On Mon, Nov 2, 2009 at 10:57 AM, ken gebser@mousecar.com wrote:
> On 11/02/2009 09:36 AM Rob Kampen wrote:
>> ken wrote:
>>> On 10/31/2009 04:10 AM Tony Molloy wrote:
>>>> On Saturday 31 October 2009 07:48:05 hadi motamedi wrote:
>>>>> Dear All,
>>>>> To open a port, I know that I need to go to "System -> Administration -> Security Level and Firewall" -> Other ports and then I can open port 5901 as tcp protocol. Can you please do me a favor and let me know how it can be done from the command line (if my CentOS is text-mode installed)? (perhaps via iptables?) Let me thank you in advance.
>>>> Edit /etc/sysconfig/iptables
>>>> Restart iptables with service iptables restart
>>>> Tony
>>> My /etc/sysconfig/iptables states at the top that editing of it is not recommended. Yeah, I don't always follow such recommendations myself, but is there perhaps another way more in keeping with the sense of the application?
>> Yeah, editing directly can be risky; nothing worse than making a change only to find that access to your server just disappeared and you need to get in front of it to reset via the console.... I use webmin for most of my edits, only make it accessible from the LAN and not the WAN. You can always tunnel the :10000 port via ssh and access securely from a remote location. The webmin console is left open while I test, thus I have not yet tripped up on this, though I can imagine it is not foolproof.
>> HTH
>> Rob
> Rob,
> Sounds like you've thought through the process and have a well-planned strategy for failure-prevention. Cool.
> I checked my port 10000 (ssh -p 10000 ...) and found it not available ("Connection refused"). So in what sense, or how, can I always tunnel it?
> tnx.
You can use iptables to insert and delete rules in the running instance, and after testing you can save the new setup.
The syntax is:

    iptables -I $TABLE_NAME $POS -s $SRC_IPS -m state --state NEW -p tcp --dport 5901 -j ACCEPT

The default TABLE_NAME is "RH-Firewall-1-INPUT" for CentOS.
You can figure out the POS you want by running

    iptables -L

which dumps the rules on the screen.
The SRC_IPS are the machine(s) you want to grant access to.
If you mess up, you can just restart iptables and you'll be back to where you were. These changes are not permanent. If you're working remotely, you can set up a cron job to restart iptables at some sensible interval so you won't be locked out until you have physical access to the machine.
Once you're satisfied the new rules are working right, you can use the iptables script in /etc/init.d to save the new config. And don't forget to get rid of the cron job above.
Take a look at iptables-restore and iptables-save, too.
Barry
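The insert, test, rollback and save workflow from Barry's reply, as an added shell example that is not part of the thread. It assumes the CentOS `service iptables` init script and the chain name given above (the reply calls it TABLE_NAME; `iptables -I` takes a chain), and 192.0.2.10 is a constructed sample address; DRY_RUN=1 prints each command instead of running it.

```sh
#!/bin/sh
# Added example, not code from the thread. Wraps the insert/test/rollback/save
# workflow from Barry's reply. DRY_RUN=1 prints each command instead of running
# it, so the script can be exercised without root or a live firewall.
# Assumes a CentOS 5/6-style "service iptables" init script.
DRY_RUN="${DRY_RUN:-0}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"   # the CentOS default chain named in the thread

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only an IPv4 address or CIDR prefix as the source (no shell metacharacters).
valid_src() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# The rule from the reply: insert at POS in CHAIN, match new TCP connections to PORT.
rule_cmd() {   # usage: rule_cmd POS SRC PORT
    printf 'iptables -I %s %s -s %s -m state --state NEW -p tcp --dport %s -j ACCEPT' \
        "$CHAIN" "$1" "$2" "$3"
}

open_port() {  # usage: open_port POS SRC PORT  (find POS with: iptables -L -n --line-numbers)
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    valid_src "$2" || { echo "bad source: $2" >&2; return 1; }
    run $(rule_cmd "$1" "$2" "$3")   # no spaces inside the args, so word splitting is safe
}

# Safety net from the reply: put the saved ruleset back after N seconds unless
# cancelled, so a bad rule cannot lock a remote admin out for good.
schedule_rollback() {  # usage: pid=$(schedule_rollback SECONDS)
    ( sleep "$1" && run service iptables restart ) >&2 &
    echo $!
}
cancel_rollback() { kill "$1" 2>/dev/null; }

# Once the rule is verified, persist it (what the init script's "save" does).
save_rules() { run service iptables save; }

# Demo of the full sequence in dry-run mode: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    open_port 5 192.0.2.10 5901            # 192.0.2.10 is a constructed test address
    pid=$(schedule_rollback 300)           # ... test the connection here ...
    cancel_rollback "$pid" && save_rules
fi
```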