Question

I have a peculiar problem with my dedicated webserver. It's running CentOS and uses PLESK for administration through web.

I noticed the problem in the title when trying to update plugins in WordPress as well as WordPress itself. When trying to update a plugin or WordPress it throws me this error:

"Download failed.: Failed to connect to 72.233.56.139: Permission denied"

First thing I did was to apply a rule (in the PLESK firewall) that allowed both incoming and outgoing traffic to the IP, but to no avail. I further investigated this by SSHing into the server and checking the iptables, which has the following outgoing rules:

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02     reject-with tcp-reset
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            72.233.56.138
ACCEPT     tcp  --  0.0.0.0/0            72.233.56.138
ACCEPT     udp  --  0.0.0.0/0            72.233.69.88
ACCEPT     udp  --  0.0.0.0/0            72.233.69.89
ACCEPT     udp  --  0.0.0.0/0            66.135.58.62
ACCEPT     udp  --  0.0.0.0/0            66.135.58.61
ACCEPT     tcp  --  0.0.0.0/0            72.233.69.88
ACCEPT     tcp  --  0.0.0.0/0            72.233.69.89
ACCEPT     tcp  --  0.0.0.0/0            66.135.58.62
ACCEPT     tcp  --  0.0.0.0/0            66.135.58.61
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

The other IPs are for the Akismet anti-spam filter which is also not working (it cannot connect to the akismet servers).

I contacted my host and they looked into it, but the reply I got was that they didn't know (!) what caused the problem and said I needed to figure it out myself.

First thing I tried was to stop iptables and open up everything, but I still get permission denied on outgoing traffic (incoming is allowed and works perfectly as people can comment/spam like crazy on my blog).

Does anyone know what I could try to further troubleshoot this? It seems very strange that the traffic is still blocked even though the firewall is completely (?) shut down using "iptables stop".


Solution 2

Of all things, I eventually found out that the problem was caused by selinux which was set to "enforced". I changed it using

# nano -w /etc/sysconfig/selinux

and changing the line "SELINUX=enforcing" to "SELINUX=permissive", and rebooted my server. Now everything is working as it's supposed to.

Other tips

Take this stop firewall script; it works.

#! /bin/bash

# In order to flush all iptables rules , Run the following commands :

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

I had the same problem and your solution did work. However, the solution I found here https://unix.stackexchange.com/questions/8854/how-do-i-configure-selinux-to-allow-outbound-connections-from-a-cgi-script was able to fix it as well without the need of completely disabling the SELinux firewall features.
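
Added example, not part of any post above: a script that reads audit log lines, lists the SELinux denials of outbound connections (`name_connect`) and prints the boolean to set instead of leaving the whole system in permissive mode. The sample log lines are constructed, the function names are hypothetical, and `httpd_can_network_connect` is assumed to be the relevant boolean because the web server runs in the `httpd_t` domain of the standard targeted policy.

```shell
#!/bin/bash
# Added example: find SELinux denials of outbound connections made by the web server.
# SAMPLE_AUDIT is constructed audit.log content, not taken from the original page.
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000001.500:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="foo" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000002.900:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# Print "comm dest domain" for every denied name_connect (an outbound TCP connect).
avc_outbound_denials() {
  awk '/avc:[ ]+denied/ && index($0, "{ name_connect }") > 0 {
    comm = dest = dom = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
      if ($i ~ /^dest=/)     { dest = substr($i, 6) }
      # scontext is user:role:type:level; the type is the process domain
      if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
    }
    print comm, dest, dom
  }'
}

# Read that output; suggest the boolean when the web server domain was denied.
recommend() {
  awk '$3 == "httpd_t" { hit = 1 }
       END {
         if (hit) print "setsebool -P httpd_can_network_connect 1"
         else     print "no httpd_t name_connect denials found"
       }'
}

# On a server, pass the audit log as the first argument,
# e.g. /var/log/audit/audit.log (needs root to read).
if [ -n "${1:-}" ]; then
  avc_outbound_denials < "$1" | recommend
fi
```

Denials are still logged in permissive mode, so the script can be run before switching back to enforcing.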

License: CC-BY-SA with attribution
Not affiliated with StackOverflow