[SOLVED] iptables, http port not opening

fakie_flip · 01-25-2012, 11:11 PM

I have a server, no physical access. I have to be very careful with iptables because I could end up locking myself out of it. So ssh was the only thing open, and I think still is. I tried to open port 80 for httpd, but it's still not accessible. I am not understanding iptables all that well. I could use some help please. I attempted to open it with the following command.

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

And that resulted in:

Code:

[bullshark@chrisbox]~❯ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[bullshark@chrisbox]~❯

Could somebody please help me understand why this it is not working and what I need to do to make it work? Thanks.

fukawi1 · 01-25-2012, 11:23 PM

Iptables compares a packet to the list of rules rules sequentially. Starting at the first rule, and working its way to the bottom, until it finds a rule that applies to that packet.
Since you have a default policy of accept, and are using a catch all rule to reject anything that doesn't match a previous rule, your port 80 accept rule, is AFTER the catch all rule.

Quote:

Code:

REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Personally, i use a script to generate my iptables rules, i edit the script, and run it, the save the itpables rules to the file loaded by the init script, so they are persistent across reboots. So whenever I add a new rule, I make sure I add above the "catch all".

In your current example, you would need to

Code:

iptables -D INPUT 6

Which will remove the current http accept rule. And then instead of using -A, use -I [rule number] to insert the rule above the catch all.

Code:

iptables -I 5 -p tcp --dport 80 -j ACCEPT

Which will insert the rule into the 5th position, moving anything after it down 1 step.
Alternatively, if you don't specify a number, the rule will be inserted in the first position.

fakie_flip · 01-26-2012, 05:02 PM

Thank you for the info, but I'm getting an error with that command. I don't mean to confuse anybody. The '_' is just an alias for sudo.

Code:

chrisbox :: ~ » _ iptables -D INPUT 6
[sudo] password for bullshark:
chrisbox :: ~ » _ iptables -I 5 -p tcp --dport 80 -j ACCEPT         
iptables: No chain/target/match by that name.
chrisbox :: ~ 1 » _ iptables -A INPUT -I 5 -p tcp --dport 80 -j ACCEPT
iptables v1.4.7: Cannot use -I with -A

Try `iptables -h' or 'iptables --help' for more information.
chrisbox :: ~ 2 » _ iptables -L                                       
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
chrisbox :: ~ »

fakie_flip · 01-26-2012, 10:21 PM

I ended up solving it by editting /etc/sysconfig/iptables and issuing an
iptables-restore < /etc/sysconfig/iptables

fukawi1 · 01-27-2012, 12:33 AM

Sorry, that was my fault, i should have been more clear, you need to specify the chain.

Code:

iptables -D FORWARD 6

Same goes for -I.

To clarify..

Code:

iptables -A INPUT etc

Will append the rule to the end of the INPUT chain.

Code:

iptables -I INPUT 6

Will insert the rule into the 6th position of the INPUT chain.