<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>So, on the first issue, I need to add these two out rules?<br></div>
<div> </div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b><span class="colour" style="color: #ff0000">read -p "Allow outbound http traffic?"</span><span class="colour" style="color: #ff0000"><br></span></b></span></div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b><span class="colour" style="color: #ff0000">iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT  # Allow </span><b><span class="colour" style="color: #ff0000">out</span></b><span class="colour" style="color: #ff0000">bound http traffic</span><span class="colour" style="color: #ff0000"><br></span></b></span></div>
<div> </div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b><span class="colour" style="color: #ff0000">read -p "Allow </span><b><span class="colour" style="color: #ff0000">out</span></b><span class="colour" style="color: #ff0000">bound https traffic?"</span><span class="colour" style="color: #ff0000"><br></span></b></span></div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b><span class="colour" style="color: #ff0000">iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT  # Allow </span><b><span class="colour" style="color: #ff0000">out</span></b><span class="colour" style="color: #ff0000">bound https traffic</span><span class="colour" style="color: #ff0000"><br></span></b></span></div>
<div> </div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b>read -p "Allow inbound http traffic?"<br></b></span></div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b>iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  # Allow inbound http traffic<br></b></span></div>
<div> </div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b>read -p "Allow inbound https traffic?"<br></b></span></div>
<div><span class="font" style="font-family: menlo, consolas, 'courier new', monospace, sans-serif;"><b>iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT  # Allow inbound https traffic<br></b></span></div>
<div> </div>
<div> </div>
<div> </div>
<div>On Wed, May 13, 2015, at 16:20, Rick Hornsby wrote:<br></div>
<blockquote type="cite"><div> </div>
<div><blockquote type="cite"><div>On May 13, 2015, at 15:02, Steve VanSlyck <<a href="mailto:s.vanslyck@postpro.net">s.vanslyck@postpro.net</a>> wrote:<br></div>
<div> </div>
<div><div>I cannot figure out why yum is being blocked. I understood it required only ports 80 and 443. The below is from my script:<br></div>
</div>
</blockquote><div>...<br></div>
<div><blockquote type="cite"><div><div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">read -p "Allow http traffic?"</span></b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span></b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">read -p "Allow https traffic?"</span></b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</span></b></span><br></div>
</div>
</blockquote><div> </div>
</div>
<div>Looks like your INPUT and OUTPUT are backwards.<br></div>
<div> </div>
<div>You need to allow OUTBOUND traffic to ports 80 and/or 443 to access remote yum repositories. But you are also using a paranoid DROP policy on your output chain.<br></div>
<div> </div>
<div>Something else I noticed -<br></div>
<div> </div>
<div><blockquote type="cite"><div><div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A OUTPUT -o ppp0 -j ACCEPT</b></span><br></div>
</div>
</blockquote></div>
<div> </div>
<div>It looks like you're only allowing all outbound traffic on the interface ppp0, which is not normally what I'd expect to see unless you're using some kind of dialup or VPN *outbound* to provide the host connectivity. Usually if an interface is being specified, I'd expect to see eth0, or in the case of CentOS 7 something along the lines of enp0s3. Either changing this, or fixing the two rules that you highlighted will probably do the trick.<br></div>
<div> </div>
<div> </div>
<div>one other note - at least for testing purposes you might want to use REJECT instead of DROP. When you use DROP the firewall does exactly what the word implies - it silently drops the packets to the floor and the application has no idea anything is wrong. It is forced to time out waiting for a response that will never come. With REJECT iptables sends an ICMP response immediately. That should help speed up your development and troubleshooting greatly.<br></div>
<div> </div>
<div><a href="http://ipset.netfilter.org/iptables.man.html">http://ipset.netfilter.org/iptables.man.html</a><br></div>
<div> </div>
<div> </div>
<blockquote type="cite"><div><div><div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Flush all current rules?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -F</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Accept connections to the loopback interface (localhost)?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A INPUT -i lo -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Accept connections from the loopback interface (localhost)?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A OUTPUT -o lo -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Allow outgoing connections?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A OUTPUT -o ppp0 -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Drop all pings?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A INPUT -p icmp --icmp-type echo-request -j DROP</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Accept requested inbound traffic?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Accept new and established ssh from specified IP?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Allow established ssh to specified IP?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Drop all other ssh attempts?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -A INPUT -p tcp --dport ssh -j DROP</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">read -p "Allow http traffic?"</span></b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</span></b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">read -p "Allow https traffic?"</span></b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b><span class="colour" style="color:rgb(255, 0, 0)">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</span></b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Set policy: Drop forwarding connections?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -P FORWARD DROP</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Set policy: Drop other incoming connections?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -P INPUT DROP</b></span><br></div>
<div> </div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>read -p "Set policy: Drop outgoing connections?"</b></span><br></div>
<div><span class="font" style="font-family:menlo, consolas, 'courier new', monospace, sans-serif"><b>iptables -P OUTPUT DROP</b></span><br></div>
</div>
<div>_______________________________________________<br></div>
<div>colug-432 mailing list<br></div>
<div><a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br></div>
<div>http://lists.colug.net/mailman/listinfo/colug-432<br></div>
</div>
</blockquote></div>
<div> </div>
</blockquote><div> </div>
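<div>The thread above turns on how iptables evaluates a chain: first matching rule wins, and with a DROP policy on OUTPUT anything not explicitly accepted never leaves the host. The following is an added example, not code from either poster or from any project: a small first-match model of the quoted script, reduced to the matches it actually uses (chain, interface, protocol, destination port, conntrack state). It checks offline what the posted rules do to yum's HTTPS connection when the uplink really is ppp0 versus when it is eth0, what Rick's two outbound ACCEPTs change, and why a trailing REJECT rule is the way to get the "reject instead of drop" behaviour he suggests for troubleshooting. The interface name eth0, the ephemeral port 40123, the packet dicts and all function names are constructed assumptions.</div>

```python
"""First-match model of the iptables chains discussed in this thread.

Added example, not code from either poster. It models only the matches the
posted script uses (chain, interface, protocol, destination port, conntrack
state) so the effect of a DROP policy on OUTPUT can be checked offline.
The interface name eth0, the ephemeral port 40123 and the packet dicts are
constructed assumptions; the rules mirror the script quoted in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    chain: str                         # INPUT or OUTPUT
    target: str                        # ACCEPT, DROP or REJECT
    iface: Optional[str] = None        # -i (INPUT) / -o (OUTPUT)
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    states: Optional[Set[str]] = None  # -m state --state a,b

    def matches(self, pkt: Dict) -> bool:
        """Every match given on the rule must hold; unset matches are wildcards."""
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.states is None or pkt["state"] in self.states))


@dataclass
class Firewall:
    policy: Dict[str, str]             # iptables -P <chain> ACCEPT|DROP
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A
        self.rules.append(rule)

    def verdict(self, chain: str, pkt: Dict) -> str:
        """First matching rule in the chain wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.chain == chain and rule.matches(pkt):
                return rule.target
        return self.policy[chain]


def posted_ruleset(wan: str = "ppp0") -> Firewall:
    """The script as quoted in the thread, reduced to the fields modelled here.

    The ssh-by-source-IP rules and the icmp-type match are left out because
    they play no part in the yum path; 'wan' is the interface the script
    hard-codes as ppp0.
    """
    fw = Firewall(policy={"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"})
    fw.append(Rule("INPUT", "ACCEPT", iface="lo"))
    fw.append(Rule("OUTPUT", "ACCEPT", iface="lo"))
    fw.append(Rule("OUTPUT", "ACCEPT", iface=wan))                  # -o ppp0
    fw.append(Rule("INPUT", "DROP", proto="icmp"))
    fw.append(Rule("INPUT", "ACCEPT", iface=wan, states={"ESTABLISHED", "RELATED"}))
    fw.append(Rule("INPUT", "DROP", proto="tcp", dport=22))
    fw.append(Rule("INPUT", "ACCEPT", proto="tcp", dport=80))       # the two rules in red
    fw.append(Rule("INPUT", "ACCEPT", proto="tcp", dport=443))
    return fw


def with_outbound_web(fw: Firewall) -> Firewall:
    """Rick's fix: explicit OUTPUT ACCEPTs for 80 and 443."""
    fw.append(Rule("OUTPUT", "ACCEPT", proto="tcp", dport=80))
    fw.append(Rule("OUTPUT", "ACCEPT", proto="tcp", dport=443))
    return fw


def with_final_reject(fw: Firewall) -> Firewall:
    """Troubleshooting variant: a trailing REJECT rule per chain.

    A chain policy (-P) can only be ACCEPT or DROP, so 'reject instead of
    drop' is done with a last catch-all rule, which answers immediately
    instead of letting the client time out.
    """
    fw.append(Rule("INPUT", "REJECT"))
    fw.append(Rule("OUTPUT", "REJECT"))
    return fw


def yum_https_verdicts(fw: Firewall, iface: str) -> Tuple[str, str]:
    """Verdict for yum's SYN to a repo on 443 and for the repo's reply."""
    syn = {"iface": iface, "proto": "tcp", "dport": 443, "state": "NEW"}
    reply = {"iface": iface, "proto": "tcp", "dport": 40123, "state": "ESTABLISHED"}
    return fw.verdict("OUTPUT", syn), fw.verdict("INPUT", reply)


if __name__ == "__main__":
    for label, fw, iface in [
        ("posted, uplink really is ppp0", posted_ruleset(), "ppp0"),
        ("posted, uplink is eth0", posted_ruleset(), "eth0"),
        ("outbound 80/443 added, uplink eth0", with_outbound_web(posted_ruleset()), "eth0"),
        ("ppp0 replaced by eth0 in the script", posted_ruleset("eth0"), "eth0"),
        ("posted + final REJECT, uplink eth0", with_final_reject(posted_ruleset()), "eth0"),
    ]:
        out, back = yum_https_verdicts(fw, iface)
        print(f"{label:38s} SYN out: {out:6s} reply in: {back}")
```

<div>Two things the model makes visible that the prose only hints at. First, the two inbound rules marked in red never match yum's traffic at all: the repo's reply arrives with an ephemeral destination port, so it can only pass through the ESTABLISHED,RELATED rule, and that rule is pinned to ppp0. Second, adding the two outbound ACCEPTs lets the SYN out on eth0 but the reply is still dropped, so when the real uplink is not ppp0 the interface on the ESTABLISHED rule has to be corrected as well (or the -i/-o restriction removed), which is why fixing the interface name alone also works.</div>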
</body>
</html>