LinuxQuestions.org
Old 10-04-2012, 08:55 AM   #1
sabeel_ansari
LQ Newbie
 
Registered: Nov 2000
Location: ottawa, canada
Posts: 18

iptables settings


Hi,
I am setting up a website. It's a standard e-commerce website and I want to add some firewall rules to stop any malicious users.

The website needs the following ports open: 22 (ssh), 80 (http) and 443 (https)

Some background: The web side (let's call it 'forms') communicates with a background internal process (called 'Handler') written in Python and communicating using a REST API. Handler listens on TCP port 8080.

I had the following rules applied to the firewall.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -j DROP

My understanding here was: If communication on 8080 is just internal to the machine, the firewall rules should not matter as they are applied only for external connections. But 'forms' and 'handler' are not able to communicate with each other. If I remove the last rule (drop rule), the communication is fine.

Variation 1: I added the port 8080 to the rules thinking that somehow iptables is applying even to the internal communication.
  • iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -j DROP

Result: Communication is still blocked from 'forms' to 'handler'. If I remove the last rule (drop rule), communication is fine again. So, the drop rule is being applied to it somehow.


Variation 2: I tried the iptables rule with interface specification, but still have the same problem.
  • iptables -A INPUT -i lo -p tcp --dport 8080 -j ACCEPT
  • iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT

Any input would be appreciated. Thanks in advance.

PS: The machine is running CentOS 6.
 
Old 10-04-2012, 09:05 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Your iptables rules should be a lot more complex by default than that. You should already have a default ACCEPT on lo at the top of the default ruleset, after the ACCEPTs for established connections. So it looks like you've nuked the sane defaults provided for you, which would normally be in /etc/sysconfig/iptables.
 
Old 10-15-2012, 06:39 PM   #3
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 404

The ordering of your rules is important. You are on the right track to make a special case of the loopback interface. But that rule should come before the rules that apply to the external ethernet interface. So I guess you will need something like this:
Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -j DROP
These rules will allow any traffic on the loopback interface to flow unimpeded, and restrict incoming traffic on the eth0 interface to just the ports you have identified. If you find that you need further debugging, you could add this line
Code:
    iptables -I INPUT 5 -j LOG
This will insert a logging rule just before the DROP, and log any packet that has not been previously accepted. (It is probably a bad idea to leave this logging rule installed; it will fill up your /var/log/messages file pretty quickly with reports of bogus packets arriving on eth0.)
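As an added example (not code from the thread or from either poster), the script below builds the ordered INPUT ruleset dkm999 describes, adds the ESTABLISHED,RELATED ACCEPT acid_kewpie refers to, rate-limits the LOG rule so it cannot flood /var/log/messages, and checks the rule order before anything is applied. It assumes eth0 is the external interface and that rules are persisted with `service iptables save` to /etc/sysconfig/iptables, as on the CentOS 6 box in the thread.

```shell
#!/bin/sh
# Added example: emit an ordered INPUT ruleset in iptables-restore format
# and verify the ordering before applying it. EXT_IF=eth0 is an assumption.
EXT_IF="${EXT_IF:-eth0}"

# iptables evaluates a chain top to bottom and the first match wins, so
# loopback and established/related traffic must be accepted before any
# port-specific rule and before the final DROP. Without rule 1 or 2, the
# handler's replies to 'forms' (arriving on lo with an ephemeral
# destination port, not 8080) fall through to DROP, which is exactly why
# "Variation 1" in the question still failed. The chain policy is DROP
# as a backstop; the explicit final DROP mirrors the thread's ruleset.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Print the 1-based position of the first "-A INPUT" rule matching a
# pattern (empty output if no rule matches).
rule_pos() {
    build_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Sanity check: the loopback ACCEPT must precede the catch-all DROP.
check_order() {
    lo_pos=$(rule_pos '-i lo ')
    drop_pos=$(rule_pos '-j DROP$')
    [ -n "$lo_pos" ] && [ -n "$drop_pos" ] && [ "$lo_pos" -lt "$drop_pos" ]
}

# Usage as root: verify order, load the ruleset, then persist it.
# check_order && build_rules | iptables-restore && service iptables save
```

Port 8080 needs no INPUT rule at all once loopback traffic is accepted, since 'forms' and 'Handler' only ever talk over lo.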