Solved

Linux Firewall

Posted on 2013-12-10
10
286 Views
Last Modified: 2013-12-15
I added two rules to allow httpd access. I am still not able to see the site from another system. Please let me know what's wrong here.

[root@~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state NEW,ESTABLISHED
Question by:ittechlab
10 Comments
 
LVL 20

Expert Comment

by:edster9999
That's not how you do iptables at all.
Drop the two new rules you just put in.  They are not helping - in fact they are blocking things.

You need to read the instructions.  There are thousands of pages already explaining how to build up your rules :
https://www.google.com/search?q=iptables+howto
 
LVL 20

Expert Comment

by:edster9999
...or...
maybe even easier - use something like this :
https://www.google.com/search?q=iptables+generator
 

Author Comment

by:ittechlab
I am new to these firewall rules. Please explain what's wrong with my rules and explain in simple terms how I allow httpd so the users can access the site from my system.
 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
Those rules look fine (although you don't need the outbound one)

Are you sure your webserver is running locally?

netstat -na | grep :80 | grep LISTEN

Should look something like this:

[root@foo xterm]# netstat -na | grep :80
tcp        0      0 :::80                       :::*                        LISTEN



If you're trying to reach the site on https, you will need to open up port 443/tcp as well.
 
LVL 19

Expert Comment

by:xterm
BTW, you can verify 100% if it's a firewall issue by simply turning it off for a minute, and then seeing if you can access the site from a remote host.  If you still cannot, then it's got nothing to do with the firewall:

iptables -F

Remember to turn it back on afterwards.
 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
I'm sorry, I do see an error - it's with the order of your firewall.  You need to reverse these two lines in your INPUT policy:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED



The ACCEPT line must appear before the "reject everything" line.
 
LVL 23

Accepted Solution

by:savone
savone earned 160 total points
The problem you are having is your http rule is BELOW your reject rule.  Iptables is read in order.  When your traffic gets to your reject ALL rule it is rejected and never reads the http rule.

try this, it should work:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This inserts the rule at the TOP of the chain, instead of -A which appends it to the bottom of the chain like you did.
 

Author Comment

by:ittechlab
How do I move this rule? I want to swap this rule.


REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
 
LVL 19

Expert Comment

by:xterm
You can do as savone says to temporarily allow it, but it will revert back after you reboot.

If this is a RedHat/CentOS system, then insert the new rule into /etc/sysconfig/iptables _above_ the REJECT line and then do /etc/init.d/iptables restart

If your Linux is something other than that, then let us know which distribution/version you are running.
 
LVL 23

Assisted Solution

by:savone
savone earned 160 total points
Going by the output you posted originally, these commands would fix your issue.

iptables -D INPUT 6
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

If you are using Red Hat or CentOS, issue the following command to save the new rules.

service iptables save
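An added illustration, not part of the thread, of the first-match ordering that xterm and savone describe: a small Python model of the posted INPUT chain, evaluated for an inbound HTTP SYN before and after savone's `iptables -D INPUT 6` / `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` fix. It assumes the third rule is the stock loopback rule (`-i lo`), an interface match that `iptables -L` without `-v` does not display.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                     # ACCEPT or REJECT
    proto: str = "all"              # "all", "tcp", "icmp"
    dport: Optional[int] = None     # None = any destination port
    states: frozenset = frozenset() # empty = no conntrack state match
    in_iface: Optional[str] = None  # None = any interface

@dataclass
class Packet:
    proto: str
    dport: Optional[int]
    state: str                      # NEW, ESTABLISHED or RELATED
    in_iface: str = "eth0"

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match on the rule must hold, exactly like netfilter's AND of matches."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return rule.in_iface is None or rule.in_iface == pkt.in_iface

def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> Tuple[Optional[int], str]:
    """First-match semantics: the first matching rule decides; its 1-based index is returned."""
    for i, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return i, rule.target
    return None, policy             # no rule matched: the chain policy applies

def posted_input_chain():
    """The INPUT chain exactly as listed in the question, top to bottom."""
    return [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", in_iface="lo"),   # assumption: stock `-i lo` rule hidden by `iptables -L`
        Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
        Rule("REJECT"),                  # reject-with icmp-host-prohibited
        Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW", "ESTABLISHED"})),
    ]

def fix_with_insert(chain):
    """savone's fix: `-D INPUT 6` removes rule 6, `-I INPUT ...` inserts at position 1."""
    fixed = list(chain)
    del fixed[5]
    fixed.insert(0, Rule("ACCEPT", proto="tcp", dport=80))
    return fixed

HTTP_SYN = Packet("tcp", 80, "NEW")    # constructed: a new connection to the web server
```

On the real system, `iptables -L INPUT -v -n --line-numbers` shows both the interface the plain listing hides and the rule positions that `-D INPUT 6` refers to.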
