Allow incoming ICMP and SSH

Issues related to configuring your network
VeeDub
Posts: 39
Joined: 2019/12/21 02:34:05

Allow incoming ICMP and SSH

Post by VeeDub » 2019/12/21 02:50:09

Hello,

I'm a Linux newbie and I'm trying to set up CentOS to do some testing.

I'm aware that CentOS v8 is the latest environment, but my hardware is old and v8 doesn't have the disk drivers where v7 does.

I've configured a static IP on the CentOS host and have basic network connectivity (can ping and access yum / Internet).

I've installed and configured SSH but cannot connect to the host and I can't ping it either.

I would appreciate it if someone can explain how to configure the firewall to allow
  • incoming ICMP
  • SSH
I've read a number of documents that talk about iptables, firewall-d.

I just want to find a straightforward explanation that applies to CentOS v7.

Thanks
VW

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Allow incoming ICMP and SSH

Post by TrevorH » 2019/12/21 14:36:49

CentOS 7 is fine, it's stable and supported for nearly 5 more years.

What's the output from systemctl status firewalld? If that says "not found" then how about the output from iptables-save?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

VeeDub
Posts: 39
Joined: 2019/12/21 02:34:05

Re: Allow incoming ICMP and SSH

Post by VeeDub » 2019/12/21 20:58:17

Hello Trevor

Code:

[root@localhost ~]# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-22 07:36:49 AEDT; 8min ago
     Docs: man:firewalld(1)
 Main PID: 1862 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─1862 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Dec 22 07:36:46 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 22 07:36:49 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

Code:

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun Dec 22 07:51:04 2019
*nat
:PREROUTING ACCEPT [740:125795]
:INPUT ACCEPT [5:1096]
:OUTPUT ACCEPT [74:5425]
:POSTROUTING ACCEPT [74:5425]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o em1 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Dec 22 07:51:04 2019
# Generated by iptables-save v1.4.21 on Sun Dec 22 07:51:04 2019
*mangle
:PREROUTING ACCEPT [1122:158904]
:INPUT ACCEPT [618:102800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [354:87916]
:POSTROUTING ACCEPT [375:90503]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Dec 22 07:51:04 2019
# Generated by iptables-save v1.4.21 on Sun Dec 22 07:51:04 2019
*security
:INPUT ACCEPT [408:34892]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [408:93891]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sun Dec 22 07:51:04 2019
# Generated by iptables-save v1.4.21 on Sun Dec 22 07:51:04 2019
*raw
:PREROUTING ACCEPT [1168:165148]
:OUTPUT ACCEPT [397:93311]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Dec 22 07:51:04 2019
# Generated by iptables-save v1.4.21 on Sun Dec 22 07:51:04 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [355:88404]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i em1 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o em1 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i em1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p icmp -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
# Completed on Sun Dec 22 07:51:04 2019
[root@localhost ~]#
I made some progress since my original post: I found this article, which helped me to get iptables working.
https://mellowhost.com/blog/linux-asser ... rvice.html

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Allow incoming ICMP and SSH

Post by tunk » 2019/12/21 21:12:03


TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Allow incoming ICMP and SSH

Post by TrevorH » 2019/12/21 23:29:44

If you want to use firewalld then you need to learn the firewall-cmd command, not iptables. Firewalld manages iptables for you (in el8 it's nftables, not iptables). Don't try to amend rules using iptables if you are running firewalld; it will spot the changes and undo them.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Allow incoming ICMP and SSH

Post by jlehtone » 2019/12/22 08:41:37

You (at least at that point) had firewalld running. That is what the default install does.
Your interface 'em1' is in firewall zone 'public'. That is what the default install does.
Firewall zone 'public' allows incoming ssh and ICMP.

The default install does include the ssh client and server.
You have libvirt running. libvirt is installed by the default desktop install.

In other words, ssh and ping should work "out of the box". If they don't, the culprit is most likely something other than your firewall.
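The check jlehtone did by eye on the iptables-save output above (interface, then zone chain, then the zone's allow rules), as an added example that is not from the thread; the dump is a constructed subset of the one posted, and the function names are my own. On a live CentOS 7 box you would ask firewalld directly instead, with `firewall-cmd --get-zone-of-interface=em1` and `firewall-cmd --zone=public --list-all`, which is the firewall-cmd route TrevorH recommends.

```shell
#!/bin/sh
# Constructed sample: the INPUT-side lines of the filter table from the
# iptables-save output posted in this thread (trimmed, not the full dump).
SAMPLE_DUMP='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i em1 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p icmp -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT'

# Which firewalld zone chain does INPUT traffic on an interface jump to?
# firewalld encodes this as "-A INPUT_ZONES -i <iface> -g IN_<zone>".
# Prints the zone name ("public") or "none" if the interface is unbound.
zone_for_iface() {
    zone=$(printf '%s\n' "$SAMPLE_DUMP" | awk -v i="$1" \
        '$1=="-A" && $2=="INPUT_ZONES" && $3=="-i" && $4==i {sub(/^IN_/,"",$6); print $6; exit}')
    printf '%s\n' "${zone:-none}"
}

# Does the zone accept NEW TCP connections to a port (what sshd needs)?
# Exit status 0 = allowed, 1 = no matching ACCEPT rule in IN_<zone>_allow.
zone_accepts_tcp_port() {
    printf '%s\n' "$SAMPLE_DUMP" |
        grep -q -- "^-A IN_$1_allow -p tcp -m tcp --dport $2 .*-j ACCEPT$"
}

# Does the zone accept ICMP (what ping needs)? firewalld puts this either
# directly in IN_<zone> or, as an "icmp" rich rule, in IN_<zone>_allow.
zone_accepts_icmp() {
    printf '%s\n' "$SAMPLE_DUMP" |
        grep -q -E -- "^-A IN_$1(_allow)? -p icmp .*-j ACCEPT$"
}

# Walk the path a packet takes: interface -> zone -> allow rules.
check_host() {
    z=$(zone_for_iface "$1")
    echo "interface $1 is in zone: $z"
    zone_accepts_tcp_port "$z" 22 && echo "ssh (tcp/22): allowed" || echo "ssh (tcp/22): NOT allowed"
    zone_accepts_icmp "$z" && echo "icmp: allowed" || echo "icmp: NOT allowed"
}

check_host em1
```

If this says both are allowed, as it does for the posted dump, the firewall is not what is blocking ssh and ping, and the next things to check are sshd itself and the network path to the host.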
