iptables settings
Hi,
I am setting up a website. Its a standard e-commerce website and want to add some firewall rules to stop any malicious users. The website needs the following ports open: 22 (ssh), 80 (http) and 443 (https) Some background: The web side (lets call it 'forms') communicates with a background internal process (called 'Handler') written in Python and communicating using REST API. Handler listens on TCP port 8080. I had the following rules applied to the firewall.
My understanding here was: If communication on 8080 is just internal to the machine, the firewall rules should not matter as they are applied only for external connections. But 'forms' and 'handler' are not able to communicate with each other. If I remove the last rule (drop rule), the communication is fine. Variation 1: I added the port 8080 to the rules thinking that somehow iptables is applying even to the internal communication.
Result: Communication is still blocked from 'forms' to 'handler'. If I remove the last rule (drop rule), communication is fine again. So, the drop rule is being applied to it somehow. Variation 2: I tried the iptables rule with interface specification, but still have the same problem.[*]iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT[*]iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT Any input would be appreciated. Thanks in advance. ps: The machine is running CentOS 6 |
your iptables rules should be a lot more complex by default than that. You should already have a default ACCEPT on lo at the top of the default ruleset, after the ACCEPTs for established connections. So it looks like you've nuked the sane defaults provided for you,. which would normal be in /etc/sysconfig/iptables
|
The ordering of your rules is important. You are on the right track to make a special case of the loopback interface. But that rule should come before the rules that apply to the external ethernet interface. So I guess you will need something like this:
Code:
iptables -A INPUT -i lo -j ACCEPT Code:
iptables -I INPUT 5 -j LOG |
All times are GMT -5. The time now is 03:58 PM. |