Solved

SELinux and port 80 opening problem

Posted on 2008-10-08
1,073 Views
Last Modified: 2013-12-16
Hi,
I have SELinux enabled.

Currently this is my iptables -L output:

[root@workshop ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Now I have added these rules:

iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT  --syn
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp -s 0/0 -d 0/0 --sport 80 -j ACCEPT

After this my iptables looks like this:

[root@workshop ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http

But still I can't telnet to port 80 or open any webpage.

But if I flush the iptables rules then I can access the website.

Without flushing iptables, what else do I need to do?

[Note: after adding those rules I did not save iptables, because I wanted to see if those rules work or not; if those rules work then I wanted to save the iptables rules. What I am thinking is, to make those rules work do I need to save first? (I don't think so.)]



Question by:fosiul01
7 Comments
 
LVL 20

Expert Comment

by:edster9999
ID: 22668009
Look at the order of the rules at the bottom. They have gone in after the 'REJECT', which should be the last one. This means: if you hit this point and still have not found a matching rule, then reject everything else.

The easiest way to get round this is to go and edit the iptables backup file.
(First make a backup of this file in case you mess it up.)

This varies between distros, so do a quick search for it.
From memory, Red Hat puts it in
/etc/sysconfig/iptables
Copy and paste the lines you have just added above the reject and then reload it.

0
 
LVL 29

Author Comment

by:fosiul01
ID: 22668089
Yep, that works!!!

So much to learn!!!

These Chain RH-Firewall-1-INPUT (2 references) rules, are they for SELinux?
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22668232
No, not really....
That bit is the chain name. Think of it as a security layer.
Like garden gate, house door, room door.
You define what is allowed to get through each security level.
This is the main firewall level, so most things are allowed / denied here.
It can be called anything (as long as all the references to it are changed).
The rule set was designed by a Red Hat util, so that is why it is called that.
0

 
LVL 29

Author Comment

by:fosiul01
ID: 22668329
Umm, the reason I am asking this:

Normally, I used this command:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT and it does open 80 for everyone.

But here this command did not work.

I had to use
iptables -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Why is that?
0
 
LVL 20

Expert Comment

by:edster9999
ID: 22668850
Again, think of it as in the above example.... layers of security to get to your PC.
Garden gate..... house door..... room door.....

A very basic setup has the firewall in one layer... INPUT.
If this is the case you add the rule to that layer.

In your example above, the rule inside INPUT sends it straight on to the next layer, RH-Firewall-1-INPUT.
So you now have a garden gate (INPUT) and a house door (RH-Firewall-1-INPUT).
If you add the rule to the INPUT chain then you are opening that port on the garden gate, but the real firewall checks are being done at the front door. So your data will then come in and get blocked at the next layer, resulting in no answer.

When you add it to the firewall level, the traffic comes in, gets forwarded on from the INPUT level, gets checked at the RH-Firewall level and gets through, as you have opened port 80 (or the DNS port in a separate question).

Hope this helps.....
Ed.
0
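The following is an added example, not code from the original thread and not Red Hat's own tooling. It models the chain traversal behind both of edster9999's answers: the ordering point in the first reply (rules appended below the REJECT are never reached) and the INPUT vs RH-Firewall-1-INPUT point in the reply just above. The ruleset is constructed from the `iptables -L` output in the question, trimmed to what matters for TCP/80 (the lo, icmp, esp, ah, mdns and ipp rules are left out); the Rule and Packet classes, the packet values and the port 3306 used in the last case are assumptions of the model.

```python
"""Added example (not from the thread): a minimal model of how netfilter walks
the INPUT chain of the ruleset in the question.  Rule/Packet and the packet
values are assumptions of the model, not part of iptables."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TERMINAL = {"ACCEPT", "REJECT", "DROP"}  # verdicts that end traversal


@dataclass
class Rule:
    target: str                      # ACCEPT/REJECT/DROP, or a user chain to jump to
    proto: str = "all"               # "all", "tcp", "udp", ...
    dport: Optional[int] = None      # --dport
    sport: Optional[int] = None      # --sport
    state: Set[str] = field(default_factory=set)  # -m state --state; empty = any
    syn: bool = False                # --syn: SYN set, ACK/FIN/RST clear


@dataclass
class Packet:
    proto: str
    dport: int
    sport: int
    state: str = "NEW"               # as conntrack would classify it
    syn: bool = True


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match given in the rule must hold; unspecified ones are wildcards."""
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (not rule.state or pkt.state in rule.state)
            and (not rule.syn or pkt.syn))


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet,
         policy: Optional[str] = "ACCEPT") -> Optional[str]:
    """Walk a chain top to bottom.  The first matching terminal target is the
    verdict.  A match whose target is a user chain jumps into it; we come back
    only if that chain falls off its end (implicit RETURN).  A built-in chain
    that falls off the end applies its policy; a user chain returns None."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


def redhat_chains() -> Dict[str, List[Rule]]:
    """Constructed from the listing in the question: INPUT only jumps to
    RH-Firewall-1-INPUT, which ends in an unconditional REJECT."""
    return {
        "INPUT": [Rule("RH-Firewall-1-INPUT")],
        "RH-Firewall-1-INPUT": [
            Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
            Rule("ACCEPT", "tcp", dport=22, state={"NEW"}),
            Rule("REJECT"),
        ],
    }


def http_syn() -> Packet:
    """A new inbound HTTP connection attempt (the `telnet host 80` in the question)."""
    return Packet("tcp", dport=80, sport=51515)


def verdict_as_posted() -> str:
    """The three rules from the question, appended with -A, so they sit below the REJECT."""
    chains = redhat_chains()
    chains["RH-Firewall-1-INPUT"] += [Rule("ACCEPT", "tcp", dport=80, syn=True),
                                      Rule("ACCEPT", "tcp", dport=80),
                                      Rule("ACCEPT", "tcp", sport=80)]
    return walk(chains, "INPUT", http_syn())


def verdict_appended_to_input() -> str:
    """`iptables -A INPUT -p tcp --dport 80 -j ACCEPT`: the rule lands after the
    jump, and the jump never returns because RH-Firewall-1-INPUT rejects first."""
    chains = redhat_chains()
    chains["INPUT"].append(Rule("ACCEPT", "tcp", dport=80))
    return walk(chains, "INPUT", http_syn())


def reject_position(chain: List[Rule]) -> int:
    """0-based index of the first REJECT/DROP; add 1 for the `iptables -I` rule number."""
    return next(i for i, r in enumerate(chain) if r.target in ("REJECT", "DROP"))


def verdict_inserted_before_reject() -> str:
    """`iptables -I RH-Firewall-1-INPUT <n> -p tcp -m state --state NEW --dport 80 -j ACCEPT`
    with <n> read off `iptables -L RH-Firewall-1-INPUT -n --line-numbers`."""
    chains = redhat_chains()
    rh = chains["RH-Firewall-1-INPUT"]
    rh.insert(reject_position(rh), Rule("ACCEPT", "tcp", dport=80, state={"NEW"}))
    return walk(chains, "INPUT", http_syn())


def verdict_source_port_trick() -> str:
    """Caveat on the posted `--sport 80` rule: above the REJECT it accepts any
    new connection whose sender chose source port 80, here one to port 3306."""
    chains = redhat_chains()
    rh = chains["RH-Firewall-1-INPUT"]
    rh.insert(reject_position(rh), Rule("ACCEPT", "tcp", sport=80))
    return walk(chains, "INPUT", Packet("tcp", dport=3306, sport=80))


if __name__ == "__main__":
    for fn in (verdict_as_posted, verdict_appended_to_input,
               verdict_inserted_before_reject, verdict_source_port_trick):
        print(f"{fn.__name__}: {fn()}")
```

What the model shows: netfilter evaluates a chain top to bottom and REJECT is terminal, so the three rules appended in the question are dead code, and a rule appended to INPUT sits below the jump to RH-Firewall-1-INPUT, which never returns for a packet that chain rejects. On the box itself, the in-memory equivalent of editing /etc/sysconfig/iptables is `iptables -L RH-Firewall-1-INPUT -n --line-numbers` to read off the REJECT's number, then `iptables -I RH-Firewall-1-INPUT <n> -p tcp -m state --state NEW --dport 80 -j ACCEPT`. That takes effect immediately; `service iptables save` (which writes /etc/sysconfig/iptables on Red Hat) only matters for surviving a reboot, which answers the question's note. The `--sport 80` rule should be dropped entirely: the RELATED,ESTABLISHED rule already admits the web server's replies, and an ACCEPT keyed only on source port 80 is passed by any client that binds its own source port to 80.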
 
LVL 29

Author Comment

by:fosiul01
ID: 22669025
OK, so you are saying here the RH-Firewall chain will work as a room door?
0
 
LVL 20

Accepted Solution

by: edster9999 (earned 500 total points)
ID: 22669146
Yes.
It is a layer inside INPUT.

It is generally seen as a good system to keep all the firewall rules in a layer like this (called anything; the name doesn't matter, but RH-Firewall is fine).
0