Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-04-2012, 09:55 AM   #1
LQ Newbie
Registered: Nov 2000
Location: ottawa, canada
Posts: 18

Rep: Reputation: 0
iptables settings

I am setting up a website. It's a standard e-commerce website and I want to add some firewall rules to stop any malicious users.

The website needs the following ports open: 22 (ssh), 80 (http) and 443 (https)

Some background: The web side (let's call it 'forms') communicates with a background internal process (called 'Handler') written in Python and communicating using a REST API. Handler listens on TCP port 8080.

I had the following rules applied to the firewall.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -j DROP

My understanding here was: If communication on 8080 is just internal to the machine, the firewall rules should not matter as they are applied only for external connections. But 'forms' and 'handler' are not able to communicate with each other. If I remove the last rule (drop rule), the communication is fine.

Variation 1: I added the port 8080 to the rules thinking that somehow iptables is applying even to the internal communication.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -j DROP

Result: Communication is still blocked from 'forms' to 'handler'. If I remove the last rule (drop rule), communication is fine again. So, the drop rule is being applied to it somehow.

Variation 2: I tried the iptables rules with an interface specification, but still have the same problem.
  • iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT

Any input would be appreciated. Thanks in advance.

PS: The machine is running CentOS 6
Old 10-04-2012, 10:05 AM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1971
Your iptables rules should be a lot more complex by default than that. You should already have a default ACCEPT on lo at the top of the default ruleset, after the ACCEPTs for established connections. So it looks like you've nuked the sane defaults provided for you, which would normally be in /etc/sysconfig/iptables.
Old 10-15-2012, 07:39 PM   #3
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
The ordering of your rules is important. You are on the right track in making a special case of the loopback interface. But that rule should come before the rules that apply to the external Ethernet interface. So I guess you will need something like this:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -j DROP
These rules will allow any traffic on the loopback interface to flow unimpeded, and restrict incoming traffic on the eth0 interface to just the ports you have identified. If you find that you need further debugging, you could add this line
    iptables -I INPUT 5 -j LOG
This will insert a logging rule just before the DROP, and log any packet that has not been previously accepted. (It is probably a bad idea to leave this logging rule installed; it will fill up your /var/log/messages file pretty quickly with reports of bogus packets arriving on eth0.)
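As an added example that is not code from the thread or from any of its posters, the following POSIX sh script ties the two replies together for the CentOS 6 setup in the question. It assumes the public interface is eth0, that Handler listens on 127.0.0.1:8080, and that the kernel's `state` match is available. One point the replies leave implicit explains why Variation 1 still failed: on the loopback interface both directions of a connection pass through the INPUT chain, so the SYN to port 8080 matched the added ACCEPT, but Handler's reply (source port 8080, destination an ephemeral port) matched nothing and fell through to the trailing DROP. Either an `-i lo -j ACCEPT` rule or an `ESTABLISHED,RELATED` rule placed before the DROP fixes that. The script emits a ruleset in the iptables-restore format that /etc/sysconfig/iptables holds (with the LOG rule from reply #3 rate-limited so it can stay installed) and includes a check that the loopback ACCEPT precedes the first DROP or REJECT in an `iptables -S INPUT` listing. It runs that check against three constructed listings: the rules from post #1, a listing in which the lo rule was appended after the DROP (which is what `-A` does if run after the rules in the question), and reply #3's ordering.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a CentOS 6 style
# /etc/sysconfig/iptables for the setup described (ssh/http/https on eth0,
# Handler on 127.0.0.1:8080) and checks rule ORDER in an INPUT listing.
# Assumptions: the public interface is eth0; the "state" match is available.

# Ruleset in iptables-restore format. First match wins, so the loopback and
# ESTABLISHED,RELATED rules sit before anything that can drop. A chain policy
# of DROP replaces a trailing "-j DROP" rule, so a later "-A INPUT ..." cannot
# accidentally land after the drop. The LOG rule is rate-limited.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Check an "iptables -S INPUT" listing passed as one string. Returns 0 only if
# an "-i lo ... -j ACCEPT" rule exists and comes before the first rule in the
# chain that DROPs or REJECTs; otherwise returns 1.
check_lo_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -i lo .*-j ACCEPT/ && !lo    { lo = NR }
        /^-A INPUT .*-j (DROP|REJECT)/ && !drop { drop = NR }
        END { exit !(lo && (!drop || lo < drop)) }
    '
}

# Constructed listings in "iptables -S INPUT" form (not captured from a host).
# Post #1: nothing accepts loopback traffic, so even the SYN to 8080 is dropped.
BROKEN_LISTING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP'

# Variation 2's lo rule, but appended (-A) after the DROP: it is never reached.
LATE_LO_LISTING="$BROKEN_LISTING
-A INPUT -i lo -p tcp -m tcp --dport 8080 -j ACCEPT"

# Reply #3's ordering: loopback is accepted before anything can drop.
FIXED_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP'

# Print a one-line verdict for a labelled listing.
report() {  # $1 = label, $2 = listing
    if check_lo_order "$2"; then
        echo "$1: ok, loopback ACCEPT precedes the first DROP"
    else
        echo "$1: BAD, loopback traffic can reach the DROP rule"
    fi
}

case "${1:-}" in
    --print) gen_rules ;;                                   # e.g. > /etc/sysconfig/iptables
    --check) report "live INPUT chain" "$(iptables -S INPUT)" ;;  # needs root
    *)  report "post #1 rules" "$BROKEN_LISTING"
        report "lo rule appended after DROP" "$LATE_LO_LISTING"
        report "reply #3 rules" "$FIXED_LISTING"
        report "generated ruleset" "$(gen_rules)" ;;
esac
```

To install on CentOS 6, run the script with `--print > /etc/sysconfig/iptables` and then `service iptables restart`; rules added at a shell prompt with `-A` are lost on reboot unless `service iptables save` is run. `--check` runs the ordering test against the live chain and needs root. One caveat beyond the thread: without the `ESTABLISHED,RELATED` rule, a default-DROP INPUT chain also breaks the server's own outbound connections (yum, DNS), because the replies arrive on ephemeral ports that no `--dport` rule matches.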