<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You probably need outbound DNS (tcp/53, udp/53) for Yum to work
properly. Depending on your routing, you may need other protocols,
too.<br>
<br>
Egress filtering is pretty advanced to start with in iptables; you
may want to profile your usage, maybe read a book or a few websites
on firewall rule design, before you tackle it. The old chestnut
_Building Internet Firewalls_ or something like that, maybe?<br>
<br>
<div class="moz-cite-prefix">On 2015-05-13 16:20, Rick Hornsby
wrote:<br>
</div>
<blockquote
cite="mid:5E2A42E9-C5D9-4DBA-9AD1-040B2467D18B@gmail.com"
type="cite">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On May 13, 2015, at 15:02, Steve VanSlyck <<a
moz-do-not-send="true"
href="mailto:s.vanslyck@postpro.net" class="">s.vanslyck@postpro.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">I cannot figure out why yum is being blocked.
I understood it required only ports 80 and 443. The below
is from my script:<br class="">
</div>
</div>
</blockquote>
<div>...</div>
<div>
<blockquote type="cite" class="">
<div class="">
<div class=""><span class="font" style="font-family:
menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour"
style="color: rgb(255, 0, 0);">read -p "Allow http
traffic?"</span><span class="colour" style="color:
rgb(255, 0, 0);"><br class="">
</span></b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour"
style="color: rgb(255, 0, 0);">iptables -A INPUT
-p tcp -m tcp --dport 80 -j ACCEPT</span><span
class="colour" style="color: rgb(255, 0, 0);"><br
class="">
</span></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour"
style="color: rgb(255, 0, 0);">read -p "Allow
https traffic?"</span><span class="colour"
style="color: rgb(255, 0, 0);"><br class="">
</span></b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, 'courier new', monospace,
sans-serif;"><b class=""><span class="colour"
style="color: rgb(255, 0, 0);">iptables -A INPUT
-p tcp -m tcp --dport 443 -j ACCEPT</span></b></span></div>
</div>
</blockquote>
<br class="">
</div>
<div>Looks like your INPUT and OUTPUT are backwards.</div>
<div><br class="">
</div>
<div>You need to allow OUTBOUND traffic to ports 80 and/or 443
to access remote yum repositories. But you are also using a
paranoid DROP policy on your output chain.</div>
<div><br class="">
</div>
<div>Something else I noticed -</div>
<div><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">
<div class=""><span class="font" style="font-family:
menlo, consolas, 'courier new', monospace,
sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j
ACCEPT</b></span></div>
</div>
</blockquote>
</div>
<div><br class="">
</div>
<div>It looks like you're only allowing all outbound traffic on
the interface ppp0, which is not normally what I'd expect to
see unless you're using some kind of dialup or VPN *outbound*
to provide the host connectivity. Usually if an interface is
being specified, I'd expect to see eth0, or in the case of
CentOS 7 something along the lines of enp0s3. Either changing
this, or fixing the two rules that you highlighted will
probably do the trick.</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div>One other note - at least for testing purposes you might
want to use REJECT instead of DROP. When you use DROP the
firewall does exactly what the word implies - it silently
drops the packets to the floor and the application has no idea
anything is wrong. It is forced to time out waiting for a
response that will never come. With REJECT iptables sends an
ICMP response immediately. That should help speed up your
development and troubleshooting greatly.</div>
<div><br class="">
</div>
<div><a moz-do-not-send="true"
href="http://ipset.netfilter.org/iptables.man.html" class="">http://ipset.netfilter.org/iptables.man.html</a></div>
<div><br class="">
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class=""><br class="">
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Flush all current
rules?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -F<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Accept connections
to the loopback interface (localhost)?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A INPUT -i lo -j
ACCEPT<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Accept connections
from the loopback interface (localhost)?"<br
class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A OUTPUT -o lo -j
ACCEPT<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Allow outgoing
connections?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A OUTPUT -o ppp0 -j
ACCEPT<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Drop all pings?"<br
class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A INPUT -p icmp
--icmp-type echo-request -j DROP<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Accept requested
inbound traffic?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A INPUT -i ppp0 -m
state --state ESTABLISHED,RELATED -j ACCEPT<br
class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Accept new and
established ssh from specified IP?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A INPUT -p tcp -s
107.132.57.128 --dport ssh -m state --state
NEW,ESTABLISHED -j ACCEPT<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Allow established
ssh to specified IP?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A OUTPUT -p tcp -d
107.132.57.128 --sport 22 -m state --state
ESTABLISHED -j ACCEPT<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Drop all other ssh
attempts?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -A INPUT -p tcp
--dport ssh -j DROP<br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class=""><span class="colour"
style="color: #ff0000">read -p "Allow http
traffic?"</span><span class="colour" style="color:
#ff0000"><br class="">
</span></b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class=""><span class="colour"
style="color: #ff0000">iptables -A INPUT -p tcp -m
tcp --dport 80 -j ACCEPT</span><span
class="colour" style="color: #ff0000"><br class="">
</span></b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class=""><span class="colour"
style="color: #ff0000">read -p "Allow https
traffic?"</span><span class="colour" style="color:
#ff0000"><br class="">
</span></b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class=""><span class="colour"
style="color: #ff0000">iptables -A INPUT -p tcp -m
tcp --dport 443 -j ACCEPT</span><br class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Set policy: Drop
forwarding connections?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -P FORWARD DROP<br
class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Set policy: Drop
other incoming connections?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -P INPUT DROP<br
class="">
</b></span></div>
<div class=""> </div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">read -p "Set policy: Drop
outgoing connections?"<br class="">
</b></span></div>
<div class=""><span class="font" style="font-family:
menlo, consolas, "courier new", monospace,
sans-serif;"><b class="">iptables -P OUTPUT DROP</b></span><br
class="">
</div>
</div>
_______________________________________________<br class="">
colug-432 mailing list<br class="">
<a moz-do-not-send="true" href="mailto:colug-432@colug.net"
class="">colug-432@colug.net</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a><br
class="">
</div>
</blockquote>
</div>
</blockquote>
<br>
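<div>The egress rule set the replies above describe (OUTPUT rules for DNS and HTTP/HTTPS, a stateful rule for the return traffic, REJECT as the catch-all while testing), written out as an added example that is not part of this thread. The uplink interface name and the small lint function are assumptions, not anything from the original script; the script emits the rules rather than applying them, so they can be reviewed first.</div>

```shell
#!/bin/sh
# Added example (not from the thread). Emits the outbound rules yum needs
# instead of applying them, so the list can be reviewed; pipe to sh to apply.

# rule ARGS...  -> prints one iptables command line
rule() { printf 'iptables %s\n' "$*"; }

# egress_rules IFACE [TARGET]
#   IFACE  uplink interface (eth0, enp0s3, ppp0 ...); an assumption, set per host
#   TARGET REJECT while testing (immediate ICMP error), DROP once it works
egress_rules() {
    iface="$1"; catchall="${2:-REJECT}"
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # replies to connections this host opened (yum's HTTP responses)
    rule -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # name resolution has to work before any mirror can be reached
    rule -A OUTPUT -o "$iface" -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -o "$iface" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # repository traffic leaves the host: OUTPUT, not INPUT as in the script
    rule -A OUTPUT -o "$iface" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -o "$iface" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # catch-all rule ahead of the policy: REJECT makes a blocked flow fail at once
    rule -A OUTPUT -j "$catchall"
    rule -P OUTPUT DROP
}

# lint_rules: read an iptables script on stdin and flag the mistake from the
# thread: OUTPUT policy DROP with no OUTPUT ACCEPT for the ports yum uses.
lint_rules() {
    script="$(cat)"
    printf '%s\n' "$script" | grep -q 'iptables -P OUTPUT DROP' || return 0
    rc=0
    for port in 53 80 443; do
        if ! printf '%s\n' "$script" | grep -Eq -- "-A OUTPUT .*--dport $port( |$)"; then
            echo "missing: OUTPUT ACCEPT for --dport $port while OUTPUT policy is DROP"
            rc=1
        fi
    done
    return "$rc"
}

# usage:  sh egress.sh eth0 | lint_rules     (check)
#         sh egress.sh eth0 | sh             (apply, as root)
if [ $# -gt 0 ]; then egress_rules "$@"; fi
```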
</body>
</html>