
sabeel_ansari 10-04-2012 09:55 AM

iptables settings
I am setting up a website. It's a standard e-commerce website and I want to add some firewall rules to stop any malicious users.

The website needs the following ports open: 22 (ssh), 80 (http) and 443 (https).

Some background: The web side (let's call it 'forms') communicates with a background internal process (called 'Handler') written in Python and communicating using a REST API. Handler listens on TCP port 8080.

I had the following rules applied to the firewall.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -j DROP

My understanding here was: If communication on 8080 is just internal to the machine, the firewall rules should not matter as they are applied only for external connections. But 'forms' and 'handler' are not able to communicate with each other. If I remove the last rule (drop rule), the communication is fine.

Variation 1: I added the port 8080 to the rules thinking that somehow iptables is applying even to the internal communication.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -j DROP

Result: Communication is still blocked from 'forms' to 'handler'. If I remove the last rule (drop rule), communication is fine again. So, the drop rule is being applied to it somehow.

Variation 2: I tried the iptables rule with interface specification, but still have the same problem.
  • iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT

Any input would be appreciated. Thanks in advance.

PS: The machine is running CentOS 6.

acid_kewpie 10-04-2012 10:05 AM

Your iptables rules should be a lot more complex by default than that. You should already have a default ACCEPT on lo at the top of the default ruleset, after the ACCEPTs for established connections. So it looks like you've nuked the sane defaults provided for you, which would normally be in /etc/sysconfig/iptables.

dkm999 10-15-2012 07:39 PM

The ordering of your rules is important. You are on the right track to make a special case of the loopback interface. But that rule should come before the rules that apply to the external ethernet interface. So I guess you will need something like this:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -j DROP

These rules will allow any traffic on the loopback interface to flow unimpeded, and restrict incoming traffic on the eth0 interface to just the ports you have identified. If you find that you need further debugging, you could add this line

    iptables -I INPUT 5 -j LOG

This will insert a logging rule just before the DROP, and log any packet that has not been previously accepted. (It is probably a bad idea to leave this logging rule installed; it will fill up your /var/log/messages file pretty quickly with reports of bogus packets arriving on eth0.)
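The ordering point dkm999 makes can be checked mechanically. The script below is an added example, not code from the thread: it lints the INPUT chain of a saved ruleset (the iptables-save format used by /etc/sysconfig/iptables on CentOS 6) for the three mistakes discussed here, and also flags the port-specific loopback rule from Variation 2, since on lo the Handler's replies arrive with the client's ephemeral port as the destination and so miss a `--dport 8080` match. The sample rulesets are constructed for the test.

```shell
#!/bin/sh
# check_input_chain: lint an INPUT chain for the ordering problem in this thread.
# Reads "iptables -A INPUT ..." lines or iptables-save "-A INPUT ..." lines
# (the format of /etc/sysconfig/iptables) on stdin, prints "ok" or "fail: ...",
# and returns non-zero on a problem. Requirements checked:
#   - an unconditional loopback ACCEPT (-i lo -j ACCEPT, no -p/--dport) exists,
#   - it comes before the first catch-all DROP/REJECT,
#   - nothing follows the catch-all (later rules are never evaluated).
# A port-specific lo ACCEPT is flagged: on lo the server's replies arrive with
# the client's ephemeral port as --dport, so they miss that rule and hit DROP.
check_input_chain() {
    awk '
        /^([^ ]*iptables +)?-A +INPUT/ {
            n++
            if ($0 ~ /-i lo / && $0 ~ /-j ACCEPT/) {
                if ($0 ~ /-p |--dport/) lo_cond = n; else if (lo == 0) lo = n
            }
            if (drop == 0 && $0 ~ /^([^ ]*iptables +)?-A +INPUT +-j +(DROP|REJECT)/) drop = n
            else if (drop > 0) dead = dead " " n
        }
        END {
            if (drop == 0) { print "ok"; exit 0 }
            if (lo == 0 && lo_cond > 0) { print "fail: loopback ACCEPT at rule " lo_cond " matches only --dport, replies on lo hit the catch-all at rule " drop; exit 1 }
            if (lo == 0) { print "fail: no unconditional -i lo ACCEPT before the catch-all at rule " drop; exit 1 }
            if (lo > drop) { print "fail: loopback ACCEPT at rule " lo " comes after the catch-all at rule " drop; exit 1 }
            if (dead != "") { print "fail: rules" dead " are unreachable after the catch-all at rule " drop; exit 1 }
            print "ok"; exit 0
        }'
}

# Constructed samples (not copied from the thread): the poster's Variation 2
# ordering with the port-specific lo rule, and dkm999's corrected ordering.
BROKEN_RULES='iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -j DROP'
FIXED_RULES='iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP'

# Stand-alone run; on a live box use: check_input_chain < /etc/sysconfig/iptables
printf '%s\n' "$BROKEN_RULES" | check_input_chain || true
printf '%s\n' "$FIXED_RULES" | check_input_chain
```

The CentOS default ruleset acid_kewpie refers to ends in a REJECT rather than a DROP, which is why the catch-all match accepts either target.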
