Solved

Linux firewall configuration

Posted on 2013-01-25
5
392 Views
Last Modified: 2013-02-08
I am running into some issues with fedora firewall. I installed httpd and i can access the server just fine if i disable the iptables vi service iptables stop. But thats not the desired action, i would like to have the firwall running and permit http and https traffic as well as ssh2 traffic to pass thru firewall

here is what i currently have

# Generated by iptables-save v1.4.12.2 on Fri Jan 25 19:07:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79:8916]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 25 19:07:36 2013

if i do a "iptables -L" i get the below, i restarted and stoped the service several times with no luck
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
Comment
Question by:AlexPonnath
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 38820065
So what seems to be the problem?

Let me guess.  Looks like it allows everything.
The reason is
ACCEPT     all  --  anywhere             anywhere

which is the third rule.  It allows everything.

You have to modify /etc/sysconfig/iptables file and restart your
service iptables restart

When you issue commands, you need to do first
service iptables save
service iptables restart
0
 

Author Comment

by:AlexPonnath
ID: 38844945
reread my post, i said it does not allow http or https traffic if iptables is running so your comment does not address the issue
0
 
LVL 31

Expert Comment

by:farzanj
ID: 38845034
I reread and it doesn't say it didn't let those protocols pass through.  You said you like to allow them, but  I am encouraged by your clarification though after a week of anticipation.

Regarding the issue, your firewall rules are little out of sequence.  It should be all allows before deny rules.  For STATEs, it should be NEW,ESTABLISHED,RELATED all together.

When you say all protocols from anywhere to anywhere, it should allow it.  My guess is that it is NOT a firewall issue.

I would check the logs for any message when connections get blocked.  To make troubleshooting easy, you should first save your rules as backup, then flush firewall and also stop the service.  If it still doesn't let your traffic flow, you would know it is not a firewall issue.  It could be something else, perhaps TCP wrappers or anything else.

Save rules.

cp /etc/sysconfig/iptables /location/iptables.bak
iptables -F
service iptables stop
0
 

Accepted Solution

by:
AlexPonnath earned 0 total points
ID: 38849828
i solved the issue but again your comment did not help. And if you read correctly, i said vlearly that with iptables disabled it works and with enabled it doesnt. So uit had to do with the rules. No need to further comment here since i solved the issue.
0
 

Author Closing Comment

by:AlexPonnath
ID: 38867432
other person did not provide any relevant information to the issue which helped to resolve the problem.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VMware vCloud Director - Automatic SNAT Creation 2 125
Gmail Account risks 4 107
Trunk and Port Security 4 88
Port to open for RDP connection to VM in DMZ ? 5 69
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question