something else?), and what iptables configuration resulted exactly? Thanks. We need this info ASAP - any changes have to be done by Tuesday.

This was discussed at today's blocker review meeting. I think our expected behaviour is that if doing a traditional install, via the network, the installed system should be connected to the network and accessible via ssh directly as root on the first boot after install.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 3 James Laska 2010-04-30 15:50:47 EDT
Default iptables rules after an F-13-Final-TC1 installation.  Port 22 is blocked.  Unclear if this is an intentional change or not.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Comment 4 James Laska 2010-04-30 15:52:15 EDT
Note, the /root/anaconda-ks.cfg generated for the manual install performed in comment#3, includes the line:

firewall --service=ssh

So there seems to be the expectation that port 22 should be open.
Comment 5 Tony Molloy 2010-05-01 04:03:01 EDT
I did a standard NFS install using the original Fedora 13 Beta rpms

iptables-1.4.6-2.fc13.x86_64.rpm
system-config-firewall-1.2.23-1.fc13.noarch.rpm

Then I ran firstboot. I logged in as an ordinary user and everything including the network seemed fine. I could ping around my test network ok and other machines on my test network could ping the machine.

Then as I couldn't login to the GUI as root I tried to ssh in as root to run some configuration scripts I use.

I got a "no route to host" error.

When I finally tracked down the cause I had the following iptables configuration.

[root@fedora-test ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I added the following line to allow ssh logins

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

restarted iptables and everything worked as expected.


In the anaconda-ks.cfg generated I have the following entries.

selinux --enforcing
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
firewall --service=ssh

This suggests that ssh should be allowed through the firewall by default.

Sorry for the delay but the e-mail arrived after end of work on friday ;-)

Hope this helps.
Comment 6 Thomas Woerner 2010-05-03 05:06:33 EDT
This should be the same as #568528.
Comment 7 Martin Sivák 2010-05-03 07:44:32 EDT
This really looks like #568528.
Comment 8 Thomas Woerner 2010-05-03 10:25:24 EDT

*** This bug has been marked as a duplicate of bug 568528 ***

Note You need to log in before you can comment on or make changes to this bug.