
So I'm trying to set up a spacewalk server on CentOS 6.8 but it keeps on hanging up on restarting services to install cobbler. It'll just keep going and going without ever making any progress. Finally I changed my iptables policies for input and output to accept, and the installation process finally finished successfully. But I'm not happy with that. I want to be able to successfully install spacewalk without having to accept all connections, except for those truly necessary for spacewalk to work. Keep in mind I am a complete newbie to servers and to iptables in general, so I'm sorry for the messy policies :(

These are my policies:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 69 -m state --state ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 

EDIT: TL;DR: I needed to open connections for the loopback interface.

For anyone who ever has the same problem: I added the ports Diogenes made me aware of for cobbler. Unfortunately that didn't fix the problem. As per his second suggestion, I tried to install with the non-working iptables configuration and used "netstat -aln" and saved it to a file. Then I changed the policies to ACCEPT and successfully installed spacewalk and ran netstat again. Then I took the two files and compared them and found that the problem was that 127.0.0.1 wasn't communicating properly. As soon as I added the interface to iptables, spacewalk installed successfully with the iptables configuration that I wanted (including the default DROP policies).

Shelby M.

1 Answer


Looks like Cobbler requires ports 25150 and 25151. From the Reference Guide for Cobbler, Section 11.1.1 (Using Cobbler check):

iptables — Will remind you that if you are running an IPTables firewall, that you have rules set to allow ports 69 (TFTP), 80 (HTTPD), 25150 and 25151 (Cobbler).

Run the cobbler check command as root on your system to see what settings and services need to be enabled to properly run Cobbler on your boot server.

With your firewall rules temporarily disabled, you can use netstat -aln or lsof -i to list ports that have attached listeners. That might show you other ports that need to be open for the services you're running.
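Added example, not part of the original question or answer: a simplified Python model of first-match iptables evaluation, run over the rules posted in the question, showing why a local connection to Cobbler's port 25151 is dropped until loopback traffic is allowed. `LOOPBACK_FIX`, the source port 40000 and the function names are assumptions; the post does not show the exact loopback rules that were added.

```python
# INPUT/OUTPUT rules as posted in the question (FORWARD policy omitted).
POSTED = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 69 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
"""
# Assumed form of the loopback fix; the post does not show the exact rules.
LOOPBACK_FIX = "-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n"

def parse(ruleset):
    """Return (policies, rules); every option in these rules takes one value."""
    policies, rules = {}, []
    for tok in map(str.split, ruleset.strip().splitlines()):
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        else:  # -A CHAIN opt val opt val ...
            rules.append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
    return policies, rules

def verdict(ruleset, chain, pkt):
    """First matching rule's target, else the chain policy (simplified model)."""
    policies, rules = parse(ruleset)
    for rchain, o in rules:
        if rchain == chain and all(
            o.get(k, pkt[k]) == pkt[k] for k in ("-p", "--sport", "--dport", "-i", "-o")
        ) and pkt["state"] in o.get("--state", pkt["state"]).split(","):
            return o["-j"]
    return policies[chain]

def local_connect(ruleset, dport, sport="40000"):
    """Verdicts (OUTPUT, INPUT) for the SYN of a TCP connect to 127.0.0.1:dport."""
    pkt = {"-p": "tcp", "--sport": sport, "--dport": str(dport),
           "-i": "lo", "-o": "lo", "state": "NEW"}
    return verdict(ruleset, "OUTPUT", pkt), verdict(ruleset, "INPUT", pkt)
```

`local_connect(POSTED, 25151)` returns `("DROP", "DROP")`, while `local_connect(POSTED + LOOPBACK_FIX, 25151)` returns `("ACCEPT", "ACCEPT")` with both default policies still set to DROP.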