Discussion: Port blocked by iptables firewall


Port blocked by iptables firewall

From:
"Greg Campbell"
Date:
I just installed a new Red Hat 9 server with PostgreSQL 7.2-3.

After enabling tcpip_sockets (true) in postgresql.conf and restarting
the postmaster, I was not able to connect to the server remotely,
apparently because the port (5432) was not being responded to.

Using a working server I would use #psql -h hostname -d my_db_name -U
my_username

The response was
could not connect to the server: connection refused
Is the server running on host xxx.xxx.xxx.xxx and accepting
TCP/IP connections on port 5432?

Yes the server was running. I could use it via localhost. I even used
#nmap -sT -O localhost
where the port showed open.

I found RH9 seems to have upgraded its security using iptables instead of
ipchains -- and the default security level (high) was keeping me out. I
did not want to completely drop my security level (a test of dropping it
to medium and using configure opened too much stuff).

The trick seems to be to either use lokkit (gnome-lokkit in GUI) or hand
code iptables rules. The lokkit utilities are making changes to the
/etc/sysconfig/iptables file, which in turn work with the firewall to
intercept packets as they go to or come from NICs.

Hand coding iptables rules is not recommended for newbies.
The man iptables and iptables --help are essential. There are some
helpful links at
www.redhat.com/support/resources/networking/firewall.htm

iptables --list is a pretty safe start

I just used lokkit and chose Customize. I included 5432 in the optional
ports area.

I had not seen any posting on this topic, so I thought I'd share.
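The post above describes the failure mode well: psql and nmap against localhost both succeed because loopback traffic never hits the lokkit REJECT rule, while a remote client is refused by the firewall, not by the postmaster. The script below is an added example, not code from the thread or from Red Hat; it works on a saved ruleset in the format of /etc/sysconfig/iptables (what iptables-save writes), so it runs without root or a live firewall. The ruleset and the 192.0.2.0/24 client network are constructed sample data; the chain name RH-Lokkit-0-50-INPUT mirrors what lokkit generated on Red Hat of that era but is used here only as part of the constructed sample. The point it demonstrates is the narrower alternative to dropping the security level: insert an ACCEPT for TCP 5432 limited to the client subnet ahead of the catch-all REJECT, and verify from the saved rules that the port is now reachable.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect and amend a saved iptables
# ruleset offline. All data below is constructed.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT'

# port_allowed RULESET PORT
# Exit 0 if a TCP SYN from a remote host to PORT would be ACCEPTed, 1 if
# it would hit a catch-all TCP REJECT/DROP first (or the INPUT policy is
# not ACCEPT). Rules are evaluated in file order, first match wins.
# Interface-bound rules such as "-i lo -j ACCEPT" are ignored on purpose:
# they are exactly why testing from localhost is misleading.
port_allowed() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^:INPUT / { policy = $2 }
        decided { next }
        /^-A / && / -p tcp/ && ($0 ~ ("--dport " port "( |$)")) && / -j ACCEPT/ {
            verdict = "ACCEPT"; decided = 1; next
        }
        /^-A / && / -p tcp/ && !/--dport/ && / -j (REJECT|DROP)/ {
            verdict = "REJECT"; decided = 1; next
        }
        END { if (!decided) verdict = policy; print verdict }
    ' | grep -q '^ACCEPT$'
}

# add_allow RULESET PORT SRC
# Print RULESET with an ACCEPT for TCP PORT from SRC inserted immediately
# before the first catch-all TCP REJECT/DROP, so it is matched first.
# Restricting by -s keeps the port closed to everything except the
# client network, instead of opening it to the world.
add_allow() {
    printf '%s\n' "$1" | awk -v port="$2" -v src="$3" '
        !done && /^-A / && / -p tcp/ && !/--dport/ && / -j (REJECT|DROP)/ {
            chain = $2
            print "-A " chain " -s " src " -p tcp -m tcp --dport " port " --syn -j ACCEPT"
            done = 1
        }
        { print }
    '
}

# Stand-alone demonstration: verdict for 5432 before and after the change.
if port_allowed "$SAMPLE_RULES" 5432; then
    echo "before: 5432 accepted"
else
    echo "before: 5432 rejected by the firewall"
fi
PATCHED=$(add_allow "$SAMPLE_RULES" 5432 192.0.2.0/24)
if port_allowed "$PATCHED" 5432; then
    echo "after: 5432 accepted from 192.0.2.0/24"
fi
```

To apply the same idea on a real box, the added line would go into /etc/sysconfig/iptables (or be entered with iptables -I on the lokkit chain) and the result checked from a remote client, not from localhost.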

Re: Port blocked by iptables firewall

From:
Tom Lane
Date:
"Greg Campbell" <greg.campbell@us.michelin.com> writes:
> [ Red Hat 9 blocks external port-5432 traffic by default ]

Yeah.  This was true in Red Hat 8 as well.  I'm not sure whether other
distros are equally paranoid, but Red Hat locks down most ports by
default ...

            regards, tom lane

Re: Port blocked by iptables firewall

From:
"Greg Campbell"
Date:
I understand the locked down ports thing. I am now surprised that I
didn't have this problem in RH8.

For some reason when I installed PostgreSQL on my RH8 machines, using
the RPM I did not run into this particular problem as I recall. (This
time both RH9 and PostgreSQL were factory installed on a DELL server). I
don't remember changing/adjusting the Linux Security Levels. My RH8
doesn't seem to be using iptables, there is no /etc/sysconfig/iptables
file.

So I think using the System Tools -> Security Level administrator is doing
something different under the hood now. While my RH8 install has an
iptables executable, it seems to have nothing (empty files) to work
against. I believe it is managing the older ipchains security. For
curiosity's sake, what did you do in RH8 to open up port 5432? Does lokkit
function against both systems?


Tom Lane wrote:
>
> "Greg Campbell" <greg.campbell@us.michelin.com> writes:
> > [ Red Hat 9 blocks external port-5432 traffic by default ]
>
> Yeah.  This was true in Red Hat 8 as well.  I'm not sure whether other
> distros are equally paranoid, but Red Hat locks down most ports by
> default ...
>
>                         regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

Re: Port blocked by iptables firewall

From:
Tom Lane
Date:
"Greg Campbell" <greg.campbell@us.michelin.com> writes:
> So I think use the System Tools ->Security Level administrator is doing
> something different under the hood now. While my RH8 install has a
> iptables executable, it seems to have nothing (empty files) to work
> against. I believe it is managing the older ipchains security. For
> curiosity sake, what did you do in RH8 to open up port 5432?

I may be mistaken about this; I remember having had to open up 5432
on one of my Linux systems, but it may not have been the RH8 box.
/etc/sysconfig/ipchains is the controlling file there, and what I have
saved as the "original" version doesn't look like it would block 5432.

(It did block a bunch of other stuff that I found unhelpful, such as
NFS mounts and telnet; which is reasonable for a machine with a direct
connection to the 'net, but not what I wanted for a machine behind a
firewall...)

> Does lokkit
> function against both systems?

FWIW, the ipchains file says "# Firewall configuration written by lokkit"
but I prefer hacking config files directly to relying on undocumented
security tools, so I ignored that.

            regards, tom lane