Eu não sou um sysadmin, muito menos um sysadmin do RHEL, mas por alguma razão eu tenho que fazer algumas mudanças de configuração em alguns servidores RHEL.
Eu preciso configurar alguns serviços em diferentes servidores RHEL e eles devem poder se conectar uns aos outros. Em um deles, o servidor de aplicativos, consegui abrir a porta 8080 no iptables e ele está aceitando conexões de entrada de máquinas remotas. Mas, do outro, o servidor de banco de dados, parece que não consigo abrir a porta 54321, que o Monet DB está usando atualmente, e posso conectar-me a ela somente se eu parar o iptables.
Saída de netstat -lnp :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 4252/./hpiod
tcp 0 0 0.0.0.0:777 0.0.0.0:* LISTEN 3987/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3942/portmap
tcp 0 0 0.0.0.0:54321 0.0.0.0:* LISTEN 2792/monetdbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4273/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4285/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4347/sendmail
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 4257/python
udp 0 0 0.0.0.0:771 0.0.0.0:* 3987/rpc.statd
udp 0 0 0.0.0.0:774 0.0.0.0:* 3987/rpc.statd
udp 1912 0 0.0.0.0:41740 0.0.0.0:* 2792/monetdbd
udp 0 0 0.0.0.0:48280 0.0.0.0:* 4469/avahi-daemon
udp 0 0 0.0.0.0:54321 0.0.0.0:* 2792/monetdbd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4469/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 3942/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 4285/cupsd
udp 0 0 10.1.1.152:123 0.0.0.0:* 4313/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 4313/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4313/ntpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 10042 3348/iscsid @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 443552 2792/monetdbd /tmp/.s.monetdb.54321
unix 2 [ ACC ] STREAM LISTENING 443556 2792/monetdbd /tmp/.s.merovingian.54321
unix 2 [ ACC ] STREAM LISTENING 15085 4599/gam_server @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 11367 4065/sdpd /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 14449 4411/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 14994 4548/gdm-binary /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 443673 2806/mserver5 /home/pentaho/tumsdw/tumsdw/.mapi.sock
unix 2 [ ACC ] STREAM LISTENING 15024 4594/Xorg /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 11476 4136/pcscd /var/run/pcscd.comm
unix 2 [ ACC ] STREAM LISTENING 11507 4146/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 13088 4049/python /var/run/setroubleshoot/setroubleshoot_server
unix 2 [ ACC ] STREAM LISTENING 13764 4285/cupsd /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 10025 3342/iscsiuio @ISCSID_UIP_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 14629 4469/avahi-daemon /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 14204 4373/gpm /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 11533 4155/hald @/var/run/hald/dbus-ETzjGIzvFr
unix 2 [ ACC ] STREAM LISTENING 11532 4155/hald @/var/run/hald/dbus-8lZKbUmyAE
unix 2 [ ACC ] STREAM LISTENING 10262 3457/mcstransd /var/run/setrans/.setrans-unix
unix 2 [ ACC ] STREAM LISTENING 10659 3798/audispd /var/run/audispd_events
unix 2 [ ACC ] STREAM LISTENING 11238 4037/dbus-daemon /var/run/dbus/system_bus_socket
E conteúdo de /etc/sysconfig/iptables :
# Generated by iptables-save v1.3.5 on Wed Oct 29 17:00:09 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:16246]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Oct 29 17:00:09 2014
# Generated by iptables-save v1.3.5 on Wed Oct 29 17:00:09 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [2:170]
:OUTPUT ACCEPT [2:170]
COMMIT
# Completed on Wed Oct 29 17:00:09 2014
Tanto quanto eu posso dizer, esta configuração corresponde exatamente a dos outros servidores (exceto a mudança da porta 8080 para 54321), mas com o iptables iniciado eu não consigo me conectar a ela remotamente (eu posso conectar localmente sem problema, no entanto) .
Alguma opinião?
Tags networking iptables rhel-5