
Linux Firewall

I added two rules to allow httpd access. I am still not able to see the site from another system. Please let me know what's wrong here.

[root@~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state NEW,ESTABLISHED
4 Solutions
 
edster9999 commented:
That's not how you do iptables at all.
Drop the two new rules you just put in. They are not helping - in fact they are blocking things.

You need to read the instructions.  There are thousands of pages already explaining how to build up your rules :
https://www.google.com/search?q=iptables+howto
 
edster9999 commented:
...or...
maybe even easier - use something like this :
https://www.google.com/search?q=iptables+generator
 
ittechlab (Linux Support, Author) commented:
I am new to these firewall rules. Please explain what's wrong with my rules, and explain in simple terms how I allow httpd so the users can access the site from my system.
 
xterm commented:
Those rules look fine (although you don't need the outbound one)

Are you sure your webserver is running locally?

netstat -na | grep :80 | grep LISTEN

Should look something like this:

[root@foo xterm]# netstat -na | grep :80
tcp        0      0 :::80                       :::*                        LISTEN



If you're trying to reach the site on https, you will need to open up port 443/tcp as well.
 
xterm commented:
BTW, you can verify 100% if it's a firewall issue by simply turning it off for a minute, and then seeing if you can access the site from a remote host.  If you still cannot, then it's got nothing to do with the firewall:

iptables -F

Remember to turn it back on afterwards.
 
xterm commented:
I'm sorry, I do see an error - it's with the order of your firewall. You need to reverse these two lines in your INPUT policy:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED



The ACCEPT line must appear before the "reject everything" line.
 
savone commented:
The problem you are having is that your http rule is BELOW your reject rule. Iptables is read in order. When your traffic gets to your reject ALL rule it is rejected, and the http rule is never read.

try this, it should work:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This inserts the rule at the TOP of the chain, instead of -A which appends it to the bottom of the chain like you did.
 
ittechlab (Linux Support, Author) commented:
How do I move this rule? I want to swap this rule.


REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
 
xterm commented:
You can do as savone says to temporarily allow it, but it will revert back after you reboot.

If this is a RedHat/CentOS system, then insert the new rule into /etc/sysconfig/iptables _above_ the REJECT line and then do /etc/init.d/iptables restart

If your Linux is something other than that, then let us know which distribution/version you are running.
 
savone commented:
Going by the output you posted originally, these commands would fix your issue.

iptables -D INPUT 6
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

If you are using Red Hat or CentOS, issue the following command to save the new rules.

service iptables save
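The ordering problem xterm and savone describe, and the delete-then-insert fix, generalise to any chain: once a rule with no match options (`-A INPUT -j REJECT`, `-j DROP`, or even a bare `-j ACCEPT`) is reached, every rule appended after it is dead. The script below is an added example written for this page, not code from the thread or from the iptables project. It reads `iptables -S INPUT` style output, reports the shadowed rules, and prints the `-D`/`-I` commands that move them above the catch-all, so it can be run by an unprivileged user against saved output before touching the live firewall. The embedded sample is constructed to mirror the questioner's chain; the third rule is assumed to be the stock CentOS `-i lo` rule, which plain `iptables -L` hides.

```shell
#!/bin/sh
# Added example, not from the thread: find INPUT rules that can never match
# because a catch-all terminating rule precedes them, and emit the iptables
# commands that move them above it. Input is `iptables -S INPUT` text.

# Constructed sample mirroring the questioner's INPUT chain (not captured
# from a real host). The "-i lo" rule is an assumption: `iptables -L`
# without -v prints it as "ACCEPT all -- anywhere anywhere".
SAMPLE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'

# Print the number of the first rule with no match options ("-A INPUT -j ...").
# iptables stops at the first matching terminating rule, so everything after
# such a rule is unreachable. Prints nothing if the chain has no such rule.
blocker_index() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j / && !done { print n; done = 1 }'
}

# Print "number<TAB>rule" for every rule that sits below the blocker.
shadowed_rules() {
    b=$(blocker_index "$1")
    [ -n "$b" ] || return 0
    printf '%s\n' "$1" | awk -v b="$b" '
        /^-A INPUT / { n++; if (n > b) printf "%d\t%s\n", n, $0 }'
}

# Emit the commands that fix the order: delete shadowed rules by number,
# highest first so the remaining numbers stay valid, then insert the same
# rule specs at the blocker's position, preserving their relative order.
fix_commands() {
    b=$(blocker_index "$1")
    [ -n "$b" ] || return 0
    tab=$(printf '\t')
    shadowed_rules "$1" | sort -rn | while IFS="$tab" read -r n rest; do
        printf 'iptables -D INPUT %s\n' "$n"
    done
    k=$b
    shadowed_rules "$1" | while IFS="$tab" read -r n rule; do
        spec=${rule#-A INPUT }
        printf 'iptables -I INPUT %s %s\n' "$k" "$spec"
        k=$((k + 1))
    done
}

# Demonstration on the constructed sample. Against a live host, run
#   fix_commands "$(iptables -S INPUT)"
# review the output, then execute it as root.
echo "Shadowed rules:"
shadowed_rules "$SAMPLE"
echo "Fix:"
fix_commands "$SAMPLE"
```

On the sample this prints `iptables -D INPUT 6` followed by `iptables -I INPUT 5 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT`, which lands the HTTP rule directly above the REJECT, the same outcome as savone's two commands. The in-kernel rule set is still volatile: on Red Hat/CentOS, finish with `service iptables save` so `/etc/sysconfig/iptables` is rewritten with the new order, and confirm with `iptables -S INPUT` that no rule follows the catch-all REJECT.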
