CentOS : Is the port-5432 for me not accessible via internet?

Question

We installed a new CentOS server for testing and the configuration was a bit different as compared to debian. I am unsure at this moment if the port-5432 is secure for us. If not, how can I secure port-5432 running postgresql so that it's not accessible from internet. Although I remember adding a rule for port-5432, I cannot see it in Iptables.

This is not a debian system.

Iptables -S :

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


netstat -tulpn | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2938/postgres       
tcp6       0      0 ::1:5432                :::*                    LISTEN      2938/postgres

@l0b0 the suggested duplicate seems to be very Debian-centric, and so doesn't necessarily apply to CentOS. Does it? — Chris Davies, Mar 20 '18 at 12:45
@l0b0 : This is centos, not debian, I dont even have that file mentioned in that question. — We are Borg, Mar 20 '18 at 12:57
Using the answer of bahamat the /etc/iptables/rules will be on Centos /etc/sysconfig/iptables — GAD3R, Mar 20 '18 at 17:49

score 1 · Accepted Answer · answered Mar 20 '18 at 12:55

If you run netstat -tulpn | awk 'NR==2 || /:5432/' instead of your netstat ... grep you get the column headings too:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2938/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      2938/postgres

Looking at the Local Address column you can see that postgres is listening only on the loopback address (127.0.0.1). On this basis you can be reassured that it will not accept requests from any other system.

The firewall rule that you mentioned, to block this port, is clearly not present in the current ruleset so it may be that you didn't ensure it was saved (iptables rules do not persist over a reboot unless you have saved them first). According to the CentOS Wiki the correct method for saving rulesets is /sbin/service iptables save.

I have never rebooted the system. Its a server. As you said, I can see the local-address. Still, I executed iptables save command. Thank you. This is the only information I needed. :D — We are Borg, Mar 20 '18 at 13:00

CentOS : Is the port-5432 for me not accessible via internet?

1 Answers1