Re: open port 5432 for postgres

From: renz (rene.renesanz_at_gmail.com)
Date: 11/24/05


Date: 24 Nov 2005 14:09:05 -0800


Wolfgang Kueter wrote:
> On Wed, 23 Nov 2005 17:31:52 -0800, renz wrote:
>
>
> > Here the output of iptables -nvL:
> >
> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 29094 3828K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
> > 0.0.0.0/0
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 2728 176K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
> > 0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 18890 packets, 1733K bytes)
> > pkts bytes target prot opt in out source
> > destination
>
> Well, policies are ACCEPT but ...
>
>
> > Chain RH-Firewall-1-INPUT (2 references)
> > pkts bytes target prot opt in out source
> > destination
>
> OK, everything via loopback interface allowed ...
>
> > 10005 419K ACCEPT all -- lo * 0.0.0.0/0
> > 0.0.0.0/0
>
> Accept some ICMP stuff:
>
> > 5 280 ACCEPT icmp -- * * 0.0.0.0/0
> > 0.0.0.0/0 icmp type 255
>
>
> Accept IPsec (VPN stuff)
>
> > 0 0 ACCEPT esp -- * * 0.0.0.0/0
> > 0.0.0.0/0
> > 0 0 ACCEPT ah -- * * 0.0.0.0/0
> > 0.0.0.0/0
>
> What might that be? /etc/services says Multicast DNS, strange, anyhow ...
>
> > 0 0 ACCEPT udp -- * * 0.0.0.0/0
> > 224.0.0.251 udp dpt:5353
>
> Well ipp, but that is usually tcp ...
>
> > 0 0 ACCEPT udp -- * * 0.0.0.0/0
> > 0.0.0.0/0 udp dpt:631
>
> This accepts all answer packets
>
> > 4907 994K ACCEPT all -- * * 0.0.0.0/0
> > 0.0.0.0/0 state RELATED,ESTABLISHED
>
> Allows ssh access to the box
>
> > 293 17568 ACCEPT tcp -- * * 0.0.0.0/0
> > 0.0.0.0/0 state NEW tcp dpt:22
>
> And then everything else is forbidden, so obviously the postgres
> service is not reachable
>
> > 16612 2574K REJECT all -- * * 0.0.0.0/0
> > 0.0.0.0/0 reject-with icmp-host-prohibited
>
> So your rules are obviously wrong ...
>
> >> what does telnet <destination_ip> 5432 say?
> >
> > Connecting to 192.168.1.110...Could not open a connection to host on
> > port 5432 :
> > Connect failed
>
> No wonder when you look at the loaded ruleset.
>
> As we know from the iptables -nvL output you posted your rules are not
> correct (the rules I posted yesterday will do) but besides that there is
> another thing you should have in mind: Postgres might not be listening.
> You can easily check this with netstat -an (you should see tcp port 5432
> in listen state) or do a
>
> ps ax
>
> as root.
>
> If you see the postmaster process without -i option like in:
>
> 6136 pts/1 S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
>
> you have to change the start options for the postgres daemon and make
> sure that it is started with the -i flag (and maybe -F). I don't use
> Fedora and therefore I'm not sure where to configure this but finding
> that out yourself should not be a great problem. After restarting the
> daemon
>
> ps ax will produce an output like:
>
> 6136 pts/1 S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data -i
>
> And with the correct iptables rules, everything will be fine.
>
> Wolfgang

I'm making progress...I can see port 5432 now when I run the nmap
command... but it says closed, as well as ports 53 & 80......I probably
need to check the order of the rules..

                   renz
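As an added example (not code from the thread), here is a small Python evaluator over the RH-Firewall-1-INPUT chain exactly as posted above, with each wrapped rule rejoined onto one line. It shows why a new TCP connection to 5432 falls through to the final REJECT while port 22 is accepted, and why the position of the fix rule relative to that REJECT (the rule order renz mentions) decides the outcome. The 192.168.1.110 destination and eth0 interface are assumptions, and PG_RULE is a hypothetical fix rule written in the same column layout.

```python
import re

# Constructed sample: the thread's RH-Firewall-1-INPUT chain, wrapped rules rejoined.
CHAIN = """\
10005  419K ACCEPT all  -- lo * 0.0.0.0/0 0.0.0.0/0
    5   280 ACCEPT icmp -- *  * 0.0.0.0/0 0.0.0.0/0   icmp type 255
    0     0 ACCEPT esp  -- *  * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT ah   -- *  * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT udp  -- *  * 0.0.0.0/0 224.0.0.251 udp dpt:5353
    0     0 ACCEPT udp  -- *  * 0.0.0.0/0 0.0.0.0/0   udp dpt:631
 4907  994K ACCEPT all  -- *  * 0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
  293 17568 ACCEPT tcp  -- *  * 0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
16612 2574K REJECT all  -- *  * 0.0.0.0/0 0.0.0.0/0   reject-with icmp-host-prohibited
"""
# Hypothetical fix rule in the same layout: accept new TCP connections to 5432.
PG_RULE = "0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5432"

def parse_chain(text):
    """Turn `iptables -nvL` rule lines into dicts of the fields we evaluate."""
    rules = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 9 and f[0].isdigit():      # skip headers / blank lines
            rules.append({"target": f[2], "prot": f[3], "in": f[5],
                          "dst": f[8], "extra": " ".join(f[9:])})
    return rules

def rule_matches(rule, pkt):
    """Simplified netfilter match: protocol, in-interface, dst, state, dport."""
    state = re.search(r"state (\S+)", rule["extra"])
    dport = re.search(r"dpt:(\d+)", rule["extra"])
    return (rule["prot"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["iface"])
            and rule["dst"] in ("0.0.0.0/0", pkt["dst"])
            and (not state or pkt["state"] in state.group(1).split(","))
            and (not dport or int(dport.group(1)) == pkt["dport"]))

def verdict(rules, pkt):
    """First matching rule decides; otherwise the chain policy (ACCEPT) applies."""
    return next((r["target"] for r in rules if rule_matches(r, pkt)), "ACCEPT")

def new_tcp(port, iface="eth0", dst="192.168.1.110"):
    # A fresh inbound SYN as conntrack sees it (state NEW); iface/dst are assumed.
    return {"proto": "tcp", "iface": iface, "dst": dst, "dport": port, "state": "NEW"}

def with_rule(text, rule, before_reject=True):
    """Insert the fix rule ahead of the final REJECT, or (wrongly) after it."""
    lines = text.rstrip("\n").split("\n")
    idx = next(i for i, l in enumerate(lines) if " REJECT " in l)
    lines.insert(idx if before_reject else idx + 1, rule)
    return "\n".join(lines)
```

Calling `verdict(parse_chain(CHAIN), new_tcp(5432))` on the posted chain yields REJECT, and the same call with `with_rule(CHAIN, PG_RULE)` yields ACCEPT only when the fix sits before the REJECT.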


