Solved

Linux firewall configuration

Posted on 2013-01-25
Medium Priority
402 Views
Last Modified: 2013-02-08
I am running into some issues with the Fedora firewall. I installed httpd and I can access the server just fine if I disable iptables via "service iptables stop". But that's not the desired action; I would like to have the firewall running and permit HTTP and HTTPS traffic, as well as SSH2 traffic, to pass through the firewall.

Here is what I currently have:

# Generated by iptables-save v1.4.12.2 on Fri Jan 25 19:07:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79:8916]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 25 19:07:36 2013

If I do an "iptables -L" I get the below. I restarted and stopped the service several times with no luck:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Question by:AlexPonnath
5 Comments

Expert Comment

by:farzanj
ID: 38820065
So what seems to be the problem?

Let me guess. It looks like it allows everything.
The reason is
ACCEPT     all  --  anywhere             anywhere

which is the third rule. It allows everything.

You have to modify the /etc/sysconfig/iptables file and restart your service:
service iptables restart

When you issue commands, you need to do this first:
service iptables save
service iptables restart

Author Comment

by:AlexPonnath
ID: 38844945
Reread my post; I said it does not allow HTTP or HTTPS traffic if iptables is running, so your comment does not address the issue.

Expert Comment

by:farzanj
ID: 38845034
I reread it and it doesn't say it didn't let those protocols pass through. You said you would like to allow them, but I am encouraged by your clarification, though after a week of anticipation.

Regarding the issue, your firewall rules are a little out of sequence. It should be all allow rules before deny rules. For STATEs, it should be NEW,ESTABLISHED,RELATED all together.

When you say all protocols from anywhere to anywhere, it should allow it. My guess is that it is NOT a firewall issue.

I would check the logs for any message when connections get blocked. To make troubleshooting easy, you should first save your rules as a backup, then flush the firewall and also stop the service. If it still doesn't let your traffic flow, you would know it is not a firewall issue. It could be something else, perhaps TCP wrappers or anything else.

Save the rules, then flush and stop:

cp /etc/sysconfig/iptables /location/iptables.bak
iptables -F
service iptables stop
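The rule-order point raised in the comment above, and the two listings in the question, are easier to check mechanically than by eye. What follows is an added example, not code from the thread or from either participant. It constructs the INPUT chain in the order the poster's "iptables -L" output shows it (that output hides the in/out interface column unless you pass -v, which is why the "-i lo" rule appears as a bare "ACCEPT all"); the http and https ACCEPT rules there sit after the catch-all REJECT, so no packet ever reaches them. The script finds such unreachable rules in any chain of an iptables-save style listing and emits the same rules with the catch-all deny moved to the end of the chain. The sample rule text is constructed here to mirror the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find rules that can never match because a
# catch-all REJECT/DROP precedes them in the same chain, and emit a reordered
# rule set in which the catch-all deny comes last.

# Constructed sample, NOT the poster's file: the live INPUT chain in the order
# the thread's "iptables -L" output lists it.  The bare "ACCEPT all" line in
# that output is the "-i lo" rule; plain "iptables -L" hides the interface column.
LIVE_INPUT_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT'

# shadowed_rules CHAIN
#   Reads iptables-save style rules on stdin and prints every rule in CHAIN that
#   follows a catch-all REJECT/DROP in that chain.  A catch-all is a rule with
#   no match options at all ("-A CHAIN -j REJECT ..."), so it terminates the
#   chain for every packet and anything after it is dead.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1; next }
        $1 == "-A" && $2 == chain && blocked { print }'
}

# with_catchall_last CHAIN
#   Same input; moves every catch-all REJECT/DROP in CHAIN to the end of that
#   chain (before COMMIT when a full iptables-save file is given, otherwise at
#   end of input).  All other lines, including other tables, pass through as-is.
with_catchall_last() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { held = held $0 "\n"; next }
        $0 == "COMMIT" { printf "%s", held; held = "" }
        { print }
        END { printf "%s", held }'
}

# Stand-alone run: report the unreachable rules, then show the fixed order.
echo "Unreachable INPUT rules:"
printf '%s\n' "$LIVE_INPUT_RULES" | shadowed_rules INPUT
echo
echo "Reordered INPUT chain:"
printf '%s\n' "$LIVE_INPUT_RULES" | with_catchall_last INPUT
```

On the poster's Fedora setup the same check applies to /etc/sysconfig/iptables: run "iptables-save | sh thisscript.sh" style checks against the live rules, or simply make sure the "-j REJECT --reject-with icmp-host-prohibited" line is the last INPUT rule in that file before "service iptables restart". If you add rules by hand, "iptables -I INPUT 5 ..." inserts at a position above the REJECT, whereas "iptables -A INPUT ..." appends below it and recreates exactly the dead-rule situation shown in the question; "iptables -L -n -v" shows the interface column and the per-rule packet counters, and a counter that never moves on an ACCEPT rule is the quickest sign that it is shadowed.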

Accepted Solution

by:AlexPonnath (earned 0 total points)
ID: 38849828
I solved the issue, but again your comment did not help. And if you read correctly, I said clearly that with iptables disabled it works and with it enabled it doesn't. So it had to do with the rules. No need to comment further here since I solved the issue.

Author Closing Comment

by:AlexPonnath
ID: 38867432
The other person did not provide any relevant information on the issue which helped to resolve the problem.
