LinuxQuestions.org
Old 02-27-2013, 12:00 PM   #1
HoratioMx875
LQ Newbie
 
Registered: Feb 2013
Distribution: CentOS
Posts: 5

Rep: Reputation: Disabled
iptables: can't access web if i specify port 80


Hi everyone, a newbie here! I've installed Centos 6.3 on VirtualBox 4.2.6, now I'm trying to set up the packet filter.
I'm stuck at the first hurdle which is http access.

Code:
[root@localhost /]# vi testipt.saved
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# THIS DOESN'T WORK:
# -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
# THIS WORKS:
-A OUTPUT -o eth0 -p tcp -j ACCEPT

#DNS
-A OUTPUT -p udp --dport 53 -j ACCEPT
#INCOMING REPLIES
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

COMMIT
Code:
[root@localhost /]# iptables-restore < testipt.saved
I then tried to access a website in the browser to see whether or not I have internet access.
As you see in the code, by removing "--sport 80" I can get it to work. Why doesn't it work if I use the port number?

Also, when I do iptables-save > testipt.saved, I will notice that the ranges for :INPUT DROP [x:x] and OUTPUT DROP [x:x] change all the time instead of staying at [0:0]. Even when I didn't do anything, but certainly when I did do something (like access a website in the browser).

I'm grateful for any comments. Thanks for reading this post!

Last edited by HoratioMx875; 02-27-2013 at 04:40 PM. Reason: removed "-p tcp" from INPUT line (it didn't work with that)
 
Old 02-27-2013, 12:17 PM   #2
grim76
Member
 
Registered: Jun 2007
Distribution: Debian, SLES, Ubuntu
Posts: 308

Rep: Reputation: 50
I am no iptables expert but I think you are looking to specify the destination port not the source port.
 
1 members found this post helpful.
Old 02-27-2013, 04:38 PM   #3
HoratioMx875
LQ Newbie
 
Registered: Feb 2013
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
I tried --dport 80 but it didn't work either. Thanks for the quick reply though!
 
Old 02-27-2013, 06:13 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Destn port 80 should be right; possibly a different issue is involved.
Can you
Code:
cat /etc/sysconfig/iptables
& post the content.
Can you post the error msgs you get; try eg /var/log/messages
 
1 members found this post helpful.
Old 02-27-2013, 07:03 PM   #5
HoratioMx875
LQ Newbie
 
Registered: Feb 2013
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
Chris,

Here's the code you wanted to see. (note that I added a new line to allow DNS through tcp, but it didn't help.)
Code:
[root@localhost /]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 28 01:50:59 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT 
COMMIT
# Completed on Thu Feb 28 01:50:59 2013
As for the error messages, I don't know where to look.
I tried "cat /var/log/messages" but it hasn't updated since the last reboot. So no useful error msgs there.

Not sure if it's important but I noticed that the file "/etc/sysconfig/network-scripts/ifcfg-eth0" is missing. (But ifconfig shows eth0 is working.)

 
Old 02-27-2013, 07:07 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Try 'service network restart' and see if eth0 goes away. It should be defined in a file in that dir somewhere; maybe mis-named as eth1 ?
Also, you'll have to try getting out to the internet to generate an error msg.
Maybe try 'ls -lt' after doing a test to see which log file has been updated recently.
 
1 members found this post helpful.
Old 02-28-2013, 12:29 PM   #7
HoratioMx875
LQ Newbie
 
Registered: Feb 2013
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
Okay, a lot of confusing stuff is happening. I'm going to try to note this all down in an ordered fashion.

1. I tried 'service network restart'. eth0 still shows up in ifconfig. I don't see eth0 or eth1 anywhere in the directory.

Code:
[root@localhost network-scripts]# ls
ifcfg-lo     ifdown-ippp  ifdown-ppp     ifup          ifup-ippp  ifup-plusb   ifup-sit          net.hotplug
ifdown       ifdown-ipv6  ifdown-routes  ifup-aliases  ifup-ipv6  ifup-post    ifup-tunnel       network-functions
ifdown-bnep  ifdown-isdn  ifdown-sit     ifup-bnep     ifup-isdn  ifup-ppp     ifup-wireless     network-functions-ipv6
ifdown-eth   ifdown-post  ifdown-tunnel  ifup-eth      ifup-plip  ifup-routes  init.ipv6-global
2. I tried 'ls -lt'. Only 'cron', 'Xorg.0.log' and 'messages' were recently updated. But for these I saw no correlation with my attempt to access google.com in mozilla.

3. 'messages' however, kept filling up with the following msg, and is repeated several times per minute.
Code:
Feb 28 18:07:01 localhost dhclient[1210]: DHCPREQUEST on eth0 to 192.168.1.1 port 67 (xid=0x7638d090)
Feb 28 18:07:01 localhost dhclient[1210]: send_packet: Operation not permitted
I rebooted and this stopped. (I initially tried service network stop, without success.)

4. I tried '-type f -mmin -1' to see if any files changed recently anywhere on the system.
This returned only a large number of files from the "./proc/" directory.

5. The weird part now. I have internet access. I thought it might be due to the reboot, but doing 'cat /etc/sysconfig/iptables' reveals the same config as in my previous post.
(On subsequent checks, the [x:x] values in the first three lines change, as I wondered about in the original post.)

I was sure that it didn't work before.
To make it fail this time around, I can either add "-p tcp" to the INPUT rule, or I can change --dport to --sport.
Do you know why sport wouldn't work? Doesn't setting dport mean I'm configuring for a port on an outside (destination) computer, thus assuming they used port 80?

6. Would it help if I started over? I don't really want to reinstall everything, but if I had to do it, now would be a good time since it's a pretty fresh install.
 
Old 02-28-2013, 09:23 PM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
If it works, don't break it.

The remote http server listens on port 80 (443 for https).
From your machine as the client, this is the destn port. The src port is the outgoing port on your system, which is usually a random port in the >1023 range.

Some(!) services do connect on the same port at both ends (eg DNS = 53), but generally, this is not the case.
 
1 members found this post helpful.
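The source-port versus destination-port distinction chrism01 describes is easiest to see by running the thread's own rulesets through a toy evaluator. The block below is an added example, not code posted in this thread and not netfilter itself: it parses only the subset of iptables-save syntax used above (chain policies with their bracketed counters, -i/-o, -p, --sport/--dport, the ESTABLISHED,RELATED state match) and walks a browser's outgoing HTTP connection through the failing `--sport 80` variant and the working `--dport 80` variant. The names `Packet`, `Chain`, `parse_ruleset`, `verdict`, `http_fetch` and `server_reply`, the client port 51234 and the packet sizes are constructed for the illustration. It also shows what the `[x:x]` values on the policy lines are: in iptables-save output, `:OUTPUT DROP [0:0]` carries the packet and byte counters of traffic that fell through to the chain policy, so every dropped packet increments them, which is why they never stay at `[0:0]` on a default-DROP box.

```python
"""Toy evaluator for the iptables-save rulesets posted in this thread.

Models only: the filter table, chain policies with [packets:bytes]
counters, -i/-o, -p, --sport/--dport and the ESTABLISHED,RELATED state
match. Constructed for illustration; it is not netfilter.
"""
from dataclasses import dataclass, field

# The two rulesets from the thread: the failing (--sport) and working (--dport) form.
RULES_SPORT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""
RULES_DPORT = RULES_SPORT.replace("--sport 80", "--dport 80")


@dataclass
class Packet:
    """Constructed packet as seen from the firewalled host."""
    direction: str  # "in" or "out"
    iface: str
    proto: str
    sport: int
    dport: int
    state: str      # "NEW" or "ESTABLISHED", as conntrack would classify it
    length: int = 60


@dataclass
class Chain:
    policy: str
    packets: int = 0  # the [packets:bytes] counters on the policy line
    bytes: int = 0
    rules: list = field(default_factory=list)


def parse_ruleset(text):
    """Parse the subset of iptables-save syntax used in the thread."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#")) or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":NAME POLICY [p:b]"
            name, policy, _counters = line[1:].split()
            chains[name] = Chain(policy)
            continue
        toks = line.split()                            # "-A CHAIN <matches> -j TARGET"
        rule = {"chain": toks[1]}
        for i in range(2, len(toks), 2):
            key, val = toks[i], toks[i + 1]
            if key in ("-i", "-o", "-p", "--sport", "--dport", "--state", "-j"):
                rule[key] = val                        # "-m tcp" / "-m state" are skipped
        chains[rule["chain"]].rules.append(rule)
    return chains


def _matches(rule, pkt):
    checks = [
        ("-i", pkt.iface if pkt.direction == "in" else None),
        ("-o", pkt.iface if pkt.direction == "out" else None),
        ("-p", pkt.proto),
        ("--sport", str(pkt.sport)),
        ("--dport", str(pkt.dport)),
    ]
    if any(key in rule and rule[key] != actual for key, actual in checks):
        return False
    return "--state" not in rule or pkt.state in rule["--state"].split(",")


def verdict(chains, pkt):
    """Walk INPUT or OUTPUT; fall through to the policy and count the packet."""
    chain = chains["INPUT" if pkt.direction == "in" else "OUTPUT"]
    for rule in chain.rules:
        if _matches(rule, pkt):
            return rule["-j"]
    chain.packets += 1          # this is what makes [0:0] change over time
    chain.bytes += pkt.length
    return chain.policy


def http_fetch(ruleset_text, client_port=51234):
    """Browser on this host connects to a remote web server on port 80.

    Returns (outgoing SYN verdict, reply verdict, OUTPUT policy packet count).
    """
    chains = parse_ruleset(ruleset_text)
    # Client side: random high source port, destination port 80.
    syn = Packet("out", "eth0", "tcp", sport=client_port, dport=80, state="NEW")
    v_out = verdict(chains, syn)
    if v_out != "ACCEPT":
        return v_out, "NO-REPLY", chains["OUTPUT"].packets   # nothing left, nothing comes back
    # Server answers with the ports swapped; conntrack tags it ESTABLISHED.
    reply = Packet("in", "eth0", "tcp", sport=80, dport=client_port, state="ESTABLISHED")
    return v_out, verdict(chains, reply), chains["OUTPUT"].packets


def server_reply(ruleset_text):
    """What --sport 80 actually matches: a reply sent by a web server on this host."""
    chains = parse_ruleset(ruleset_text)
    return verdict(chains, Packet("out", "eth0", "tcp", sport=80, dport=40000, state="ESTABLISHED"))


if __name__ == "__main__":
    print("--sport 80 client fetch:", http_fetch(RULES_SPORT))   # ('DROP', 'NO-REPLY', 1)
    print("--dport 80 client fetch:", http_fetch(RULES_DPORT))   # ('ACCEPT', 'ACCEPT', 0)
    print("--sport 80 local server reply:", server_reply(RULES_SPORT))  # ACCEPT
```

Read the two `http_fetch` lines together: the `--sport 80` rule only ever matches packets that leave from local port 80, i.e. responses from a web server running on this box, which is exactly what `server_reply` shows it accepting. A browser's connection leaves from an ephemeral port above 1023 and is going to port 80, so only `--dport 80` describes it; everything else falls through to the OUTPUT policy, is dropped, and bumps the policy counter.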
Old 03-01-2013, 04:35 PM   #9
HoratioMx875
LQ Newbie
 
Registered: Feb 2013
Distribution: CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
I guess the problem was the dport, then. I'm going to leave it at that and try to move forwards from here.
Thank you very much for your help Chris, and Grim!
 