LinuxQuestions.org
Old 09-07-2009, 02:35 PM   #1
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Rep: Reputation: 15
iptables open http 80


hello,

I have an iptables issue. I use Fedora and recently I've set up httpd. Now I need to open port 80. I've used iptables before and had no problems, but now I'm stuck. I have a set of rules saved in /etc/sysconfig/iptables and I tried to edit this file to open port 80. First I gave the "iptables -I INPUT -p tcp --dport 80 -j ACCEPT port 80" command, but port 80 is still closed. The httpd service is running. I've checked with nmap, netstat and telnet (from another machine). I tried to edit the iptables file, but I don't really know where to add this: "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT". First I have *nat, then *mangle and finally *filter. I've added it to *filter, saved the file and restarted iptables, but still no open port 80.

Please give me some advice.


Thanks!
 
Old 09-07-2009, 02:39 PM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,528

Rep: Reputation: 899
Try
Code:
iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
 
Old 09-07-2009, 02:48 PM   #3
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,274

Rep: Reputation: 148
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

This is mine; check how suitable it is for you.
 
Old 09-07-2009, 05:27 PM   #4
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216
I'd suggest it's RH-Firewall-1-INPUT you want to use, but to make sure run the following command and copy and paste the output (preferably in code tags).

iptables -nvL

This will show your currently running rules in iptables.
 
Old 09-07-2009, 06:54 PM   #5
29t88
Member
 
Registered: Jan 2009
Distribution: CentOS 5.3
Posts: 62

Rep: Reputation: 17
It could be RH Firewall. Or if he's behind a router, maybe try forwarding the port?
 
Old 09-07-2009, 07:37 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
As kirukan, then

service iptables restart

technically it's not really a service, but that cmd will cause the kernel to reload the iptables rules from the file.
 
Old 09-07-2009, 07:41 PM   #7
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216
Actually I would like to add there is a facility in RHEL called setup; I suspect this might also be in Fedora. This can be used for some configuration work and has the ability to reconfigure some basic settings of iptables, including being able to open the httpd port, port 80. To run this in RHEL or CentOS you just type setup with nothing after it into a terminal and hit enter.

Last edited by r3sistance; 09-07-2009 at 07:42 PM.
 
Old 09-07-2009, 09:32 PM   #8
mr_grumpy
LQ Newbie
 
Registered: Aug 2009
Location: Australia
Distribution: F12, RHEL 5.5
Posts: 6

Rep: Reputation: 2
You could do this from a GUI

System -> Administration -> Firewall

Click the box WWW(HTTP) 80/tcp
Click the green arrow "Apply"

Note: you can also run this gui from command line with:

Code:
# system-config-firewall
 
Old 09-08-2009, 04:15 AM   #9
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
I have a set of rules saved in /etc/sysconfig/iptables that I really need. If I use system-config-firewall it removes my rules from that file. I've tried that and I've managed to open port 80, but I had to restore the old rules file.

My iptables rules look like this:

*nat
:OUTPUT ACCEPT [275:22783]
:POSTROUTING ACCEPT [2071:744765]
:PREROUTING ACCEPT [14016:2923191]
-A POSTROUTING -s 192.168.7.0/255.255.255.0 -o eth0 -j SNAT --to-source 81.196.50.75
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [44396:17365638]
:PREROUTING ACCEPT [35693:14168823]
-A INPUT -s 192.168.7.4 -j ACCEPT
-A INPUT -s xx.xx.xx.xx -j ACCEPT
-A INPUT -s 8x.41.230.xxx -j ACCEPT
-A INPUT -s 8x.77.2x.xxx -j ACCEPT
-A INPUT -s 8x.xxx.xx.81 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64000 -j DROP
-A INPUT -p udp -m udp --dport 64000 -j DROP
-A INPUT -p tcp -m tcp --sport 8060 -j DROP
-A INPUT -p udp -m udp --sport 8060 -j DROP
-A INPUT -p udp -m udp --sport 8000 -j DROP
-A INPUT -p tcp -m tcp --sport 8010 -j DROP
-A INPUT -p udp -m udp --sport 8010 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p udp -m udp --dport 22 -j DROP
##################################################
-A INPUT -i eth1 -m mac --mac-source 00:0E:2E:BE:99:43 -j ACCEPT
#PC1
-A INPUT -i eth1 -m mac --mac-source 00:11:252:9C:14 -j ACCEPT
#PC2
-A INPUT -i eth1 -m mac --mac-source 00:1F:29:8E:0E:2A -j ACCEPT
.
.
.
.
.
.
#hostx
-A INPUT -i eth1 -m mac --mac-source 00:1B:2A:11:10:A7 -j ACCEPT
###############################
-A INPUT -i eth1 -j DROP
########################################################
-A PREROUTING -p tcp -m tcp --dport 2745 -j DROP
-A PREROUTING -p tcp -m tcp --dport 64000 -j DROP
-A PREROUTING -s 63.250.215.226 -j DROP
-A PREROUTING -s 63.250.215.208 -j DROP
-A PREROUTING -d 192.168.0.0/255.255.0.0 -i eth1 -j ACCEPT
#########################################################
-A PREROUTING -i eth1 -m mac --mac-source 00:0E:2E:BE:99:43 -j ACCEPT
# PC1
-A PREROUTING -i eth1 -m mac --mac-source 00:11:252:9C:14 -j ACCEPT
#PC2
-A PREROUTING -i eth1 -m mac --mac-source 00:1F:29:8E:0E:2A -j ACCEPT
.
.
.
.
.
.
#hostx
-A PREROUTING -i eth1 -m mac --mac-source 00:1B:2A:11:10:A7 -j ACCEPT

#####################################################
-A PREROUTING -i eth1 -j DROP
-A PREROUTING -d 224.0.0.0/255.0.0.0 -j DROP
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
 
Old 09-08-2009, 06:37 PM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216
Hi,

It looks like you are routing traffic from port 80 to 8080, neither are open as far as the rules you have shown for your iptables ruleset.
 
Old 09-09-2009, 01:49 AM   #11
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
So how do I open port 80 ?
 
Old 09-09-2009, 05:06 AM   #12
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216
First thing is you will likely have to drop the following rule

-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

After this I would say the following should do the trick

iptables -I INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Once you're happy with the result you should probably do

service iptables save

which will save this to the default configuration; however, it doesn't always work and alternative methods might need to be used to save the configuration. This is all guesswork, however, by what you are showing; the output of "iptables -nvL" is more meaningful than what you have shown, since it will actually show your actual working rulesets for iptables with all chains shown and all that stuff.
 
Old 09-09-2009, 07:47 PM   #13
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
I'd reverse the order of those 2 rules for efficiency. Most incoming cxns will be for already known (--state RELATED,ESTABLISHED) cxns.
 
Old 09-10-2009, 04:28 PM   #14
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
hi guys

I took your advice and modified iptables. I've added the 2 rules and removed the redirect rule from port 80 to 8080 (in PREROUTING). I've saved iptables and restarted, but port 80 is still closed. I've checked with nmap and telnet, locally and from outside. The thing is that I need the redirect rule from port 80 to port 8080 because I use a proxy for my LAN. I don't know what to do next. I'm thinking of rebuilding iptables, but I must import all my rules from the old iptables and it is a lot of hard work.

Thanks anyway.
 
Old 09-10-2009, 04:31 PM   #15
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
here's iptables -nvL


Chain INPUT (policy ACCEPT 2 packets, 458 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
496 74830 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 320 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
71 11222 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 82.77.20.205 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT 455 packets, 24854 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 552 packets, 58065 bytes)
pkts bytes target prot opt in out source destination
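The rules posted in #9 and the fix proposed in #12 and #14 meet in the nat table: a PREROUTING REDIRECT on dport 80 is evaluated before the filter INPUT chain, so every port-80 SYN is diverted to 8080 regardless of what INPUT accepts, which is why nmap keeps reporting 80 closed. The script below is an added example, not code from the thread: it lints a constructed iptables-save style file for that unrestricted redirect and shows the narrowed form that keeps the LAN proxy redirect while letting outside port-80 traffic reach httpd. It assumes eth0 is the WAN and eth1 the LAN interface (inferred from the SNAT rule); the `table_rules`, `redirect_catches_all_80` and `restrict_redirect_to_lan` helpers are mine.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style file for the
# problem discussed above. A nat PREROUTING REDIRECT on dport 80 runs before the
# filter INPUT chain, so every port-80 SYN is diverted to 8080 no matter what
# INPUT allows. Assumption (from the SNAT rule): eth0 is WAN, eth1 is LAN.

# Constructed sample that mirrors the thread's nat and filter tables
# (the public address is a documentation-range placeholder).
RULES="$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/255.255.255.0 -o eth0 -j SNAT --to-source 203.0.113.10
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)"

# table_rules TABLE RULES: print the "-A ..." lines of one table.
table_rules() {
    printf '%s\n' "$2" | awk -v t="*$1" '$0 == t {f = 1; next} /^COMMIT/ {f = 0} f && /^-A/'
}

# redirect_catches_all_80 RULES: true (exit 0) when nat PREROUTING redirects
# port 80 without an "-i <iface>" match, i.e. WAN clients are diverted too.
redirect_catches_all_80() {
    table_rules nat "$1" | grep -- '-A PREROUTING' | grep -- '--dport 80 ' \
        | grep -- '-j REDIRECT' | grep -vq -- ' -i '
}

# restrict_redirect_to_lan RULES: keep the transparent-proxy redirect, but only
# for packets arriving on the LAN interface, so port 80 from eth0 reaches httpd.
# Matches only the exact rule form used in the thread.
restrict_redirect_to_lan() {
    printf '%s\n' "$1" | sed 's/^-A PREROUTING -p tcp --dport 80 -j REDIRECT/-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT/'
}

# Stand-alone use: report the finding, then show the corrected rule.
if redirect_catches_all_80 "$RULES"; then
    echo "port 80 is redirected for all interfaces; httpd never sees it"
    restrict_redirect_to_lan "$RULES" | grep -- '-j REDIRECT'
fi
```

The corrected file still needs the filter INPUT rules from #12 (RELATED,ESTABLISHED first, as #13 notes) if the INPUT policy is ever changed from ACCEPT to DROP.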
 