Thursday, February 26, 2015

some new tricks for old dogs

Recently I've configured a small box with Fedora 21 Linux. I've done all my tasks inside the system with no issues and tested web services access outside. The real surprise was blocked access to standard http/https ports, while upper ports were quite accessible.
I'm an old dog, I'm really are. I know what it means when I see such page.


I see firewall. Especially if I can connect locally. Well, let's keep in mind systemcmd instead of good old services.

[root@fed21 ~]# systemctl status iptables
â iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

[root@fed21 ~]# systemctl status ip6tablesâ ip6tables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

[root@fed21 ~]# sestatus
SELinux status:                 disabled
[root@fed21 ~]#


Looks pretty open, doesn't it? Actually it does not! Behold the new tricks with firewallD!
Hope I could save you couple hours and give you a hint.
So let's check firewall status:

[root@fed21 ~]# firewall-cmd --list-all
FedoraWorkstation (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


Ok, It block access to ports below 1025 (1025-65536/tcp) for interface enp0s3. Let's find how to fix it. You may use port range, I've stuck with two main ports

[root@fed21 ~]# firewall-cmd --add-port=80/tcp
success
[root@fed21 ~]# firewall-cmd --add-port=443/tcp
success


Now I have access to my browser outside the box. By the way if you want to keep this changes, I bet you do just add --permanent option.

[root@fed21 ~]# firewall-cmd --list-all
FedoraWorkstation (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 443/tcp 80/tcp 1025-65535/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

If your Apache still not available, reload firewall parameters with command:

[root@fed21 ~]# firewall-cmd --reload
success



Hey I've just learned new tricks, what about you?
Post a Comment