Manu-BE (Tux's lil' helper)
Joined: 11 Jun 2003; Posts: 75; Location: World, North Hemisphere, Europe, Benelux, Belgium, Wallonie, Hainaut, Borinage, Mons [Target Located]
Posted: Mon Oct 13, 2003 3:01 pm; Post subject: [Filtering] iptables & apache [Solved]
This is my net config:
Code:
    INET--------GentooBoxGateway+NAT[iptables+apache+sshd]------------LAN
This is my iptables config:
Code:
    iptables -F
    iptables -t nat -F
    iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE -s 192.168.0.0/24
    #Default policy
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    #EO Default Policy
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8322 -j ACCEPT #SSHD
    iptables -A INPUT -p icmp -j ACCEPT # Accept pings
    iptables -A INPUT -i lo -j ACCEPT # No lo filtering
    iptables -A INPUT -j REJECT
    #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    #echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
I can connect from my gentoo box with ssh -p8322 user@dyndns.org, so it's a loop to the same box via dyndns, and I can do the same thing from a box connected in the LAN...
But I cannot contact my apache web server from local / LAN / Inet... "Web site found"... and nothing. It works when I /etc/init.d/iptables stop.
I know it's an iptables misconfiguration, but I don't know where, as I learnt iptables syntax this afternoon. I searched the forum but didn't find anything except forwarding port 80 into the LAN, which is not my case.
And last question: do you think I'm correctly protected? I ran a port scanner (scan.sygate.com) and everything is "blocked" except port 80.
TIA
_________________
There are 10 types of people in the world: Those who understand binary, and those who don't...
Linux user #321297.
Last edited by Manu-BE on Mon Oct 13, 2003 9:36 pm; edited 1 time in total
Senso (Apprentice)
Joined: 17 Jun 2003; Posts: 250; Location: Montreal, Quebec
Posted: Mon Oct 13, 2003 5:16 pm; Post subject: Re: [Filtering] iptables & apache [Not Solved]
Manu-BE wrote:
    This is my net config:
    Code:
        #EO Default Policy
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT
        iptables -A INPUT -p tcp --dport 8322 -j ACCEPT #SSHD
        iptables -A INPUT -p icmp -j ACCEPT # Accept pings
        iptables -A INPUT -i lo -j ACCEPT # No lo filtering
        iptables -A INPUT -j REJECT
I can't test right now what I'm saying, but I think the problem is:
Code:
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I would change
Code:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
to
Code:
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
You're able to connect via SSH, so I don't know if it's the problem, but maybe it's because you're not accepting NEW connections to port 80.
Else, try logging everything dropped, at the end:
Code:
    iptables -A INPUT -j LOG
    iptables -A INPUT -j REJECT
And also check your apache access_log file.
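Added example (editor's addition, not part of Senso's or Manu-BE's posts): a POSIX shell script that writes the INPUT chain in the stateful shape the reply above suggests (RELATED,ESTABLISHED accepted first, then NEW-only rules for port 80 and the thread's SSH port 8322, then LOG followed by REJECT as Senso proposes), plus a small parser for the kernel LOG lines that such a LOG rule produces, so you can see which ports are being rejected and whether port-80 SYNs are among them. ppp0, 192.168.0.0/24 and port 8322 come from the first post; the log prefix, the sample log lines and the addresses in them are constructed for the example. IPT defaults to echo, so the script is a dry run that needs no root; set IPT=iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example: stateful INPUT chain in the shape suggested in the thread,
# plus a summary of what the LOG rule rejects.  Not the thread's own script.
# IPT defaults to a dry run (echo); run with IPT=iptables as root to apply.

IPT=${IPT:-"echo iptables"}
LAN=192.168.0.0/24            # from the first post
WAN_IF=ppp0                   # from the first post
SSH_PORT=8322                 # from the first post
LOG_PREFIX="INPUT-REJECT: "   # constructed name for this example

# Emit (or apply) the ruleset.  Order matters: loopback and the conntrack
# shortcut come first, so replies never reach the per-service rules; each
# per-service rule accepts only NEW connections; INVALID packets are dropped
# silently; everything else is rate-limited into the kernel log, then rejected.
apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX"
    $IPT -A INPUT -j REJECT
}

# Summarise kernel LOG lines (as seen in dmesg or syslog) by protocol and
# destination port, most frequent first; "SYN" marks connection attempts.
summarize_drops() {
    grep -F "$LOG_PREFIX" | awk '
        {
            proto = "?"; dpt = "-"; flags = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") flags = "SYN"
            }
            key = proto "/" dpt (flags != "" ? " " flags : "")
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log: two HTTP SYNs, a telnet probe, a NetBIOS datagram,
# and one unrelated line.  Addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Oct 13 21:40:01 gw kernel: INPUT-REJECT: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 13 21:40:02 gw kernel: INPUT-REJECT: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 13 21:40:05 gw kernel: INPUT-REJECT: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 13 21:40:07 gw kernel: INPUT-REJECT: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=32 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=5000 DPT=137 LEN=12
Oct 13 21:40:09 gw kernel: unrelated line'

# Stand-alone run: print the ruleset (dry run) and the summary of the sample.
apply_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

If the summary shows "TCP/80 SYN" entries while the web server is unreachable, the firewall is what is rejecting the connection attempts; if port 80 never appears there, look at Apache's own listen configuration and access_log instead, as Senso also suggests.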
Manu-BE (Tux's lil' helper)
Joined: 11 Jun 2003; Posts: 75; Location: World, North Hemisphere, Europe, Benelux, Belgium, Wallonie, Hainaut, Borinage, Mons [Target Located]
Posted: Mon Oct 13, 2003 9:39 pm
Thanks a lot, it did the trick!
But can someone tell me why I need
Code:
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
for HTTP and
Code:
    iptables -A INPUT -p tcp --dport 8322 -j ACCEPT
for ssh?
Is it because HTTP < 1024 and my sshd is > 1024?
_________________
There are 10 types of people in the world: Those who understand binary, and those who don't...
Linux user #321297.
Senso (Apprentice)
Joined: 17 Jun 2003; Posts: 250; Location: Montreal, Quebec
Posted: Tue Oct 14, 2003 2:45 am
Manu-BE wrote:
    Thanks a lot, it did the trick!
    But can someone tell me why I need
    Code:
        iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    for HTTP and
    Code:
        iptables -A INPUT -p tcp --dport 8322 -j ACCEPT
    for ssh?
    Is it because HTTP < 1024 and my sshd is > 1024?
Aha! I didn't think about it, but it's probably the reason why. I know ports > 1024 don't need root or anything special, but maybe it's a per-product feature. It's possible that sshd doesn't need the official TCP three-way handshake, I don't know.
The iptables man page states that "(...) NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions (...)".