fosiul01
asked on
SELinux and port 80 opening problem
Hi,
I have SELinux enabled.
Currently this is my iptables -L:
[root@workshop ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Now I have added these rules:
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT --syn
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp -s 0/0 -d 0/0 --sport 80 -j ACCEPT
After this my iptables is like this:
[root@workshop ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:http
But still I can't telnet to port 80 or open any web page.
But if I flush the iptables rules then I can access the website.
Without flushing iptables, what else do I need to do?
[Note: after adding those rules I did not save iptables, because I wanted to see if those rules work or not; if those rules work then I wanted to save the iptables rules. What I am thinking is, to make those rules work do I need to save first? (I don't think so)]
ASKER
Yep, that works!!!
So much to learn!!!
These Chain RH-Firewall-1-INPUT (2 references) rules, are they for SELinux?
No, not really....
That bit is the chain name. Think of it as a security layer.
Like a garden gate, house door, room door.
You define what is allowed to get through each security level.
This is the main firewall level, so most things are allowed / denied here.
It can be called anything (as long as all the references to it are changed).
The rule set was designed by a Red Hat utility, so that is why it is called that.
ASKER
Hmm, the reason I am asking this:
normally, I used this command:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT and it does open 80 for everyone.
But here this command did not work.
I had to use
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Why is that?
Again, think of it as in the above example.... layers of security to get to your PC.
Garden gate..... house door..... room door.....
A very basic setup has the firewall in one layer... INPUT.
If this is the case you add the rule to that layer.
In your example above the rule inside INPUT sends it straight on to the next layer, RH-Firewall-1-INPUT.
So you now have a garden gate (INPUT) and a house door (RH-Firewall-1-INPUT).
If you add the rule to the INPUT chain then you are opening that port on the garden gate, but the real firewall checks are being done at the front door. So your data will then come in and get blocked at the next layer, resulting in no answer.
When you add it to the firewall level, the traffic comes in, gets forwarded on from the INPUT level, gets checked at the RH-Firewall level and gets through, as you have opened port 80 (or the DNS port in a separate question).
Hope this helps.....
Ed.
ASKER
OK, so you are saying here the RH-Firewall chain will work as the room door?
ASKER CERTIFIED SOLUTION
The easiest way to get round this is to go and edit the iptables backup file.
(First make a backup of this file in case you mess it up.)
This varies between distros, so do a quick search for it.
From memory Red Hat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the REJECT and then reload it.
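The symptom in the question (everything works once the rules are flushed) is a rule-ordering problem in the packet filter, not SELinux: the listing after the three `-A` commands shows the new `dpt:http` rules sitting *below* the chain's `REJECT all ... reject-with icmp-host-prohibited`, and a terminating rule never lets a packet reach anything after it. The accepted answer's fix is to move the lines above the REJECT in `/etc/sysconfig/iptables`; the same thing can be done live with `iptables -I CHAIN N` at the REJECT's position. The script below is an added example, not code from the thread or from Red Hat: it reads `iptables -L CHAIN -n --line-numbers` output, reports the rules that can never match, and prints the insert command that lands above the catch-all. The embedded listing is constructed to mirror the one in the question; `open_http_command`, `first_catchall_index` and `unreachable_rules` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original thread). Operates on the output of
#   iptables -L RH-Firewall-1-INPUT -n --line-numbers
# so that a rule can be inserted *above* the chain's catch-all REJECT/DROP
# instead of appended below it, where it can never match.

# Constructed listing that mirrors the question's chain after the three
# "-A ... --dport 80" commands (rule numbers added as --line-numbers would).
sample_listing() {
cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
num  target prot opt source   destination
1    ACCEPT all  --  anywhere anywhere
2    ACCEPT icmp --  anywhere anywhere     icmp any
3    ACCEPT esp  --  anywhere anywhere
4    ACCEPT ah   --  anywhere anywhere
5    ACCEPT udp  --  anywhere 224.0.0.251  udp dpt:mdns
6    ACCEPT udp  --  anywhere anywhere     udp dpt:ipp
7    ACCEPT tcp  --  anywhere anywhere     tcp dpt:ipp
8    ACCEPT all  --  anywhere anywhere     state RELATED,ESTABLISHED
9    ACCEPT tcp  --  anywhere anywhere     state NEW tcp dpt:ssh
10   REJECT all  --  anywhere anywhere     reject-with icmp-host-prohibited
11   ACCEPT tcp  --  anywhere anywhere     tcp dpt:http flags:FIN,SYN,RST,ACK/SYN
12   ACCEPT tcp  --  anywhere anywhere     tcp dpt:http
13   ACCEPT tcp  --  anywhere anywhere     tcp spt:http
EOF
}

# Print the rule number of the first catch-all terminating rule in the
# listing on stdin: REJECT or DROP, proto "all", any source, any
# destination, and no match apart from an optional "reject-with".
# Prints nothing and exits 1 if the chain has no such rule.
first_catchall_index() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
        ($5 == "anywhere" || $5 == "0.0.0.0/0") &&
        ($6 == "anywhere" || $6 == "0.0.0.0/0") &&
        (NF == 6 || (NF == 8 && $7 == "reject-with")) { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Print every rule below that catch-all. Those rules are dead, which is
# what happened to the three HTTP rules appended in the question.
unreachable_rules() {
    listing=$(cat)
    idx=$(printf '%s\n' "$listing" | first_catchall_index) || return 0
    printf '%s\n' "$listing" | awk -v idx="$idx" '$1 ~ /^[0-9]+$/ && $1 + 0 > idx + 0'
}

# Emit the command that accepts new TCP/80 connections in CHAIN at the
# catch-all's slot (the REJECT moves down one). One rule is enough: the
# RELATED,ESTABLISHED rule already covers replies and later packets, so the
# --syn and --sport 80 variants from the question add nothing.
open_http_command() {
    chain=$1
    rule="-m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
    if idx=$(first_catchall_index); then
        echo "iptables -I $chain $idx $rule"
    else
        echo "iptables -A $chain $rule"   # no catch-all: appending is fine
    fi
}

CHAIN=RH-Firewall-1-INPUT
case "${1:-}" in
    --live)
        # Root only: inspect the real chain. Review the printed command, run
        # it, then persist it with "service iptables save".
        iptables -L "$CHAIN" -n --line-numbers | open_http_command "$CHAIN"
        ;;
    *)
        echo "# dead rules below the catch-all REJECT:"
        sample_listing | unreachable_rules
        echo "# command that puts the HTTP rule above it:"
        sample_listing | open_http_command "$CHAIN"
        ;;
esac
```

`-n` keeps iptables from resolving addresses and port names, which is both faster and gives the `0.0.0.0/0` form the script also accepts. On RHEL/CentOS of that era, `service iptables save` rewrites `/etc/sysconfig/iptables` from the running rule set, so inserting with `-I` and then saving ends in the same state as hand-editing the file and restarting the service, with the `-A RH-Firewall-1-INPUT ... --dport 80 -j ACCEPT` line sitting above the `-j REJECT --reject-with icmp-host-prohibited` line.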