• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 308
  • Last Modified:

Linux Firewall

I added two rules to allow httpd access. I am still not able to see the site from another system. Please let me know whats wrong here.

[root@~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state NEW,ESTABLISHED
0
ittechlab
Asked:
ittechlab
  • 4
  • 2
  • 2
  • +1
4 Solutions
 
edster9999Commented:
Thats not how you do iptables at all.
Drop the two new rules you just put in.  They are not helping - in fact they are blocking things.

You need to read the instructions.  There are thousands of pages already explaining how to build up your rules :
https://www.google.com/search?q=iptables+howto
0
 
edster9999Commented:
...or...
maybe even easier - use something like this :
https://www.google.com/search?q=iptables+generator
0
 
ittechlabLinux SupportAuthor Commented:
I am new to this firewall rules. Please explain whats wrong with my rules and explain in simple terms how do I allow httpd so the users can access the site from my system.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
xtermCommented:
Those rules look fine (although you don't need the outbound one)

Are you sure your webserver is running locally?

netstat -na | grep :80 | grep LISTEN

Should look something like this:

[root@foo xterm]# netstat -na | grep :80
tcp        0      0 :::80                       :::*                        LISTEN

Open in new window


If you're trying to reach the site on https, you will need to open up port 443/tcp as well.
0
 
xtermCommented:
BTW, you can verify 100% if it's a firewall issue by simply turning it off for a minute, and then seeing if you can access the site from a remote host.  If you still cannot, then it's got nothing to do with the firewall:

iptables -F

Remember to turn it back on afterwards.
0
 
xtermCommented:
I'm sorry, I do see an error - it's with the order of your firewall.  You need to reverse these two lines in your INPUT policy:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Open in new window


The ACCEPT line must appear before the "reject everything" line.
0
 
savoneCommented:
The problem you are having is your http rule is BELOW your reject rule.  Iptables is read in order.  When your traffic gets to your reject ALL rule it is rejected and never read the http rule.

try this, it should work:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This inserts the rule at the TOP of the chain, instead of -A which appends it to the bottom of the chain like you did.
0
 
ittechlabLinux SupportAuthor Commented:
How do i move this rule? I want to move the swap this rule.


REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
0
 
xtermCommented:
You can do as savone says to temporarily allow it, but it will revert back after you reboot.

If this is a RedHat/CentOS system, then insert the new rule into /etc/sysconfig/iptables _above_ the REJECT line and then do /etc/init.d/iptables restart

If your Linux is something other than that, then let us know which distribution/version you are running.
0
 
savoneCommented:
Going by the output you posted originally these command would fix your issue.

iptables -D INPUT 6
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

If you are using redhat or CentOS issue the following command to save the new rules.

service iptables save
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now