<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On May 13, 2015, at 15:02, Steve VanSlyck &lt;<a href="mailto:s.vanslyck@postpro.net" class="">s.vanslyck@postpro.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
<div class="">I cannot figure out why yum is being blocked. I understood it required only ports 80 and 443. The below is from my script:<br class=""></div></div></blockquote><div>...</div><div><blockquote type="cite" class=""><div class=""><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">read -p "Allow http traffic?"</span><span class="colour" style="color: rgb(255, 0, 0);"><br class=""></span></b></span></div><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span><span class="colour" style="color: rgb(255, 0, 0);"><br class=""></span></b></span></div><div class=""> </div><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">read -p "Allow https traffic?"</span><span class="colour" style="color: rgb(255, 0, 0);"><br class=""></span></b></span></div><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: rgb(255, 0, 0);">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</span></b></span></div></div></blockquote><br class=""></div><div>Looks like your INPUT and OUTPUT are backwards.</div><div><br class=""></div><div>You need to allow OUTBOUND traffic to ports 80 and/or 443 to access remote yum repositories. 
But you are also using a paranoid DROP policy on your output chain.</div><div><br class=""></div><div>Something else I noticed -</div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j ACCEPT</b></span></div></div></blockquote></div><div><br class=""></div><div>It looks like you're only allowing all outbound traffic on the interface ppp0, which is not normally what I'd expect to see unless you're using some kind of dialup or VPN *outbound* to provide the host connectivity. Usually if an interface is being specified, I'd expect to see eth0, or in the case of CentOS 7 something along the lines of enp0s3. Either changing this, or fixing the two rules that you highlighted will probably do the trick.</div><div><br class=""></div><div><br class=""></div><div>One other note - at least for testing purposes you might want to use REJECT instead of DROP. When you use DROP the firewall does exactly what the word implies - it silently drops the packets to the floor and the application has no idea anything is wrong. It is forced to time out waiting for a response that will never come. With REJECT iptables sends an ICMP response immediately. That should help speed up your development and troubleshooting greatly.</div><div><br class=""></div><div><a href="http://ipset.netfilter.org/iptables.man.html" class="">http://ipset.netfilter.org/iptables.man.html</a></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Flush all current rules?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -F<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Accept connections to the loopback interface (localhost)?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A INPUT -i lo -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Accept connections from the loopback interface (localhost)?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A OUTPUT -o lo -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Allow outgoing connections?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Drop all pings?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Accept requested inbound traffic?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Accept new and established ssh from specified IP?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Allow established ssh to specified IP?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Drop all other ssh attempts?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -A INPUT -p tcp --dport ssh -j DROP<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">read -p "Allow http traffic?"</span><span class="colour" style="color: #ff0000"><br class=""></span></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span><span class="colour" style="color: #ff0000"><br class=""></span></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">read -p "Allow https traffic?"</span><span class="colour" style="color: #ff0000"><br class=""></span></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class=""><span class="colour" style="color: #ff0000">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</span><br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Set policy: Drop forwarding connections?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -P FORWARD DROP<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Set policy: Drop other incoming connections?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -P INPUT DROP<br class=""></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">read -p "Set policy: Drop outgoing connections?"<br class=""></b></span></div>
<div class=""><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b class="">iptables -P OUTPUT DROP</b></span><br class=""></div>
</div>
_______________________________________________<br class="">colug-432 mailing list<br class=""><a href="mailto:colug-432@colug.net" class="">colug-432@colug.net</a><br class="">http://lists.colug.net/mailman/listinfo/colug-432<br class=""></div></blockquote></div><br class=""></body></html>
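Added example, not part of the original message or the poster's script: a shell function that statically checks an `iptables -S` listing for the two problems raised in the reply (web rules on INPUT instead of OUTPUT, and accept rules bound to an interface the host may not use). The function name `lint_web_egress`, the interface name `eth0` and both rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): static check of an `iptables -S` dump.
# Can new outbound TCP 80/443 leave via IFACE, and can the replies return?
# Simplified: reads plain ACCEPT rules and chain policies only; rule order,
# earlier DROP/REJECT rules and DNS (port 53) are not modelled.
lint_web_egress() {   # usage: lint_web_egress "$(iptables -S)" eth0
    printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == "-P" { policy[$2] = $3; next }
    $1 == "-A" && $(NF - 1) == "-j" && $NF == "ACCEPT" {
        ifn = ""; dport = ""; state = ""; other = 0
        for (i = 3; i <= NF - 2; i += 2) {
            v = $(i + 1)
            if ($i == "-i" || $i == "-o") ifn = v
            else if ($i == "--dport") dport = v
            else if ($i == "--state") state = v
            else if (!(($i == "-p" && v == "tcp") || ($i == "-m" && v ~ /^(tcp|state)$/))) other = 1
        }
        if (other || (ifn != "" && ifn != ifc)) next   # rule does not apply here
        if ($2 == "OUTPUT" && state == "") {
            if (dport == "" || dport == "80")  out80 = 1
            if (dport == "" || dport == "443") out443 = 1
        }
        if ($2 == "INPUT" && dport == "" && (state == "" || state ~ /ESTABLISHED/)) back = 1
    }
    END {
        if (policy["OUTPUT"] == "ACCEPT") out80 = out443 = 1
        if (policy["INPUT"] == "ACCEPT") back = 1
        if (!out80)  { print "OUTPUT: new tcp/80 cannot leave via " ifc;  bad = 1 }
        if (!out443) { print "OUTPUT: new tcp/443 cannot leave via " ifc; bad = 1 }
        if (!back)   { print "INPUT: ESTABLISHED replies not accepted on " ifc; bad = 1 }
        exit bad + 0
    }'
}
# Constructed sample: the posted script as `iptables -S` would list it (abridged).
POSTED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT'
# Constructed variant for a host on eth0 (assumed interface name).
FIXED='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT'
```

Run against the posted rules, the check passes for `ppp0` and reports three findings for `eth0`, which is the interface question the reply raises. On a live host, pass it `"$(iptables -S)"` and the interface that carries the default route.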