Solved

Linux Firewall

Posted on 2013-12-10
10
291 Views
Last Modified: 2013-12-15
I added two rules to allow httpd access. I am still not able to see the site from another system. Please let me know what's wrong here.

[root@~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http state NEW,ESTABLISHED
Question by:ittechlab
10 Comments
 
LVL 20

Expert Comment

by:edster9999
ID: 39710247
That's not how you do iptables at all.
Drop the two new rules you just put in.  They are not helping - in fact they are blocking things.

You need to read the instructions.  There are thousands of pages already explaining how to build up your rules :
https://www.google.com/search?q=iptables+howto
 
LVL 20

Expert Comment

by:edster9999
ID: 39710251
...or...
maybe even easier - use something like this :
https://www.google.com/search?q=iptables+generator
 

Author Comment

by:ittechlab
ID: 39710270
I am new to these firewall rules. Please explain what's wrong with my rules and explain in simple terms how I allow httpd so the users can access the site from my system.
 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
ID: 39710321
Those rules look fine (although you don't need the outbound one).

Are you sure your webserver is running locally?

netstat -na | grep :80 | grep LISTEN

Should look something like this:

[root@foo xterm]# netstat -na | grep :80
tcp        0      0 :::80                       :::*                        LISTEN

If you're trying to reach the site on https, you will need to open up port 443/tcp as well.
 
LVL 19

Expert Comment

by:xterm
ID: 39710324
BTW, you can verify 100% if it's a firewall issue by simply turning it off for a minute, and then seeing if you can access the site from a remote host.  If you still cannot, then it's got nothing to do with the firewall:

iptables -F

Remember to turn it back on afterwards.
 
LVL 19

Assisted Solution

by:xterm
xterm earned 160 total points
ID: 39710326
I'm sorry, I do see an error - it's with the order of your firewall.  You need to reverse these two lines in your INPUT policy:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED

The ACCEPT line must appear before the "reject everything" line.
 
LVL 23

Accepted Solution

by:savone
savone earned 160 total points
ID: 39710334
The problem you are having is your http rule is BELOW your reject rule.  Iptables is read in order.  When your traffic gets to your reject ALL rule it is rejected and never reads the http rule.

Try this, it should work:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

This inserts the rule at the TOP of the chain, instead of -A which appends it to the bottom of the chain like you did.
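The first-match behaviour savone describes, as an added example (not code posted in the thread): a small model of an iptables chain that walks the INPUT rules from the question in the order `iptables -L` printed them, shows the http SYN hitting the REJECT rule, then applies the equivalent of `iptables -D INPUT 6` followed by `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` and walks again. It also lists rules that can never fire because an earlier terminating rule already covers them, which is the check that would have caught this. `iptables -L` hides interface matches, so the bare "ACCEPT all" third rule is assumed here to be the usual loopback rule (`-i lo`); the packets are constructed.

```python
"""First-match walk of an iptables INPUT chain.

Added example (not code posted in the thread). It models only what the
question needs: rule order, -A versus -I, and the conntrack state match.
The chain is transcribed from the `iptables -L` output in the question;
`iptables -L` hides interface matches, so the bare "ACCEPT all" third rule
is ASSUMED to be the usual loopback rule (-i lo). The packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                    # "all", "tcp", "icmp", ...
    dport: Optional[int] = None           # None = any destination port
    states: Optional[frozenset] = None    # None = no -m state match
    in_iface: Optional[str] = None        # None = any input interface

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "all" or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.states is None or pkt["state"] in self.states)
                and (self.in_iface is None or pkt["in"] == self.in_iface))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self."""
        return ((self.proto == "all" or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport)
                and (self.in_iface is None or self.in_iface == other.in_iface)
                and (self.states is None
                     or (other.states is not None and other.states <= self.states)))


def walk(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Netfilter semantics: the first matching terminating rule decides.
    Returns (verdict, 1-based rule number as shown by -L --line-numbers)."""
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, num
    return policy, None


def append(chain: List[Rule], rule: Rule) -> List[Rule]:       # iptables -A: bottom
    return chain + [rule]


def insert(chain: List[Rule], rule: Rule, num: int = 1) -> List[Rule]:  # iptables -I [num]: top by default
    return chain[:num - 1] + [rule] + chain[num - 1:]


def delete(chain: List[Rule], num: int) -> List[Rule]:          # iptables -D CHAIN <num>
    return chain[:num - 1] + chain[num:]


def shadowed(chain: List[Rule]) -> List[int]:
    """Rule numbers that can never fire because an earlier terminating rule
    already matches everything they would match."""
    return [j for j, later in enumerate(chain, start=1)
            if any(earlier.target in TERMINATING and earlier.covers(later)
                   for earlier in chain[:j - 1])]


# INPUT chain from the question, in the order iptables -L printed it.
POSTED_INPUT = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_iface="lo"),                        # assumed: -i lo (hidden by -L)
    Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("REJECT"),                                       # reject-with icmp-host-prohibited
    Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW", "ESTABLISHED"})),
]

# Constructed packets: a browser's first SYN and an ssh login, both arriving on eth0.
HTTP_SYN = {"proto": "tcp", "dport": 80, "state": "NEW", "in": "eth0"}
SSH_SYN = {"proto": "tcp", "dport": 22, "state": "NEW", "in": "eth0"}


def fixed_chain(chain: List[Rule] = POSTED_INPUT) -> List[Rule]:
    """savone's fix: `iptables -D INPUT 6`, then
    `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` (inserted at the top)."""
    return insert(delete(chain, 6), Rule("ACCEPT", proto="tcp", dport=80))


if __name__ == "__main__":
    print("posted order :", walk(POSTED_INPUT, HTTP_SYN), "shadowed:", shadowed(POSTED_INPUT))
    print("after the fix:", walk(fixed_chain(), HTTP_SYN), "shadowed:", shadowed(fixed_chain()))
```

With the posted order the http SYN is decided by rule 5 (REJECT) and rule 6 is reported as shadowed; after the delete-and-insert it is accepted by rule 1 and nothing is shadowed. The ssh rule keeps working in both orders, which is the property to confirm before touching a remote box's INPUT chain.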
 

Author Comment

by:ittechlab
ID: 39710344
How do I move this rule? I want to swap these two rules.


REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,ESTABLISHED
 
LVL 19

Expert Comment

by:xterm
ID: 39710360
You can do as savone says to temporarily allow it, but it will revert back after you reboot.

If this is a RedHat/CentOS system, then insert the new rule into /etc/sysconfig/iptables _above_ the REJECT line and then do /etc/init.d/iptables restart

If your Linux is something other than that, then let us know which distribution/version you are running.
 
LVL 23

Assisted Solution

by:savone
savone earned 160 total points
ID: 39710420
Going by the output you posted originally, these commands would fix your issue.

iptables -D INPUT 6
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

If you are using redhat or CentOS, issue the following command to save the new rules.

service iptables save
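The persistence step that xterm (insert the rule into /etc/sysconfig/iptables above the REJECT line) and savone (`service iptables save`) describe, as an added example that is not code from the thread: a function that reads an iptables-save file, finds rules that sit below a chain's catch-all REJECT/DROP, and moves them directly above it so the saved ruleset no longer carries the ordering bug. The file content is a constructed iptables-save rendering of the chain in the question, not the poster's actual file.

```python
"""Hoist rules that sit below a chain's catch-all REJECT/DROP above it in an
iptables-save file such as /etc/sysconfig/iptables.

Added example (not code posted in the thread). SAMPLE is a constructed
iptables-save rendering of the chain in the question, not the poster's file.
"""
import re
from typing import List, Tuple

# Constructed sample in iptables-save format.
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 80 -j ACCEPT
COMMIT
"""

# "-A <chain> -j REJECT ..." / "-A <chain> -j DROP": a terminating rule with no
# match options at all, so it matches every packet that reaches it.
CATCHALL = re.compile(r"^-A (\S+) -j (REJECT|DROP)(\s|$)")


def is_catchall(line: str, chain: str) -> bool:
    m = CATCHALL.match(line)
    return bool(m) and m.group(1) == chain


def rules_after_catchall(lines: List[str], chain: str) -> List[int]:
    """Indexes into `lines` of -A <chain> rules that follow the chain's first
    catch-all terminating rule; traffic can never reach them."""
    seen_catchall = False
    dead = []
    for i, line in enumerate(lines):
        if not line.startswith(f"-A {chain} "):
            continue
        if seen_catchall:
            dead.append(i)
        elif is_catchall(line, chain):
            seen_catchall = True
    return dead


def hoist_above_catchall(text: str, chain: str = "INPUT") -> Tuple[str, List[str]]:
    """Return (rewritten text, moved rules). Moved rules keep their relative
    order and land directly above the catch-all, which is what 'insert it
    above the REJECT line' amounts to. Unchanged input is returned as-is."""
    lines = text.splitlines()
    dead = rules_after_catchall(lines, chain)
    if not dead:
        return text, []
    dead_set = set(dead)
    moved = [lines[i] for i in dead]
    kept = [l for i, l in enumerate(lines) if i not in dead_set]
    pos = next(i for i, l in enumerate(kept) if is_catchall(l, chain))
    fixed = kept[:pos] + moved + kept[pos:]
    return "\n".join(fixed) + "\n", moved


if __name__ == "__main__":
    new_text, moved = hoist_above_catchall(SAMPLE)
    for rule in moved:
        print("moved above catch-all:", rule)
    print(new_text)
```

Run it against a copy of the saved rules file, review the diff, write it back, and reload with `/etc/init.d/iptables restart` as xterm describes. One caveat worth knowing: `service iptables save` writes the currently loaded rules into /etc/sysconfig/iptables, so if you edit the file by hand and then run `save` before restarting, the edit is overwritten by the old running ruleset. Either fix the running chain and then save, or edit the file and then restart, not a mix of the two.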