how should set up iptables to accept WWW connection
Linux - Newbie (LinuxQuestions.org)
Iptables prevents Apache from receiving connections from outside the server box. I modified the iptables rules as below, but HTTP connections were still blocked by the firewall. I am new to iptables and could not find out why the iptables commands I used did not properly change the rules.
I will appreciate any opinions and suggestions.
Thank you in advance.
----------------------------------------
Below is what I did to set up iptables. I found these commands as a sample in an online tutorial and could not find out why the firewall still blocks httpd packets:
To set up iptables to allow WWW and SSH access to the firewall, I executed the following commands (note: I do not use SSH at this point yet):
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
I ran the following command to save the changes to iptables:
Do you have to restart the service? The question could be stupid.
Does Apache or your favorite HTTP server run?
Did you try the command "telnet server_ip 80"?
Hi, thank you for your comment. Here are my answers to your questions:
A1: Yes, I restarted the service with
#service iptables stop
#service iptables start
or
#service iptables restart
A2: Apache is working properly. It accepts connections from inside and outside of the server box if I turn off the firewall.
By the way, I am running apache on Fedora 9.
Yes, I have tried telnet <ip address> 80.
It does not work if the firewall is on.
If you want us to help you see if something is wrong with your iptables configuration you'll need to post the actual configuration, not the script you are using. Please post the output of this command (use code tags):
Remember, firewall rules are applied in order.
If you make a prior "DROP" or "REJECT", further rules will not be applied.
I did not pay attention to the order issue...
I just checked what iptables looks like. I copied the content of the iptables file and pasted it below. Please take a look at it.
I did not pay attention before, but I just noticed that the lines inserted with the iptables commands belong under the :OUTPUT ACCEPT directive, and there are no firewall statements under the :INPUT ACCEPT directive. Is it correct?
#cat iptables
# Generated by iptables-save v1.4.0 on Thu Aug 28 16:54:45 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5441:1208769]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Aug 28 16:54:45 2008
If you want us to help you see if something is wrong with your iptables configuration you'll need to post the actual configuration, not the script you are using. Please post the output of this command (use code tags):
Code:
iptables -nvL
Hi, I just happened to post the content of the iptables file.
Here is another one using the command you suggested:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Have a look in your administration tools; you probably have a firewall administration toolkit, in which you'll be able to set adequate rules.
I strongly think your iptables commands are good but "misplaced" due to rule order.
Yes I did. Actually, it was the first thing I did when I suspected Linux firewall might cause this problem. But, I could not find any GUI tools to set up Linux firewall on the Fedora 9 server which I set up lately.
I searched on the Internet, learned, and looked for the security level configuration tool, but I could not find it under the admin menu. I looked for the system-config-securitylevel command-line tool, but could not find it either.
...Oh! I just found the Firewall Configuration GUI!!!!
Is it the one you were expecting me to find?
I am going to try it and will let you know the result.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
The reason this won't work is because packets sent into the HTTP server are sent to REJECT before they can get sent to ACCEPT.
You would need to flip the order of those last two rules.
And once again, please use code tags when posting output.
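The "first match wins" walk that explains the diagnosis above can be made concrete. The following is an added example (not code from the thread or from iptables itself): a toy rule walker in POSIX sh that understands only the matches the thread's rules use (-i, -p, --dport, --sport, -m state --state, -j), fed the thread's own INPUT chain. The packet it checks is a constructed new HTTP connection from a client's ephemeral port; in the thread's order it lands on the catch-all REJECT at position 5, and after the catch-all is moved to the bottom it lands on the port-80 ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the thread: a toy first-match walker for an
# iptables filter chain. The kernel does the same walk: the first rule whose
# criteria all hold decides the packet's fate and later rules are never seen.

# The INPUT chain exactly as the thread's iptables-save output lists it:
# the catch-all REJECT was appended before the port-80 ACCEPT.
THREAD_INPUT='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT'

# port_in SPEC PORT: true when PORT lies within SPEC ("80" or "1024:65535")
port_in() {
    lo=${1%%:*}; hi=${1#*:}
    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]
}

# rule_matches IFACE PROTO SPORT DPORT STATE rule-tokens...
# Every criterion the rule carries must hold; a rule with no criteria matches everything.
rule_matches() {
    p_if=$1 p_proto=$2 p_sport=$3 p_dport=$4 p_state=$5
    shift 5
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-m|-j|--reject-with) shift 2 ;;   # chain, module, target, reject type: not criteria
            -i) [ "$2" = "$p_if" ] || return 1; shift 2 ;;
            -p) [ "$2" = "$p_proto" ] || return 1; shift 2 ;;
            --dport) port_in "$2" "$p_dport" || return 1; shift 2 ;;
            --sport) port_in "$2" "$p_sport" || return 1; shift 2 ;;
            --state) case ",$2," in *",$p_state,"*) ;; *) return 1 ;; esac; shift 2 ;;
            *) echo "unsupported token: $1" >&2; return 2 ;;
        esac
    done
    return 0
}

# rule_target rule-tokens...: print the -j target of one rule
rule_target() {
    while [ $# -gt 0 ]; do
        [ "$1" = -j ] && { echo "$2"; return 0; }
        shift
    done
}

# verdict IFACE PROTO SPORT DPORT STATE  (chain on stdin, one rule per line)
# Prints "TARGET N" for the first matching rule N, or "POLICY 0" if nothing matched.
verdict() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        # shellcheck disable=SC2086  # splitting the rule into tokens is intended
        if rule_matches "$@" $line; then
            echo "$(rule_target $line) $n"
            return 0
        fi
    done
    echo "POLICY 0"
}

# catch_all_last: reorder the chain on stdin so rules carrying match criteria
# come first and bare-target rules (the catch-all REJECT) come last.
catch_all_last() {
    all=$(cat)
    printf '%s\n' "$all" | grep -E -- '(-i|-p|--dport|--sport|--state) '
    printf '%s\n' "$all" | grep -E -v -- '(-i|-p|--dport|--sport|--state) '
}

FIXED_INPUT=$(printf '%s\n' "$THREAD_INPUT" | catch_all_last)

# Constructed packet: a new HTTP connection on eth0 from a client's ephemeral port 40000
printf 'thread order: %s\n' "$(printf '%s\n' "$THREAD_INPUT" | verdict eth0 tcp 40000 80 NEW)"
printf 'fixed order:  %s\n' "$(printf '%s\n' "$FIXED_INPUT" | verdict eth0 tcp 40000 80 NEW)"
```

The walker is deliberately minimal; it is a way to reason about the chain on paper, not a substitute for `iptables -nvL`, whose pkts/bytes counters show which rule real traffic is actually hitting.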
Quote:
Originally Posted by samohn
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Thanks, but the idea is to execute the command when the firewall is enabled.
Quote:
Originally Posted by Fantasio
it seems you accept everything as input but you forbid outputs.
port 80 is the source, not the destination ...
iptables -A INPUT -p tcp -i eth0 --sport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 80 -m state --state NEW -j ACCEPT
Unless I'm misunderstanding things, this is the OP's server, not his client.
These rules you've posted make no sense on a server.
Thank you very much for your help
It solved the problem. Now HTTP packets can go through the firewall.
I am going to learn how to use iptables firewall. If you have any suggestions or opinions please let me know.
Thank you very much for your help!
Could you tell me how to modify the iptables file? It is said that you should not manually change it because the save process just overwrites what you have changed in it. That makes sense. But if you do not use a GUI tool such as Firewall Configuration, which seems to overwrite the iptables file you manually modified, how should you modify iptables?
I am sorry that I did not know that I should use code tags for posting codes. I will use it although I need to figure out how to do it.
You are right. It is server not client.
I thought they looked right, and I still cannot figure out what is wrong with them... Probably I am too new to iptables and may be confused...
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
By using the iptables command to set everything up, and only doing a save when you're happy with how everything is set up. It's common practice to create a script, cuz you can easily make edits to it. So once you've got your script perfected, you execute it, then proceed to save the configuration. You never need to touch the saved configuration file.
Well, you still haven't posted the relevant "iptables -nvL" output, so we have no idea what your current iptables configuration is. If you feel overwhelmed by iptables at this time you have lots of front-ends available to make things easier for you until you get comfortable with iptables.
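The "script first, save only when happy" workflow recommended above, as an added example that is not the thread's script and not part of any distribution's tooling. It assumes eth0 is the internet-facing interface and that sshd and httpd are the only services exposed; the `dry` backend, the `APPLY` and `IPT` variables and the position-check helpers are this example's own inventions. Because the script flushes the chains and rebuilds them every run, the order is fixed by the script and the catch-all REJECT can never end up above a service rule the way it did in the thread.

```shell
#!/bin/sh
# Added example, not the thread's script: rebuild the whole filter table from
# scratch on every run so rule order is dictated by the script, then save.
# Assumes eth0 is the internet-facing interface (WAN). Run as root with APPLY=1;
# without APPLY=1 it only prints the commands it would run.
IPT=${IPT:-iptables}     # hypothetical switch: IPT=dry prints instead of executing
WAN=${WAN:-eth0}

dry() { printf '%s\n' "$*"; }   # dry-run backend used by the self-checks below

apply_rules() {
    # 0. Start clean. Appending to a loaded ruleset is how the thread ended up
    #    with a duplicated OUTPUT rule and an ACCEPT sitting below the REJECT.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT

    # 1. Traffic we always want: loopback, replies to tracked connections, ICMP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # 2. Services offered on the WAN interface, new connections only
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 3. The catch-all goes LAST; anything appended after it is never reached
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    $IPT -A OUTPUT -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Policies after the rules, so a live SSH session survives the rebuild;
    #    DROP means a missing catch-all still fails closed
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# input_rule_count: number of INPUT rules the script would load (dry run)
input_rule_count() { (IPT=dry; apply_rules) | grep -c -- '^-A INPUT'; }

# input_rule_pos PATTERN: 1-based position of the first INPUT rule matching
# PATTERN in a dry run, i.e. its line in "iptables -nvL --line-numbers"
input_rule_pos() {
    (IPT=dry; apply_rules) | grep -- '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Self-check before touching the kernel: the catch-all must be the last INPUT rule
if [ "$(input_rule_pos REJECT)" -ne "$(input_rule_count)" ]; then
    echo "refusing to load: catch-all REJECT is not the last INPUT rule" >&2
    exit 1
fi

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules && echo "loaded; verify with 'iptables -nvL --line-numbers', then 'service iptables save'"
else
    (IPT=dry; apply_rules)
fi
```

After editing the script, re-run it (it replaces the chains wholesale, so there is no "part of it" to keep in sync), confirm the counters in `iptables -nvL` move on the rule you expect, and only then save; the saved file is output, never the thing you edit.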
You suggested using a script. Does that mean you need to set up the entire iptables ruleset to maintain the order of the contents, rather than a part of it, every time you modify iptables? It sounds like I should not run iptables commands to make a few changes over an existing ruleset.
Actually, I have posted the output of "iptables -nvL"... Let me check.
Here is the output:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
PS
I think I want to learn the iptables firewall so that I can secure the server box. I am building an ecom site on the server and security is a very critical issue for me.
If you know any good resources to learn iptables, please let me know.
Besides, if you can suggest any good front end software to manage security setting, please let me know as well.