I'm new to servers and iptables. I have a web app (happens to be bugzilla) running on my Centos 6.7 apache/httpd server, and it attempts to connect out to the web (updates.bugzilla.org) via port 80. It also attempts to connect out (to smtp.gmail.com) using port 465. However, it cannot. This is in spite of having a default output policy of ACCEPT and having opened the relevant ports for input.
I'm not sure where to go from here. Where should I look to begin troubleshooting this? What are the likely culprits?
Some output:
$ service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
AND:
iptables -L -v
Chain INPUT (policy ACCEPT 881 packets, 106K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
436 183K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
1 60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 348 packets, 56741 bytes)
pkts bytes target prot opt in out source destination
I'm hopeful that it is not a bugzilla or centos-specific thing, as I have accomplished a successful bugzilla install on ubuntu desktop, although that was while using ubuntu's ufw (I think I also tried it with iptables, but would have to try again to verify).
For those web searching and seeing this at a later date, it turns out this was a SELinux issue! Needed to enable the boolean 'httpd_can_network_connect' (for others, use 'getsebool -a').
Answer
Try this:
service iptables save
service iptables stop
chkconfig iptables off
Boom, no firewall. Test again.
Try using telnet to test that port:
telnet updates.bugzilla.org 80
Once connected with telnet, type "get" and see if there's a response.
Example:
# telnet updates.bugzilla.org 80
Trying 63.245.223.29...
Connected to updates.bugzilla.org.
Escape character is '^]'
get
400 Bad Request
400 Bad Request
nginx/1.0.15
Connection closed by foreign host.
Didn't work?
Try tcptraceroute to see where it gets blocked:
tcptraceroute updates.bugzilla.org 80
Could there be something else blocking ports? A firewall, router, ISP?
No comments:
Post a Comment