Hello....I'm new to newsgroups and this is my very first post. I need to know how to open up port 5432 using iptables to allow me to connect to our postgres server (Fedora Linux) with pgAdmin.
Thanks, renz
Am Tue, 22 Nov 2005 13:59:32 -0800 schrieb renz:
Just like allowing any other tcp connection to whatever port when using iptables.
man iptables
and maybe concerning pg_hba.conf:
Do note, though, that if pgAdmin is on the same host, no port needs to be opened. Unless you are paranoid enough to filter loopback...
Joachim
NO, pgAdmin is not on the same host.
I added these to my iptables, applied the rule, then restarted iptables:
iptables -A INPUT -p tcp --source 192.168.1.0/24 --syn --dport 5432 -j ACCEPT
iptables -A INPUT -p udp --source 192.168.1.0/24 --dport 5432 -j ACCEPT
but when I ran nmap to check, this is the result I get:
PORT STATE SERVICE
22/tcp open ssh
37/tcp open time
111/tcp open rpcbind
renz
Please post the output of iptables -nvL
and after that trust me and do something like:
# Quick and easy stateful filtering to overcome all problems with answer
# packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Postgres
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 5432 -m state \
  --state NEW -j ACCEPT
Doesn't say anything, unless you can be sure that 5432 was in the range that nmap scanned.
What does telnet 5432 say?
You should see some sort of protocol like in this example:
---8<---
telnet work6 5432
Trying 192.168.1.6...
Connected to work6.
Escape character is '^]'.
quit
EFATAL: invalid length of startup packet
Connection closed by foreign host.
---8<---
Care to provide some details on the network? Which host is running pgAdmin, which host is running iptables, and which one is running postgres?
Which options did you use for this scan? Is postgres even running on the host you scanned? What's the output of "netstat -ntl" on that host?
cu
59cobalt
Those rules look funky. Why do you not allow non-SYN TCP? And why allow UDP at all?
If you do outbound filtering, you'll also want some rules for that...
I'm guessing, if the above is not a typo, that nmap -sS -p 5432 will report the port as open...
Joachim
Here the output of iptables -nvL:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
29094 3828K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2728  176K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18890 packets, 1733K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
10005  419K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5   280 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
 4907  994K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  293 17568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
16612 2574K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Connecting to 192.168.1.110...Could not open a connection to host on port 5432 : Connect failed
I'll try your suggested rules tomorrow at work.
renz
Am Wed, 23 Nov 2005 17:31:52 -0800 schrieb renz:
Well, policies are ACCEPT but ...
OK, everything via loopback interface allowed ...
Accept some ICMP stuff:
Accept IPsec (VPN stuff)
What might that be? /etc/services says Multicast DNS, strange, anyhow ...
Well ipp, but that is usually tcp ...
This accepts all answers packets
Allows ssh access to the box
And everything else is forbidden, so obviously the postgres service is not reachable
So your rules are obviously wrong ...
No wonder when you look at the loaded ruleset.
As we know from the iptables -nvL output you posted, your rules are not correct (the rules I posted yesterday will do), but besides that there is another thing you should have in mind: Postgres might not be listening. You can easily check this with netstat -an (you should see tcp port 5432 in listen state) or do a
ps ax
as root.
If you see the postmaster process without -i option like in:
6136 pts/1 S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
you have to change the start options for the postgres daemon and make sure that it is started with the -i flag (and maybe -F). I don't use Fedora and therefore I'm not sure where to configure this, but finding that out yourself should not be a great problem. After restarting the daemon
ps ax will produce an output like:
6136 pts/1 S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data -i
And with the correct iptables rules, everything will be fine.
Wolfgang
I'm making progress...I can see port 5432 now when I run the nmap command... but it says closed, as well as ports 53 & 80......I probably need to check the order of the rules..
renz
Am Thu, 24 Nov 2005 14:09:05 -0800 schrieb renz:
Just look at your ruleset with iptables -nvL. It shows you the ruleset that is loaded and any packet passes through that ruleset until it reaches one of the final targets.
Final targets are ACCEPT, DROP and REJECT. Non-final targets for packets are LOG and any self-defined chains, while ACCEPT, DROP and REJECT are again the final targets for those self-defined chains.
I'm pretty sure that you'll eventually figure it out. :-)
Wolfgang
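To see why the posted ruleset rejects the pgAdmin connection, and why the order of the rules matters, here is an added example (not from this thread) that parses `iptables -nvL` output and walks the chains the way Wolfgang describes for a new TCP connection to port 5432. The sample ruleset is constructed from the one posted above; the source address 192.168.1.50 and the interface name eth0 are assumptions.

```python
import ipaddress
import re
# Constructed sample in `iptables -nvL` layout, modelled on the ruleset posted in the thread.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
29094 3828K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
10005  419K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4907  994K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  293 17568 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
16612 2574K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
FINAL = {"ACCEPT", "DROP", "REJECT"}
PG_SYN = {"src": "192.168.1.50", "in": "eth0", "dport": 5432}  # assumed pgAdmin host, LAN interface

def parse_chains(text):
    # chain name -> (policy, or None for user-defined chains; rules in listed order)
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), (m.group(2), [])
        elif cur and len(f := line.split()) >= 9 and f[0] != "pkts":
            chains[cur][1].append({"target": f[2], "prot": f[3], "in": f[5],
                                   "src": f[7], "extra": " ".join(f[9:])})
    return chains

def matches(r, pkt):
    # would a fresh TCP SYN (src, in-interface, dport) hit this rule?
    if r["prot"] not in ("all", "tcp") or r["in"] not in ("*", pkt["in"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    m = re.search(r"tcp dpt:(\d+)", r["extra"])
    if m and int(m.group(1)) != pkt["dport"]:
        return False
    return "state" not in r["extra"] or "NEW" in r["extra"]  # ESTABLISHED never fits a SYN

def verdict(chains, chain, pkt=PG_SYN):
    # walk the chain top to bottom: the first final target wins, else the chain policy
    policy, rules = chains[chain]
    for r in (r for r in rules if matches(r, pkt)):
        t = r["target"]
        v = t if t in FINAL else verdict(chains, t, pkt) if t in chains else None
        if v in FINAL:
            return v                 # non-final hit (LOG, user chain without verdict) falls through
    return policy                    # None when a user-defined chain runs out of rules
```

Inserting an ACCEPT rule for tcp/5432 before the final REJECT changes the verdict; appending it after the REJECT (the usual result of `iptables -A` on this ruleset) leaves the packet rejected, because the REJECT is reached first.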
The host running pgAdmin is a Windows 2003 SBS server, and the host running iptables and postgres is a Fedora Core release 3 (Heidelberg), Kernel 2.6.9-1.667 on an i686 ... I'm trying to set up a BACKUP postgres server in case the current one goes down.
I didn't use any options. Yes, postgres is running on this host. Output of netstat -ntl:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
renz
Your Postgres (like mine on this test machine) is only listening on the loopback interface, thus it is not reachable from external clients ...
zaphod:~ # rcpostgresql start
Initializing the PostgreSQL database at location /var/lib/pgsql/data    done
Starting PostgreSQL                                                     done
zaphod:~ # netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
                    ^^^^^^^^^^^^^^ loopback only
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 ::1:5432                :::*                    LISTEN
                    ^^^^^^^^ IPv6 stuff, doesn't matter here
tcp        0      0 ::1:25                  :::*                    LISTEN
zaphod:~ # ps ax | grep postmaster
15891 pts/1 S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
OK, the -i option is missing (I already told you to check this on your box), so we have to change this. However, this is a SuSE box and on Fedora the configuration/file to edit will probably be different; anyhow, I have to edit /etc/sysconfig/postgresql:
# SuSE default setting ...
# POSTGRES_OPTIONS=""
# SuSE default changed to:
POSTGRES_OPTIONS="-iF"
zaphod:~ # rcpostgresql start
Starting PostgreSQL                                                     done
zaphod:~ # netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
                    ^^^^^^^^^^^^^^
Well, there we are, that is what you need to see if you want your remote clients to be able to communicate with the PostgreSQL server, after that take care about the iptables rules.
Concerning the options please do a
man postmaster
on your box.
Wolfgang
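The netstat check Wolfgang walks through above can be automated; this added example (not from this thread) parses `netstat -ntl` output and reports whether port 5432 is unbound, bound to loopback only (the state renz's box is in, unreachable for remote clients regardless of the firewall), or bound to a routable address. The listing is constructed to match the shape of the ones posted above.

```python
import ipaddress

# Constructed `netstat -ntl` output shaped like the listing posted in the thread:
# the postmaster is bound to 127.0.0.1 (and ::1) only, sshd to all addresses.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 ::1:5432                :::*                    LISTEN
"""

def listeners(text, port):
    # local addresses that have a TCP socket in LISTEN state on `port`
    addrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue
        addr, _, p = f[3].rpartition(":")   # rpartition keeps IPv6 ":::22" / "::1:5432" intact
        if int(p) == port:
            addrs.append(addr)
    return addrs

def reachability(text, port):
    # "none": nothing listens; "loopback": only 127.0.0.1/::1, so remote clients are
    # refused before any firewall rule matters; "external": bound to a routable address
    addrs = listeners(text, port)
    if not addrs:
        return "none"
    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "loopback"
    return "external"
```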
You're welcome ;-)
Is it in your internal network? That would be fine. Then this will do:
iptables -A $CHAIN -p tcp -s $INTERNAL_NET --dport 5432 -d $POSTGRES_SERVER \
  -j ACCEPT
(see man iptables)
Is it through the Internet? Don't do it! Better use i.e. ssh with port forwarding for having a crypto tunnel.
Yours, VB.
Thanks everyone for helping me, especially to Wolfgang.....I just need to add the -i option in postgres.....either that or reinstall postgres, instead of working with somebody else's installation.
renz
Wolfgang Kueter wrote: