<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    You probably need outbound DNS (tcp/53, udp/53) for Yum to work
    properly.  Depending on your routing, you may need other protocols,
    too.<br>
    <br>
    Egress filtering is pretty advanced to start with in iptables; you
    may want to profile your usage, maybe read a book or a few websites
    on firewall rule design, before you tackle it.  The old chestnut
    _Building Internet Firewalls_ or something like that, maybe?<br>
    <br>
    <div class="moz-cite-prefix">On 2015-05-13 16:20, Rick Hornsby
      wrote:<br>
    </div>
    <blockquote
      cite="mid:5E2A42E9-C5D9-4DBA-9AD1-040B2467D18B@gmail.com"
      type="cite">
      <br class="">
      <div>
        <blockquote type="cite" class="">
          <div class="">On May 13, 2015, at 15:02, Steve VanSlyck &lt;<a
              moz-do-not-send="true"
              href="mailto:s.vanslyck@postpro.net" class="">s.vanslyck@postpro.net</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <div class="">I cannot figure out why yum is being blocked.
              I understood it required only ports 80 and 443. The below
              is from my script:<br class="">
            </div>
          </div>
        </blockquote>
        <div>...</div>
        <div>
          <blockquote type="cite" class="">
            <div class="">
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, 'courier new', monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: rgb(255, 0, 0);">read -p "Allow http
                      traffic?"</span><span class="colour" style="color:
                      rgb(255, 0, 0);"><br class="">
                    </span></b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, 'courier new', monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: rgb(255, 0, 0);">iptables -A INPUT
                      -p tcp -m tcp --dport 80 -j ACCEPT</span><span
                      class="colour" style="color: rgb(255, 0, 0);"><br
                        class="">
                    </span></b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, 'courier new', monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: rgb(255, 0, 0);">read -p "Allow
                      https traffic?"</span><span class="colour"
                      style="color: rgb(255, 0, 0);"><br class="">
                    </span></b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, 'courier new', monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: rgb(255, 0, 0);">iptables -A INPUT
                      -p tcp -m tcp --dport 443 -j ACCEPT</span></b></span></div>
            </div>
          </blockquote>
          <br class="">
        </div>
        <div>Looks like your INPUT and OUTPUT are backwards.</div>
        <div><br class="">
        </div>
        <div>You need to allow OUTBOUND traffic to ports 80 and/or 443
          to access remote yum repositories.  But you are also using a
          paranoid DROP policy on your output chain.</div>
        <div><br class="">
        </div>
        <div>Something else I noticed -</div>
        <div><br class="">
        </div>
        <div>
          <blockquote type="cite" class="">
            <div class="">
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, 'courier new', monospace,
                  sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j
                    ACCEPT</b></span></div>
            </div>
          </blockquote>
        </div>
        <div><br class="">
        </div>
        <div>It looks like you're only allowing all outbound traffic on
          the interface ppp0, which is not normally what I'd expect to
          see unless you're using some kind of dialup or VPN *outbound*
          to provide the host connectivity.  Usually if an interface is
          being specified, I'd expect to see eth0, or in the case of
          CentOS 7 something along the lines of enp0s3.  Either changing
          this, or fixing the two rules that you highlighted will
          probably do the trick.</div>
        <div><br class="">
        </div>
        <div><br class="">
        </div>
        <div>One other note - at least for testing purposes you might
          want to use REJECT instead of DROP.  When you use DROP the
          firewall does exactly what the word implies - it silently
          drops the packets to the floor and the application has no idea
          anything is wrong.  It is forced to time out waiting for a
          response that will never come.  With REJECT iptables sends an
          ICMP response immediately. That should help speed up your
          development and troubleshooting greatly.</div>
        <div><br class="">
        </div>
        <div><a moz-do-not-send="true"
            href="http://ipset.netfilter.org/iptables.man.html" class="">http://ipset.netfilter.org/iptables.man.html</a></div>
        <div><br class="">
        </div>
        <br class="">
        <blockquote type="cite" class="">
          <div class="">
            <div class=""><br class="">
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Flush all current
                    rules?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -F<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Accept connections
                    to the loopback interface (localhost)?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A INPUT -i lo -j
                    ACCEPT<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Accept connections
                    from the loopback interface (localhost)?"<br
                      class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A OUTPUT -o lo -j
                    ACCEPT<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Allow outgoing
                    connections?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j
                    ACCEPT<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Drop all pings?"<br
                      class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A INPUT -p icmp
                    --icmp-type echo-request -j DROP<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Accept requested
                    inbound traffic?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A INPUT -i ppp0 -m
                    state --state ESTABLISHED,RELATED -j ACCEPT<br
                      class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Accept new and
                    established ssh from specified IP?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A INPUT -p tcp -s
                    107.132.57.128 --dport ssh -m state --state
                    NEW,ESTABLISHED -j ACCEPT<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Allow established
                    ssh to specified IP?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A OUTPUT -p tcp -d
                    107.132.57.128 --sport 22 -m state --state
                    ESTABLISHED -j ACCEPT<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Drop all other ssh
                    attempts?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -A INPUT -p tcp
                    --dport ssh -j DROP<br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: #ff0000">read -p "Allow http
                      traffic?"</span><span class="colour" style="color:
                      #ff0000"><br class="">
                    </span></b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: #ff0000">iptables -A INPUT -p tcp -m
                      tcp --dport 80 -j ACCEPT</span><span
                      class="colour" style="color: #ff0000"><br class="">
                    </span></b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: #ff0000">read -p "Allow https
                      traffic?"</span><span class="colour" style="color:
                      #ff0000"><br class="">
                    </span></b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class=""><span class="colour"
                      style="color: #ff0000">iptables -A INPUT -p tcp -m
                      tcp --dport 443 -j ACCEPT</span><br class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Set policy: Drop
                    forwarding connections?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -P FORWARD DROP<br
                      class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Set policy: Drop
                    other incoming connections?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -P INPUT DROP<br
                      class="">
                  </b></span></div>
              <div class=""> </div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">read -p "Set policy: Drop
                    outgoing connections?"<br class="">
                  </b></span></div>
              <div class=""><span class="font" style="font-family:
                  menlo, consolas, &quot;courier new&quot;, monospace,
                  sans-serif;"><b class="">iptables -P OUTPUT DROP</b></span><br
                  class="">
              </div>
            </div>
            _______________________________________________<br class="">
            colug-432 mailing list<br class="">
            <a moz-do-not-send="true" href="mailto:colug-432@colug.net"
              class="">colug-432@colug.net</a><br class="">
            <a class="moz-txt-link-freetext" href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a><br
              class="">
          </div>
        </blockquote>
      </div>
      <br class="">
    </blockquote>
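As an added example (not code from any of the three messages above), here is a corrected
version of the script the thread is debugging: the http/https allows move to the OUTPUT
chain where a yum client actually needs them, outbound DNS (tcp/53 and udp/53) is opened,
ESTABLISHED,RELATED is accepted in both directions, and a MODE switch picks REJECT while
testing and DROP once the ruleset is known-good. The interface name eth0, the IPT and MODE
variables, the LOG prefixes and the "apply" argument are this example's own assumptions;
the admin ssh address is the one from the original script.<br>

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a yum client that
# keeps default-DROP policies but opens the egress yum actually needs.
# Dry-run:  IPT=echo sh fw.sh apply      Apply for real:  sudo sh fw.sh apply
#
# Assumptions (edit to taste): interface name, admin ssh source, repo ports.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                       # ppp0 / enp0s3 on other hosts
ADMIN_IP="${ADMIN_IP:-107.132.57.128}"   # ssh source from the original script
MODE="${MODE:-test}"                     # test -> REJECT, prod -> DROP

ipt() { $IPT "$@"; }

apply_rules() {
    # REJECT answers with an ICMP error immediately, so a blocked yum or
    # curl fails at once instead of timing out; switch to DROP in prod.
    if [ "$MODE" = prod ]; then DENY=DROP; else DENY=REJECT; fi

    ipt -F
    ipt -X

    # Loopback both ways.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections conntrack already knows, in BOTH
    # directions. Without the OUTPUT half, even permitted inbound ssh
    # cannot send its replies once OUTPUT defaults to DROP.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Inbound: new ssh from the admin host only; drop echo-request as the
    # original script did.
    ipt -A INPUT -i "$WAN" -p tcp -s "$ADMIN_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Outbound: the egress a yum client needs. A repo fetch is a NEW
    # connection leaving on OUTPUT; its replies come back as ESTABLISHED on
    # INPUT, so "INPUT --dport 80 -j ACCEPT" never matches yum traffic.
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) whatever is about to be denied, so you can profile
    # what else the host tries to reach before tightening further.
    ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DENY: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DENY: "
    ipt -A INPUT  -j "$DENY"
    ipt -A OUTPUT -j "$DENY"

    # Default policies go last: set before the ACCEPT rules above, they
    # would stall the ssh session used to load this script.
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT  DROP
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it once with IPT=echo and read the generated rules before applying them for real;
keep a console session (or a timed "iptables -F" in another shell) available the first
time, because a mistake in the OUTPUT rules cuts off the host's own ssh replies.<br>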
    <br>
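The first reply suggests profiling your usage before tightening egress. As an added example
(not from the thread), the shell function below reads kernel log lines produced by an iptables
LOG rule and summarises which destinations and ports the OUTPUT chain has been denying. The
"IPT-OUT-DENY: " prefix and the sample log lines are constructed for this example; the
addresses are documentation/private ranges, not real hosts.<br>

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a default-deny OUTPUT
# chain has been rejecting, so you can decide what else needs opening.
# Assumes the LOG rule used the prefix "IPT-OUT-DENY: " (an assumption of
# this example, not something the thread specifies).

# Constructed sample of kernel log lines in the format the iptables LOG
# target emits (two blocked DNS lookups, one https fetch, one NTP query,
# and one inbound line that must be ignored).
SAMPLE_LOG='May 13 16:20:01 host kernel: IPT-OUT-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
May 13 16:20:02 host kernel: IPT-OUT-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
May 13 16:20:03 host kernel: IPT-OUT-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 13 16:20:04 host kernel: IPT-OUT-DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=123 DPT=123 LEN=56
May 13 16:20:05 host kernel: IPT-IN-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarise_egress: read log lines on stdin, print "COUNT PROTO DST DPT"
# for IPT-OUT-DENY entries only, most frequent first.
summarise_egress() {
    awk '
        /IPT-OUT-DENY:/ {
            proto = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto != "" && dst != "" && dpt != "")
                count[proto " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample. On a live host use:  journalctl -k | summarise_egress
printf '%s\n' "$SAMPLE_LOG" | summarise_egress
```

Each line of the summary is one (protocol, destination, port) tuple the host tried to
reach and was denied; anything that shows up repeatedly and that you recognise (the
resolver on 53, a time server on 123) is a candidate for an explicit OUTPUT rule, and
anything you do not recognise is worth investigating before you open it.<br>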
  </body>
</html>