Solved

Linux firewall configuration

Posted on 2013-01-25
Last Modified: 2013-02-08
I am running into some issues with the Fedora firewall. I installed httpd and I can access the server just fine if I disable iptables via "service iptables stop". But that's not the desired action; I would like to have the firewall running and permit HTTP and HTTPS traffic as well as SSH2 traffic to pass through the firewall.

Here is what I currently have:

# Generated by iptables-save v1.4.12.2 on Fri Jan 25 19:07:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79:8916]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 25 19:07:36 2013

If I do an "iptables -L" I get the below. I restarted and stopped the service several times with no luck.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Question by:AlexPonnath
LVL 31

Expert Comment

by:farzanj
ID: 38820065
So what seems to be the problem?

Let me guess. Looks like it allows everything.
The reason is

ACCEPT     all  --  anywhere             anywhere

which is the third rule. It allows everything.

You have to modify the /etc/sysconfig/iptables file and restart your service:
service iptables restart

When you issue commands, you need to do first:
service iptables save
service iptables restart
 

Author Comment

by:AlexPonnath
ID: 38844945
Reread my post. I said it does not allow HTTP or HTTPS traffic if iptables is running, so your comment does not address the issue.
 
LVL 31

Expert Comment

by:farzanj
ID: 38845034
I reread and it doesn't say it didn't let those protocols pass through. You said you would like to allow them, but I am encouraged by your clarification, though, after a week of anticipation.

Regarding the issue, your firewall rules are a little out of sequence. It should be all allows before deny rules. For STATEs, it should be NEW,ESTABLISHED,RELATED all together.

When you say all protocols from anywhere to anywhere, it should allow it.  My guess is that it is NOT a firewall issue.

I would check the logs for any message when connections get blocked.  To make troubleshooting easy, you should first save your rules as backup, then flush firewall and also stop the service.  If it still doesn't let your traffic flow, you would know it is not a firewall issue.  It could be something else, perhaps TCP wrappers or anything else.

Save the rules:

cp /etc/sysconfig/iptables /location/iptables.bak
iptables -F
service iptables stop

Accepted Solution

by:
AlexPonnath earned 0 total points
ID: 38849828
I solved the issue, but again your comment did not help. And if you read correctly, I said clearly that with iptables disabled it works and with it enabled it doesn't. So it had to do with the rules. No need to further comment here since I solved the issue.
 

Author Closing Comment

by:AlexPonnath
ID: 38867432
The other person did not provide any relevant information on the issue which helped to resolve the problem.
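As an added example (not code from the thread), the following Python script flags rules that can never match because a terminal catch-all rule (one with no match options at all, like the REJECT line in the question) sits ahead of them in the same chain, and rewrites each chain so that its catch-all comes last. It reads iptables-save format rather than the output of "iptables -L", because the plain -L listing hides interface matches, so the "-i lo" rule shows up as a bare "ACCEPT all anywhere anywhere". The sample ruleset is constructed to mirror the running INPUT chain shown in the question, where REJECT was loaded before the port 80 and 443 rules.

```python
from collections import defaultdict

# Constructed sample in iptables-save format, in the order the running INPUT
# chain was listed in the question (the REJECT rule precedes the 80/443 rules).
LOADED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Targets that end evaluation of the chain for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Yield (chain, match_spec, target) for every '-A' line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "-A" or "-j" not in parts:
            continue
        j = parts.index("-j")
        yield parts[1], " ".join(parts[2:j]), parts[j + 1]


def shadowed_rules(text):
    """Return rules that are unreachable because an earlier rule in the same
    chain is a terminal catch-all (a rule with no match options)."""
    blocked, shadowed = set(), []
    for chain, spec, target in parse_rules(text):
        if chain in blocked:
            shadowed.append((chain, spec, target))
        elif spec == "" and target in TERMINAL:
            blocked.add(chain)
    return shadowed


def move_catch_all_last(text):
    """Return the '-A' lines with each chain's catch-all terminal rules moved
    to the end of that chain, which is the order the saved file on this page has."""
    specific, catch_all, chains = defaultdict(list), defaultdict(list), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "-A" or "-j" not in parts:
            continue
        chain, j = parts[1], parts.index("-j")
        if chain not in chains:
            chains.append(chain)
        bucket = catch_all if j == 2 and parts[j + 1] in TERMINAL else specific
        bucket[chain].append(line)
    return [l for c in chains for l in specific[c] + catch_all[c]]
```

Running shadowed_rules on the sample reports the two port rules that never see traffic; after move_catch_all_last the same check reports nothing.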