marcion Apprentice
Joined: 14 Mar 2005 Posts: 158 Location: England
Posted: Mon Dec 12, 2005 12:06 am Post subject: [solved] How can I open port 80? Newbie Iptables problem...
I have a little network:
A. Server/Router with Hardened Gentoo (SELinux etc.), no X server, on 24/7
B. Desktop (turned off when not in use)
- A has the cable modem plugged in; this gives internet access to B - this bit works fine.
- I have installed Apache on A and need to open port 80, which is being blocked by iptables (when I stop iptables, the website works).
iptables on the router was set up according to:
http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap5_sect3
I have been googling for two hours for a rule to cut and paste, but none of them worked (perhaps because I am not synthesizing the examples enough with the above router guide). What is the command I need to allow people outside to access Apache?
Last edited by marcion on Mon Dec 12, 2005 1:46 pm; edited 1 time in total
aaronamd n00b
Joined: 13 Oct 2005 Posts: 59
Posted: Mon Dec 12, 2005 12:23 am Post subject:
iptables -A INPUT -p TCP --dport 80 -i [interface] -j ACCEPT
Put the external interface (the one that is connected to the net) where the word interface is, remove the brackets around it, and you should be set to serve!
And don't forget to save the table state so it'll come back up when you reboot. To do that, run:
/etc/init.d/iptables save
Good luck
marcion Apprentice
Joined: 14 Mar 2005 Posts: 158 Location: England
Posted: Mon Dec 12, 2005 6:33 am Post subject:
aaronamd wrote:
iptables -A INPUT -p TCP --dport 80 -i [interface] -j ACCEPT
Does not seem to work - is this conflicting with one of the other iptables rules?
Quote:
First we flush our current rules
# iptables -F
# iptables -t nat -F
Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP
Copy and paste these examples ...
# export LAN=eth1
# export WAN=eth0
Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
MrUlterior Guru
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Mon Dec 12, 2005 10:24 am Post subject:
Your port 80 rule must appear before:
Code:
# iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
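Why the order matters, shown as an added example rather than anything from the thread or the Gentoo guide: an iptables chain is evaluated top to bottom and the first matching rule decides, so an ACCEPT appended with -A after the 0:1023 DROP is never reached by a port-80 packet from the WAN, while the same rule inserted with -I at the DROP's position works. The script below models only the primitives the quoted rules use (-i with the old "-i ! iface" negation, -p, --dport ranges, chain policy), builds the guide's INPUT chain in the quoted order with the guide's eth0/eth1 assignment, and compares the two placements. The Packet/Rule/Chain classes and the sample packets are constructed for this illustration and are not netfilter code.

```python
"""First-match evaluation of the INPUT chain from the quoted router guide.

Added illustration, not code from the thread or the guide: it models only
the matching primitives the quoted rules use (-i with optional negation,
-p, --dport lo:hi) and the chain policy, nothing else in netfilter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN, WAN = "eth1", "eth0"   # as exported in the quoted guide


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP or REJECT
    iface: Optional[str] = None               # -i <iface>
    iface_negated: bool = False               # -i ! <iface>
    proto: Optional[str] = None               # -p tcp / udp
    dports: Optional[Tuple[int, int]] = None  # --dport lo:hi (single port: lo == hi)

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None:
            hit = pkt.iface == self.iface
            if hit == self.iface_negated:     # negation flips the sense of -i
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


class Chain:
    """An iptables chain: ordered rules, first match wins, else the policy."""

    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:                    # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:  # iptables -I [n], 1-based
        self.rules.insert(position - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def guide_input_chain() -> Chain:
    """Build INPUT exactly in the order the quoted guide issues the commands."""
    chain = Chain(policy="ACCEPT")                                   # iptables -P INPUT ACCEPT
    chain.insert(Rule("ACCEPT", iface=LAN), 1)                       # -I INPUT 1 -i ${LAN}
    chain.insert(Rule("ACCEPT", iface="lo"), 1)                      # -I INPUT 1 -i lo
    chain.append(Rule("REJECT", iface=LAN, iface_negated=True, proto="udp", dports=(67, 67)))  # bootps
    chain.append(Rule("REJECT", iface=LAN, iface_negated=True, proto="udp", dports=(53, 53)))  # domain
    chain.append(Rule("ACCEPT", iface=WAN, proto="tcp", dports=(22, 22)))                     # ssh
    chain.append(Rule("DROP", iface=LAN, iface_negated=True, proto="tcp", dports=(0, 1023)))
    chain.append(Rule("DROP", iface=LAN, iface_negated=True, proto="udp", dports=(0, 1023)))
    return chain


HTTP_RULE = Rule("ACCEPT", iface=WAN, proto="tcp", dports=(80, 80))
WAN_HTTP = Packet(WAN, "tcp", 80)   # constructed sample: HTTP request arriving from the internet


def verdict_with_append() -> str:
    """The -A form: ACCEPT lands after the 0:1023 DROP and is never reached."""
    chain = guide_input_chain()
    chain.append(HTTP_RULE)
    return chain.verdict(WAN_HTTP)


def verdict_with_insert_before_drop() -> str:
    """Insert at the first DROP's position (iptables -I INPUT <n>) so it is hit first."""
    chain = guide_input_chain()
    first_drop = next(i for i, r in enumerate(chain.rules, start=1) if r.target == "DROP")
    chain.insert(HTTP_RULE, first_drop)
    return chain.verdict(WAN_HTTP)


if __name__ == "__main__":
    print("port 80 from WAN, rule appended:", verdict_with_append())
    print("port 80 from WAN, rule inserted before DROP:", verdict_with_insert_before_drop())
    print("port 25 from WAN, either way:", guide_input_chain().verdict(Packet(WAN, "tcp", 25)))
```

On the real box the equivalent of the second function is to list the chain with `iptables -L INPUT --line-numbers`, note the number of the first 0:1023 DROP rule, and run `iptables -I INPUT <that number> -p TCP --dport 80 -i eth0 -j ACCEPT` before saving with `/etc/init.d/iptables save`; the simulation just makes visible that -A and -I differ in outcome, not only in syntax.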
marcion Apprentice
Joined: 14 Mar 2005 Posts: 158 Location: England
Posted: Mon Dec 12, 2005 1:46 pm Post subject:
Thanks everyone - it works now!