ittechlab
iptables - FW issue - website not working
Unable to access the website. Port 80 is still blocked.
[root@logserver log]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASKER
Sorry, my bad.
I had to flush, but this is what I get after reboot:
[root@logserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
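In the listing above the catch-all REJECT sits at position 5 of INPUT and the http/https ACCEPT rules come after it; iptables stops at the first matching rule, so those two rules are never consulted (and `-A` appends new rules below the REJECT as well, while `-I INPUT 5` would place them above it). The following checker is an added example, not code from the thread: it parses an `iptables -L` listing (the question's own INPUT and FORWARD chains, embedded as constructed input) and reports rules shadowed by an earlier unconditional DROP/REJECT. The names parse_listing, is_catch_all_terminal and find_shadowed are my own.

```python
import re
from collections import namedtuple
# Constructed input: the INPUT and FORWARD chains as listed in the question.
LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""

Rule = namedtuple("Rule", "pos target prot source dest extra")  # pos: 1-based, as --line-numbers shows

def parse_listing(text):
    """Parse `iptables -L` output into {chain: [Rule, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy \w+\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line and not line.startswith("target") and current:
            parts = line.split(None, 5)  # target prot opt source dest [match text]
            target, prot, _opt, src, dst = parts[:5]
            extra = parts[5] if len(parts) > 5 else ""
            chains[current].append(Rule(len(chains[current]) + 1, target, prot, src, dst, extra))
    return chains

def is_catch_all_terminal(r):
    """True for a DROP/REJECT with no match conditions: every packet that reaches it stops there."""
    # "reject-with ..." is a target option, not a match, so such a rule still matches everything.
    return (r.target in ("DROP", "REJECT") and r.prot == "all" and r.source == r.dest == "anywhere"
            and (r.extra == "" or r.extra.startswith("reject-with")))

def find_shadowed(chains):
    """Return {chain: (catch_all_pos, [rules after it that can never match])}."""
    report = {}
    for name, rules in chains.items():
        blocker = next((r for r in rules if is_catch_all_terminal(r)), None)
        dead = [f"{r.target} {r.prot} {r.extra}".strip() for r in rules[blocker.pos:]] if blocker else []
        if dead:  # -A appended these below the catch-all; -I <chain> <catch_all_pos> puts a rule above it
            report[name] = (blocker.pos, dead)
    return report
```

Running find_shadowed(parse_listing(LISTING)) reports INPUT rule 5 as the blocker with the http and https rules unreachable, and nothing for FORWARD, whose REJECT is last.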
Hi,
To allow incoming connections towards your host, make sure you're not behind NAT; if you are, then you will need to open that rule in your firewall.
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
OR
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Then do this: service iptables save
Also, I recommend you look into UFW; it is better than iptables, I mean it is the same iptables but more simplified.
One Question:
Is the webserver running on the SAME system as the iptables firewall,
or on another system behind this iptables firewall?
If on the SAME system, the INPUT rules are required.
If on a different one, the rules need to be put into the FORWARD table.
It may be helpful to add rules that log just before the rejects, so you also have info about the rejection, including a timestamp, in your logfiles
(and you can tell whether it concerned INPUT or FORWARD records).
WRT UFW: IMHO UFW simplifies management, for me to the point of being unusable, as it assumes a fairly simple firewall model. Part of the rules I use cannot be implemented using UFW or need awkward workarounds... Also, UFW requires systemd to actually be useful. Most of my systems don't run that.
Hemil is right about setting up stateful inspection.
Should allow all connections.
Provide your actual IP for scanning.
Also provide the output of running this on your machine...