Solved

Linux firewall configuration

Posted on 2013-01-25
Medium Priority
419 Views
Last Modified: 2013-02-08
I am running into some issues with the Fedora firewall. I installed httpd and I can access the server just fine if I disable iptables via "service iptables stop". But that's not the desired action; I would like to have the firewall running and permit HTTP and HTTPS traffic, as well as SSH2 traffic, to pass through the firewall.

Here is what I currently have:

# Generated by iptables-save v1.4.12.2 on Fri Jan 25 19:07:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [79:8916]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 25 19:07:36 2013

If I do an "iptables -L" I get the below. I restarted and stopped the service several times with no luck:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Question by: AlexPonnath

5 Comments

Expert Comment by: farzanj (LVL 31), ID: 38820065
So what seems to be the problem?

Let me guess.  Looks like it allows everything.
The reason is
ACCEPT     all  --  anywhere             anywhere

which is the third rule.  It allows everything.

You have to modify the /etc/sysconfig/iptables file and restart your service:

service iptables restart

When you issue commands, you need to run these first:

service iptables save
service iptables restart
Author Comment by: AlexPonnath, ID: 38844945
Reread my post. I said it does not allow HTTP or HTTPS traffic if iptables is running, so your comment does not address the issue.
Expert Comment by: farzanj (LVL 31), ID: 38845034
I reread it and it doesn't say it didn't let those protocols pass through. You said you would like to allow them, but I am encouraged by your clarification, though, after a week of anticipation.

Regarding the issue, your firewall rules are a little out of sequence. All allows should come before the deny rules. For the states, it should be NEW,ESTABLISHED,RELATED all together.

When you say all protocols from anywhere to anywhere, it should allow it.  My guess is that it is NOT a firewall issue.

I would check the logs for any message when connections get blocked. To make troubleshooting easy, you should first save your rules as a backup, then flush the firewall and also stop the service. If it still doesn't let your traffic flow, you would know it is not a firewall issue. It could be something else, perhaps TCP wrappers or anything else.

Save the rules:

cp /etc/sysconfig/iptables /location/iptables.bak
iptables -F
service iptables stop
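Editor's added example, not part of the original thread: the "iptables -L" listing in the question has the http and https ACCEPT rules below the catch-all REJECT, while the saved file has them above it, so the running ruleset is not the saved one and packets to ports 80/443 hit the REJECT before any rule that could accept them. (The third "ACCEPT all anywhere anywhere" line in that listing is the "-i lo" rule; "iptables -L" omits the interface column unless you add "-v".) The POSIX sh/awk checker below, written for this page, takes an iptables-save style ruleset, reports rules shadowed by an unconditional ACCEPT/DROP/REJECT earlier in the same chain, and re-emits the ruleset with those catch-alls moved to the end of their chain. RUNNING_RULES is constructed here from the "iptables -L" output in the question, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original thread): find iptables rules that can never
# match because an unconditional terminating rule precedes them in the same chain,
# and produce a reordered ruleset. Input/output is iptables-save format.

# Constructed sample: the running ruleset implied by the "iptables -L" output in the
# question (http/https ACCEPTs appended after the catch-all REJECT).
RUNNING_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every "-A" rule that sits below an unconditional ACCEPT/DROP/REJECT in its
# chain. A rule of the form "-A CHAIN -j TARGET ..." has no match options, so it
# matches every packet and ends evaluation of that chain.
unreachable_rules() {
  awk '
    /^-A / {
      chain = $2
      if (chain in dead) { print; next }
      if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
        dead[chain] = 1
    }
  '
}

# Re-emit the ruleset with each chain'\''s unconditional terminating rule(s) moved
# after the last rule of that chain, keeping everything else in its original order.
reorder_rules() {
  awk '
    { line[NR] = $0 }
    /^-A / {
      chain = $2; lc[NR] = chain; last[chain] = NR
      if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) {
        stash[NR] = 1
        tail[chain] = (chain in tail) ? tail[chain] "\n" $0 : $0
      }
    }
    END {
      for (i = 1; i <= NR; i++) {
        if (!(i in stash)) print line[i]
        if ((i in lc) && last[lc[i]] == i && (lc[i] in tail)) print tail[lc[i]]
      }
    }
  '
}

# Run as a script: show the shadowed rules, then the reordered ruleset.
printf '%s\n' "$RUNNING_RULES" | unreachable_rules
printf '%s\n' "$RUNNING_RULES" | reorder_rules
```

Feed it the live ruleset with "iptables-save | sh -c '. ./check.sh; unreachable_rules'" or simply diff "iptables-save" against /etc/sysconfig/iptables: "service iptables restart" loads that file, so any difference means the running rules were changed by hand afterwards. "iptables -L -n -v --line-numbers" is the view to use when checking order, since it shows interfaces and rule positions that plain "iptables -L" hides.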
 

Accepted Solution by: AlexPonnath (earned 0 total points), ID: 38849828
I solved the issue, but again your comment did not help. And if you read correctly, I said clearly that with iptables disabled it works and with it enabled it doesn't. So it had to do with the rules. No need to comment further here since I solved the issue.
Author Closing Comment by: AlexPonnath, ID: 38867432
The other person did not provide any relevant information on the issue that helped to resolve the problem.