<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii" /><title class=""></title></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><p dir="ltr">Yes, I am aware of the paranoid drop chain but I'm not yet knowledgeable enough to repair it properly. This particular policy will only be in place while the script is running, but I am aware that I still need to learn a lot more.</p>
<p dir="ltr">On the upside, Rick, if I continue down this path it won't be long before I change from being a "question king" to a question answerer.</p>
<p dir="ltr">I am very much aware that Linux must, essentially, be self taught. I'm grateful for this group.</p>
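<p dir="ltr">The following is an example added by the editor, not a script from anyone in this thread. It turns Rick's three points into a small POSIX sh ruleset: yum needs NEW outbound TCP to 80 and 443 on the OUTPUT chain (the original opened them on INPUT), the uplink is normally eth0 or enp0s3 rather than ppp0, and during testing a final REJECT rule beats a silent DROP. Beyond what the thread says, it also opens udp/53 outbound, because yum has to resolve mirror hostnames before it can fetch anything. WAN_IF, the IPT dry-run switch, DEV_TARGET and the helper function names are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example by the editor, not a script from the thread. It applies the
# fixes in Rick's reply: yum needs NEW outbound TCP to 80/443 on the OUTPUT
# chain, the uplink is normally eth0/enp0s3 rather than ppp0, and while
# testing a final REJECT beats a silent DROP. DNS (udp/53) is added because
# yum must resolve mirror names; WAN_IF, IPT and DEV_TARGET are assumptions,
# not values from the original script.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # the real uplink; use ppp0 only if you dial out
IPT="${IPT:-iptables}"              # IPT="echo iptables" prints instead of applying
DEV_TARGET="${DEV_TARGET:-REJECT}"  # REJECT while testing, DROP once it works

# Emit the ruleset, one rule per line, without the leading "iptables".
# Ordering matters: iptables is first-match, so the ACCEPTs come before the
# catch-all REJECT, and the DROP policies are set last so a typo above does
# not lock the box out halfway through the script.
egress_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -j $DEV_TARGET
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
EOF
}

# Count the OUTPUT rules that open NEW TCP connections to a given port:
# 1 means yum can reach that port, 0 means the catch-all REJECT wins.
outbound_rules_for_port() {
    egress_rules | grep -c -- "-A OUTPUT -o $WAN_IF -p tcp --dport $1 -m state --state NEW -j ACCEPT" || true
}

# Count rules that open an INPUT port, which is what the original script did
# for 80/443; for an outbound yum run that count should be 0.
inbound_rules_for_port() {
    egress_rules | grep -c -- "-A INPUT .*--dport $1 " || true
}

# Apply the rules in order (or print them when IPT="echo iptables").
apply_rules() {
    egress_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

<p dir="ltr">Run it as <code>IPT="echo iptables" sh egress.sh --apply</code> to review the commands first, then without IPT to apply them. The REJECT has to be a final rule rather than a policy: a built-in chain's policy can only be ACCEPT or DROP, so <code>-P OUTPUT REJECT</code> is not accepted. To see which rule a blocked yum run actually hit, <code>iptables -L OUTPUT -v -n</code> shows per-rule packet counters; with the original script's <code>-o ppp0</code> rule on a host whose uplink is eth0, every outbound packet falls through to the DROP policy and the counters make that visible.</p>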
<br><br><div class="gmail_quote">On May 13, 2015 4:20:01 PM EDT, Rick Hornsby <richardjhornsby@gmail.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br class="" /><div><blockquote type="cite" class=""><div class="">On May 13, 2015, at 15:02, Steve VanSlyck <<a href="mailto:s.vanslyck@postpro.net" class="">s.vanslyck@postpro.net</a>> wrote:</div><br class="Apple-interchange-newline" /><div class="">
<div class="">I cannot figure out why yum is being blocked. I understood it required only ports 80 and 443. The below is from my script:<br class="" /></div></div></blockquote><div>...</div><div><blockquote type="cite" class=""><div class=""><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">read -p "Allow http traffic?"</span><span class="colour" style="color: rgb(255, 0, 0);"><br class="" /></span></b></span></div><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span><span class="colour" style="color: rgb(255, 0, 0);"><br class="" /></span></b></span></div><div class=""> </div><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0,
0);">read -p "Allow https traffic?"</span><span class="colour"
style="color: rgb(255, 0, 0);"><br class=""
/></span></b></span></div><div class=""><span class="font"
style="font-family: menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0,
0);">iptables -A INPUT -p tcp -m tcp --dport 443 -j
ACCEPT</span></b></span></div></div></blockquote><br class=""
/></div><div>Looks like your INPUT and OUTPUT are
backwards.</div><div><br class="" /></div><div>You need to allow
OUTBOUND traffic to ports 80 and/or 443 to access remote yum
repositories. But you are also using a paranoid DROP policy on
your output chain.</div><div><br class="" /></div><div>Something else I
noticed -</div><div><br class="" /></div><div><blockquote type="cite"
class=""><div class=""><div class=""><span class="font"
style="font-family: menlo, consolas, 'courier new', monospace,
sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j ACCEPT</b></span></div></div></blockquote></div><div><br class="" /></div><div>It looks like you're only allowing all outbound traffic on the interface ppp0, which is not normally what I'd expect to see unless you're using some kind of dialup or VPN *outbound* to provide the host connectivity. Usually if an interface is being specified, I'd expect to see eth0, or in the case of CentOS 7 something along the lines of enp0s3. Either changing this, or fixing the two rules that you highlighted will probably do the trick.</div><div><br class="" /></div><div><br class="" /></div><div>one other note - at least for testing purposes you might want to use REJECT instead of DROP. When you use DROP the firewall does exactly what the word implies - it silently drops the packets to the floor and the application has no idea anything is wrong. It is forced to time out waiting for a response that will never come.
With REJECT iptables sends an ICMP response immediately. That should help speed up your development and troubleshooting greatly.</div><div><br class="" /></div><div><a href="http://ipset.netfilter.org/iptables.man.html" class="">http://ipset.netfilter.org/iptables.man.html</a></div><div><br class="" /></div><br class="" /><blockquote type="cite" class=""><div class=""><div class=""><br class="" /><div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Flush all current rules?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -F<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Accept connections to the loopback interface (localhost)?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A INPUT -i lo -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Accept connections from the loopback interface (localhost)?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A OUTPUT -o lo -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Allow outgoing connections?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Drop all pings?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Accept requested inbound traffic?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Accept new and established ssh from specified IP?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Allow established ssh to specified IP?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Drop all other ssh attempts?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -A INPUT -p tcp --dport ssh -j DROP<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">read -p "Allow http traffic?"</span><span class="colour" style="color: #ff0000"><br class="" /></span></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span><span class="colour" style="color: #ff0000"><br class="" /></span></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">read -p "Allow https traffic?"</span><span class="colour" style="color: #ff0000"><br class="" /></span></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</span><br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Set policy: Drop forwarding connections?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -P FORWARD DROP<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Set policy: Drop other incoming connections?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -P INPUT DROP<br class="" /></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">read -p "Set policy: Drop outgoing connections?"<br class="" /></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, "courier new", monospace, sans-serif;"><b class="">iptables -P OUTPUT DROP</b></span><br class="" /></div>
</div>
_______________________________________________<br class="" />colug-432 mailing list<br class="" /><a href="mailto:colug-432@colug.net" class="">colug-432@colug.net</a><br class="" />http://lists.colug.net/mailman/listinfo/colug-432<br class="" /></div></blockquote></div><br class="" /></blockquote></div></body></html>