
Check Your Rcs.is Firewall Settings

If a host-based firewall on your Rcs.is is misconfigured, it can prevent connections to or from your computer. Use this guide to debug your host-based firewall settings for errors. If your infrastructure also includes cloud firewalls, follow the cloud firewall connectivity troubleshooting guide as well to ensure that the two firewalls do not have conflicting rule sets.

In this step of the Connectivity Troubleshooting Guide, you will:

  1. Check to see if your Rcs.is’s firewall is active.
  2. Review and correct (or disable) any firewall rules if the Rcs.is’s firewall is active.

Check that your Rcs.is Firewall is Active

You can check whether any firewall rules are active on your Rcs.is before troubleshooting them further by using iptables. iptables is the command-line utility that manages the kernel's netfilter firewall rules and is native to all Linux operating systems.

To see if you have any firewall rules in place on your Rcs.is, run:

sudo iptables -L

If the command returns the following output, the Rcs.is does not have any active filtering rules and you can skip to the next section.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the command returns longer output with policies set to DROP, the Rcs.is’s firewall is active. In the sample output below, IPTables returned firewall policies that are set to only accept TCP traffic on port 2222 and were configured using UFW.

Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

...

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222

If the Rcs.is has active firewall policies, you can begin reviewing your firewall's rules in the next section.

Review and Correct Firewall Rules

Use one of the following tools to review the firewall rules on the Rcs.is. We recommend using UFW to manage your firewall rules as it is the most user-friendly firewall interface.

UFW is an interface for managing netfilter firewall rules, and all Ubuntu-based Rcs.is servers have UFW installed by default. You can view the current filtering rules by running:

sudo ufw status verbose

Adding the verbose argument returns a more detailed status of the firewall.

If you receive the message Status: inactive, UFW is not currently configured to manage your firewall and you can try reviewing your Rcs.is’s firewall settings with iptables. If UFW is currently active, it returns output similar to the following:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

The output displays a few things:

  • Status: Indicates that the firewall is actively enforcing traffic rules.
  • Default: Indicates the current incoming and outgoing traffic policies. The provided example shows that the incoming policy is to deny connections to the Rcs.is from outside sources, and the outgoing policy allows traffic from the Rcs.is to connect to the public internet.
  • The rule set at the bottom indicates the types of traffic that are allowed to connect to and egress from the Rcs.is. In the example, the rule set allows incoming connections to port 22 from both IPv4 and IPv6 addresses. Because all outbound traffic is allowed to egress from the Rcs.is, no outbound rules are displayed in the rule set.
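The three items described above (the Status line, the Default line and the rule table) can be read back mechanically from saved `ufw status verbose` output. The following shell functions are an added example written for this guide, not part of UFW or of Rcs.is tooling; the two samples are constructed to match the listings shown above, and on a real server you would pipe `sudo ufw status verbose` into the functions instead.

```bash
#!/bin/sh
# Added example: read the state, default incoming policy and a per-port
# verdict out of `ufw status verbose` output.

# Constructed sample: UFW active, matching the output shown in this guide.
UFW_ACTIVE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)'

# Constructed sample: UFW installed but not managing the firewall.
UFW_INACTIVE='Status: inactive'

# ufw_status: print the word after "Status:" (active or inactive).
ufw_status() { awk '$1 == "Status:" { print $2; exit }'; }

# ufw_default_incoming: print the default incoming policy (deny, allow or reject).
# The Default line always lists the incoming policy first.
ufw_default_incoming() { awk '$1 == "Default:" { print $2; exit }'; }

# ufw_inbound_verdict PORT/PROTO: explain what UFW does with new inbound
# connections to that port, e.g. "22/tcp". Possible answers:
#   not-managed        UFW is inactive, so look at iptables/firewalld instead
#   allowed            an explicit "ALLOW IN" rule matches the port
#   blocked            no rule matches and the default incoming policy is deny/reject
#   allowed-by-default no rule matches but the default incoming policy is allow
ufw_inbound_verdict() {
  awk -v want="$1" '
    $1 == "Status:"  { status = $2 }
    $1 == "Default:" { def_in = $2 }
    # rule rows start with the "To" column, e.g. "22/tcp (OpenSSH) ALLOW IN Anywhere"
    $1 == want && $0 ~ /ALLOW IN/ { rule = 1 }
    END {
      if (status != "active")                            print "not-managed"
      else if (rule)                                     print "allowed"
      else if (def_in == "deny" || def_in == "reject")   print "blocked"
      else                                               print "allowed-by-default"
    }'
}

# Usage on a live system (not run here):
#   sudo ufw status verbose | ufw_inbound_verdict 22/tcp
```

The verdict function only recognises rules written with an explicit port and protocol in the "To" column; a rule added as a bare port number (`ufw allow 22`) shows up as `22` rather than `22/tcp`, so pass the spelling UFW prints.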

If you have a Rcs.is Cloud Firewall set up with conflicting rules, you can disable your UFW firewall by typing:

sudo ufw disable

If you want to keep your Rcs.is’s firewall in place to filter types of traffic not covered by Rcs.is’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the UFW rules by following the UFW Essentials: Common Firewall Rules and Commands guide.

FirewallD is an interface for managing a netfilter firewall designed to be user friendly. It is available for most Linux operating systems. If your Rcs.is runs FirewallD, you can view the current traffic rules with a sequence of checks.

First, check whether FirewallD is active using the --state flag:

sudo firewall-cmd --state

If you receive the message running, check the active zones using the --get-active-zones flag:

sudo firewall-cmd --get-active-zones

The command returns the network interfaces whose traffic is currently controlled by FirewallD rules.

public
  interfaces: eth0

If FirewallD has active zones, it means that it is evaluating traffic against a set of rules. In the example output, FirewallD is currently managing traffic for the Rcs.is’s eth0 network interface.

You can display the ports and services associated with each of the active zones with the --info-zone option:

sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Check whether any ports are open by looking at:

  • The target value. If this is set to DROP or %%REJECT%%, the Rcs.is denies all traffic regardless of the other settings.
  • The ports value. This lists ports explicitly allowed through the firewall.
  • The services value. This lists services that are allowed through the firewall. In the example output above, the dhcpv6-client and ssh services are allowed through the firewall.
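The three values listed above (target, ports and services) can be pulled out of saved `firewall-cmd --info-zone` output with a few lines of shell. The functions below are an added example written for this guide, not part of FirewallD; the first sample is constructed to match the `public` zone listing shown above, and the second is a constructed zone with a DROP target and an explicitly opened port so that both list forms are exercised. On a real server pipe `sudo firewall-cmd --info-zone=public` into the functions.

```bash
#!/bin/sh
# Added example: read individual fields out of `firewall-cmd --info-zone` output
# and check whether a service or port is listed as opened in the zone.

# Constructed sample: the public zone as shown in this guide.
ZONE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:'

# Constructed sample: a zone with a DROP target and one explicitly opened port.
ZONE_STRICT='strict (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:'

# zone_field KEY: print the value of the "KEY: value" line (empty if unset).
# Example: zone_field services -> "dhcpv6-client ssh"
zone_field() {
  awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# zone_opened ITEM: print "yes" if ITEM appears in the services or ports list
# (e.g. "ssh" or "8080/tcp"), otherwise "no".
zone_opened() {
  awk -v item="$1" '
    $1 == "services:" || $1 == "ports:" {
      for (i = 2; i <= NF; i++) if ($i == item) found = 1
    }
    END { print (found ? "yes" : "no") }'
}

# Usage on a live system (not run here):
#   sudo firewall-cmd --info-zone=public | zone_opened ssh
#   sudo firewall-cmd --info-zone=public | zone_field target
```

`zone_opened` only matches the spelling FirewallD prints, so a service must be queried by its service name (`ssh`) and a port by `number/protocol` (`8080/tcp`); to map a service name to its ports use the `--get-ports --service=` command shown in the next step.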

You can also check the ports associated with these services by typing:

sudo firewall-cmd --permanent --get-ports --service=dhcpv6-client
sudo firewall-cmd --permanent --get-ports --service=ssh

The example commands return the ports and network protocols associated with the services.

546/udp
22/tcp

If you have a Rcs.is Cloud Firewall set up with conflicting rules, you can disable your firewall via FirewallD by typing:

sudo systemctl stop firewalld
sudo systemctl disable firewalld

If you want to keep your Rcs.is’s firewall in place to filter types of traffic not covered by Rcs.is’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the FirewallD rules by following the How To Set Up a Firewall Using FirewallD on CentOS 7 guide.

IPTables is a utility program that manages firewalls on Linux systems. It’s native to all Linux operating systems. If you are using IPTables to manage the Rcs.is’s firewall, you can view the current IPv4 filtering rules by typing:

sudo iptables --line-numbers -vL

The --line-numbers flag prepends a num column to the output so that individual rules can be referred to by position. The -vL flags list the rules (-L) with verbose output (-v), which adds the packet and byte counters and the in/out interface columns.

Chain INPUT (policy DROP 1 packets, 40 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      764 56512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 374 packets, 97673 bytes)
num   pkts bytes target     prot opt in     out     source               destination

The output indicates:

  • The default policy for incoming and outgoing traffic (DROP for incoming, and ACCEPT for outgoing).
  • The exceptions to the default policies. In the example output above, the policy contains exemptions for incoming TCP traffic to ports 22 and 80.
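Both checks this guide performs on iptables output, the "is the firewall active" check from the first section and the policy-and-exceptions reading described just above, can be scripted over a saved listing. The functions below are an added example written for this guide, not part of iptables or of Rcs.is tooling; the two samples are constructed copies of the empty listing and the verbose listing shown in this guide. On a real server feed them `sudo iptables -vL` and, for the IPv6 table, `sudo ip6tables -vL`.

```bash
#!/bin/sh
# Added example: classify `iptables -L` / `iptables -vL` output and list the
# INPUT exceptions (ACCEPT rules that match a destination port).

# Constructed sample: an inactive filter table (all policies ACCEPT, no rules).
IPT_INACTIVE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: verbose listing with a DROP policy and two port exceptions.
IPT_ACTIVE='Chain INPUT (policy DROP 1 packets, 40 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      764 56512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 374 packets, 97673 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# chain_policy CHAIN: print the default policy of a built-in chain.
# The header reads "Chain INPUT (policy DROP ...)", so the policy is field 4.
chain_policy() {
  awk -v chain="$1" '$1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4; exit }'
}

# firewall_active: print "active" if any chain policy is not ACCEPT or any
# chain carries at least one rule, otherwise "inactive".
firewall_active() {
  awk '
    $1 == "Chain" { gsub(/[()]/, "", $4); if ($4 != "ACCEPT") active = 1; next }
    # column header rows start with "target" (plain) or "num" (--line-numbers);
    # blank lines separate chains
    $1 == "target" || $1 == "num" || NF == 0 { next }
    { active = 1 }
    END { print (active ? "active" : "inactive") }'
}

# input_exceptions: print "proto/port" for every ACCEPT rule in the INPUT chain
# that matches a destination port, e.g. "tcp/22 tcp/80". Rules without a
# dpt: match (loopback, conntrack) are not listed.
input_exceptions() {
  awk '
    $1 == "Chain" { inchain = ($2 == "INPUT"); next }
    inchain && $0 ~ /ACCEPT/ {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^dpt:/) {
          sub(/^dpt:/, "", $i)
          out = out (out ? " " : "") $(i - 1) "/" $i   # field before dpt: is the protocol
        }
    }
    END { print out }'
}

# Usage on a live system (not run here):
#   sudo iptables -vL | firewall_active
#   sudo iptables -vL | input_exceptions
```

The same functions work on the plain `iptables -L` output from the first section, because the chain headers and the rule/header rows are recognised by their first word rather than by column position. UFW-managed tables report as "active" through the jump rules in the built-in chains even when the only real filtering happens in the `ufw-user-input` chain.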

The iptables command only displays the rules for filtering IPv4 traffic. To show the IPv6 filtering rules, rerun the command using the ip6tables command instead of iptables.

If your Rcs.is Cloud Firewall has rules that conflict with your iptables firewall, you can disable your iptables firewall by running:

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -F
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -F

If you are using a service like iptables-persistent or have a script loading iptables rules at boot, you may have to disable them to disable the firewall.

If you want to keep your Rcs.is’s firewall in place to filter types of traffic not covered by Rcs.is’s Cloud Firewall service, such as SFTP traffic, you should modify its rules to match the cloud firewall settings to ensure there are no conflicting rules between the two firewalls. You can learn how to modify the iptables rules by following the Iptables Essentials: Common Firewall Rules and Commands guide.

Next Steps

If you have determined that your Rcs.is’s firewall is not causing connectivity issues, proceed to check your Rcs.is’s networking configuration.
