• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

Linux firewall configuration

I am running into some issues with fedora firewall. I installed httpd and i can access the server just fine if i disable the iptables vi service iptables stop. But thats not the desired action, i would like to have the firwall running and permit http and https traffic as well as ssh2 traffic to pass thru firewall

here is what i currently have

# Generated by iptables-save v1.4.12.2 on Fri Jan 25 19:07:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79:8916]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 25 19:07:36 2013

if i do a "iptables -L" i get the below, i restarted and stoped the service several times with no luck
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
AlexPonnath
Asked:
AlexPonnath
  • 3
  • 2
1 Solution
 
farzanjCommented:
So what seems to be the problem?

Let me guess.  Looks like it allows everything.
The reason is
ACCEPT     all  --  anywhere             anywhere

which is the third rule.  It allows everything.

You have to modify /etc/sysconfig/iptables file and restart your
service iptables restart

When you issue commands, you need to do first
service iptables save
service iptables restart
0
 
AlexPonnathAuthor Commented:
reread my post, i said it does not allow http or https traffic if iptables is running so your comment does not address the issue
0
 
farzanjCommented:
I reread and it doesn't say it didn't let those protocols pass through.  You said you like to allow them, but  I am encouraged by your clarification though after a week of anticipation.

Regarding the issue, your firewall rules are little out of sequence.  It should be all allows before deny rules.  For STATEs, it should be NEW,ESTABLISHED,RELATED all together.

When you say all protocols from anywhere to anywhere, it should allow it.  My guess is that it is NOT a firewall issue.

I would check the logs for any message when connections get blocked.  To make troubleshooting easy, you should first save your rules as backup, then flush firewall and also stop the service.  If it still doesn't let your traffic flow, you would know it is not a firewall issue.  It could be something else, perhaps TCP wrappers or anything else.

Save rules.

cp /etc/sysconfig/iptables /location/iptables.bak
iptables -F
service iptables stop
0
 
AlexPonnathAuthor Commented:
i solved the issue but again your comment did not help. And if you read correctly, i said vlearly that with iptables disabled it works and with enabled it doesnt. So uit had to do with the rules. No need to further comment here since i solved the issue.
0
 
AlexPonnathAuthor Commented:
other person did not provide any relevant information to the issue which helped to resolve the problem.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now