How do I configure my Linux Fedora 12 firewall to be reasonably secure while serving up external web requests to my Apache 2 web server?

Hello,

My LAN operates at 192.168.1.xxx.

My Fedora 12 Linux box running Apache 2 is located at 192.168.1.99 (static IP).

When I'm physically on this Fedora 12 Linux box, I'm able to use Firefox to successfully display the Fedora Web Test Page by navigating to either http://192.168.1.99/ OR http://myhost.mydomain/

PROBLEM IS...This does not work on any other machine on my network.

Therefore, I *suspect* that my Linux "firewall" needs to be reconfigured to accept external requests.

QUESTION...What do I need to do to get my Linux-Apache machine serving up web pages to other machines on the same network?
SqueezeOJAsked:

sukamtoCommented:
Look into your /etc/httpd/conf/httpd.conf
and make sure the "Listen" part includes your LAN network.
0
sukamtoCommented:
Or, to open the firewall HTTP port, try the commands below.

iptables -A INPUT -p tcp --dports 80 -j ACCEPT
service iptables save

If possible, post your iptables status with the command:
service iptables status

0
AsrCommented:
Hi,
You need to allow all related connections using the iptables state module. Try this one:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
0

SqueezeOJAuthor Commented:
Thank you for your quick responses.  I will try your solutions this afternoon (Eastern US Time) - and get back with what I find.
Jason
0
SqueezeOJAuthor Commented:
Here's what I found...(I ran all commands after su-ing)

______Sukamto______

gedit /etc/httpd/conf/httpd.conf shows this for listen:

#Listen 12.34.56.78:80
Listen 80

iptables -A INPUT -p tcp --dports 80 -j ACCEPT

Returns Error:  iptables v1.4.5: unknown option `--dports'

______Asr______

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Runs without error but didn't solve the problem.

______Everyone______

Problem still persists.

Cannot use another LAN computer to display the web page on the Linux Apache box. The connection simply times out.

I am able to successfully PING the Linux Apache box at 192.168.1.99 from other LAN computers.

I will post the results of service iptables status in the next post.

0
SqueezeOJAuthor Commented:
Results of service iptables status...

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination  
0
sukamtoCommented:
Sorry, typo: it should be --dport, not --dports.
Please try this:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
service iptables save

Then post the result of "service iptables status" again if it still fails.
0
SqueezeOJAuthor Commented:
Hi Sukamto,

Problem still persists. PING works fine, but http://192.168.1.99 and http://192.168.1.99:80 both say "Connection has timed out". Here is the output from my terminal:

>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
>> service iptables status

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

What should I do next?

Thanks for your time!

Jason
0
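The listing above also shows why the appended rule changed nothing: rule 6 (ACCEPT tcp dpt:80) sits below rule 5, a catch-all REJECT, so packets never reach it. The following Python script is an added example, not code from the thread or from Fedora; it parses that `service iptables status` output (embedded here as constructed sample input) and derives the `iptables -I` command that places the ACCEPT above the REJECT. The function names are my own.

```python
import re

# Constructed sample: the INPUT chain from `service iptables status` as posted
# above, after `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` had been run.
SAMPLE_STATUS = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
"""

# Columns: num target prot opt source destination [match options...]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(text):
    """Return {chain: [rule dicts]} from `service iptables status` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and (m := RULE_RE.match(line)):
            num, target, prot, _opt, src, dst, extra = m.groups()
            chains[current].append({"num": int(num), "target": target, "prot": prot,
                                    "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def is_catch_all_terminator(rule):
    """REJECT/DROP with no match restrictions: nothing below it is ever evaluated."""
    opts = rule["extra"]
    return (rule["target"] in ("REJECT", "DROP") and rule["prot"] == "all"
            and rule["src"] == rule["dst"] == "0.0.0.0/0"
            and (opts == "" or opts.startswith("reject-with ")))

def shadowed_rules(rules):
    """Return (terminator rule number, rules listed after it) or (None, [])."""
    for i, rule in enumerate(rules):
        if is_catch_all_terminator(rule):
            return rule["num"], rules[i + 1:]
    return None, []

def suggest_fix(chain, rules):
    """`iptables -I` commands that place each shadowed ACCEPT above the terminator."""
    term, hidden = shadowed_rules(rules)
    return [f"iptables -I {chain} {term} -p {r['prot']} "
            f"{r['extra'].replace('tcp dpt:', '--dport ')} -j ACCEPT"
            for r in hidden if r["target"] == "ACCEPT"]
```

After the insert the stale appended rule becomes number 7 and can be removed with `iptables -D INPUT 7` before `service iptables save`. Note that this status listing omits the interface column, so run `iptables -L INPUT -n -v --line-numbers` to confirm that rule 3 is restricted to `lo`, as it typically is on a default Fedora install, rather than accepting everything.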
SqueezeOJAuthor Commented:
Problem Solved!  Here's what I did...

  • System --> Administration --> Firewall
  • Type in the root password
  • On the Trusted Services tab I selected the following ports:
      • WWW (HTTP) - 80 / tcp
      • Secure WWW (HTTPS) - 443 / tcp
  • Clicked the Apply button and confirmed my changes
  • Went to another PC on the LAN and tested it. It worked fine!
0
