Solved

Linux Firewall

Posted on 2013-12-10
10
287 Views
Last Modified: 2013-12-15
I added two rules to allow httpd access. I am still not able to see the site from another system. Please let me know whats wrong here.

[root@~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state NEW,ESTABLISHED
0
Comment
Question by:ittechlab
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 20

Expert Comment

by:edster9999
ID: 39710247
Thats not how you do iptables at all.
Drop the two new rules you just put in.  They are not helping - in fact they are blocking things.

You need to read the instructions.  There are thousands of pages already explaining how to build up your rules :
https://www.google.com/search?q=iptables+howto
0
 
LVL 20

Expert Comment

by:edster9999
ID: 39710251
...or...
maybe even easier - use something like this :
https://www.google.com/search?q=iptables+generator
0
 

Author Comment

by:ittechlab
ID: 39710270
I am new to this firewall rules. Please explain whats wrong with my rules and explain in simple terms how do I allow httpd so the users can access the site from my system.
0
 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
ID: 39710321
Those rules look fine (although you don't need the outbound one)

Are you sure your webserver is running locally?

netstat -na | grep :80 | grep LISTEN

Should look something like this:

[root@foo xterm]# netstat -na | grep :80
tcp        0      0 :::80                       :::*                        LISTEN

Open in new window


If you're trying to reach the site on https, you will need to open up port 443/tcp as well.
0
 
LVL 19

Expert Comment

by:xterm
ID: 39710324
BTW, you can verify 100% if it's a firewall issue by simply turning it off for a minute, and then seeing if you can access the site from a remote host.  If you still cannot, then it's got nothing to do with the firewall:

iptables -F

Remember to turn it back on afterwards.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
ID: 39710326
I'm sorry, I do see an error - it's with the order of your firewall.  You need to reverse these two lines in your INPUT policy:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Open in new window


The ACCEPT line must appear before the "reject everything" line.
0
 
LVL 23

Accepted Solution

by:
savone earned 160 total points
ID: 39710334
The problem you are having is your http rule is BELOW your reject rule.  Iptables is read in order.  When your traffic gets to your reject ALL rule it is rejected and never read the http rule.

try this, it should work:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This inserts the rule at the TOP of the chain, instead of -A which appends it to the bottom of the chain like you did.
0
 

Author Comment

by:ittechlab
ID: 39710344
How do i move this rule? I want to move the swap this rule.


REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
0
 
LVL 19

Expert Comment

by:xterm
ID: 39710360
You can do as savone says to temporarily allow it, but it will revert back after you reboot.

If this is a RedHat/CentOS system, then insert the new rule into /etc/sysconfig/iptables _above_ the REJECT line and then do /etc/init.d/iptables restart

If your Linux is something other than that, then let us know which distribution/version you are running.
0
 
LVL 23

Assisted Solution

by:savone
savone earned 160 total points
ID: 39710420
Going by the output you posted originally these command would fix your issue.

iptables -D INPUT 6
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

If you are using redhat or CentOS issue the following command to save the new rules.

service iptables save
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to demonstrate how we can use conditional statements using Python.
Fine Tune your automatic Updates for Ubuntu / Debian
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now