Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 08-29-2008, 03:35 AM   #1
samohn
Member
 
Registered: Aug 2008
Posts: 55

Rep: Reputation: 15
How should I set up iptables to accept WWW connections?


Iptables prevents Apache from receiving connections from outside of the server box. I modified the iptables as below, but HTTP connections were still blocked by the firewall. I am new to iptables and could not find out why the iptables commands I used could not properly change the iptables.
I will appreciate any opinions and suggestions.
Thank you in advance.
----------------------------------------
Below is what I did to set up iptables. I found these commands as a sample in an online tutorial and could not find out why the firewall still blocks httpd packets:

To set up iptables to allow WWW and SSH access to the firewall I executed the following commands (note: I do not use SSH at this point yet):
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT

I ran the following command to save the changes to the iptables:

#service iptables save
 
Old 08-29-2008, 03:44 AM   #2
Fantasio
Member
 
Registered: Nov 2007
Location: Vinsobres - Drome - France
Distribution: SuSE Linux 11.3
Posts: 152

Rep: Reputation: 19
Did you restart the service? The question could be stupid.

Does Apache or your favorite HTTP server run?

Did you try the command "telnet server_ip 80"?
 
Old 08-29-2008, 03:46 AM   #3
Fantasio
Member
 
Registered: Nov 2007
Location: Vinsobres - Drome - France
Distribution: SuSE Linux 11.3
Posts: 152

Rep: Reputation: 19
Remember, firewall rules are applied in order.

If you make a prior "DROP" or "REJECT", further rules will not be applied.
 
Old 08-29-2008, 04:18 AM   #4
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Fantasio View Post
Did you restart the service? The question could be stupid.

Does Apache or your favorite HTTP server run?

Did you try the command "telnet server_ip 80"?
Hi, thank you for your comment. Here are my answers to your questions:

A1: Yes, I restarted the service as
#service iptables stop
#service iptables start

or

#service iptables restart

A2: Apache is working properly. It accepts connections from inside and outside of the server box if I turn off the firewall.
By the way, I am running apache on Fedora 9.


Yes, I have tried telnet <ip address> 80.
It does not work if the firewall is on.
 
Old 08-29-2008, 04:28 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
If you want us to help you see if something is wrong with your iptables configuration you'll need to post the actual configuration, not the script you are using. Please post the output of this command (use code tags):
Code:
iptables -nvL
 
Old 08-29-2008, 04:31 AM   #6
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Fantasio View Post
Remember, firewall rules are applied in order.

If you make a prior "DROP" or "REJECT", further rules will not be applied.
I did not pay attention to the order issue...
I just checked what iptables looks like. I copied the content of the iptables file and pasted it below. Please take a look at it.

I did not pay attention before, but I just noticed that the lines inserted with the iptables commands belong under the :OUTPUT ACCEPT directive, and there are no firewall statements under the :INPUT ACCEPT directive. Is that correct?

#cat iptables
# Generated by iptables-save v1.4.0 on Thu Aug 28 16:54:45 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5441:1208769]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Aug 28 16:54:45 2008
 
Old 08-29-2008, 04:32 AM   #7
Fantasio
Member
 
Registered: Nov 2007
Location: Vinsobres - Drome - France
Distribution: SuSE Linux 11.3
Posts: 152

Rep: Reputation: 19
Have a look in your administration tools; you probably have a firewall administration toolkit, on which you'll be able to set adequate rules.

I strongly think your iptables commands are good but "misplaced" due to rule order.
 
Old 08-29-2008, 04:35 AM   #8
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
If you want us to help you see if something is wrong with your iptables configuration you'll need to post the actual configuration, not the script you are using. Please post the output of this command (use code tags):
Code:
iptables -nvL
Hi, I just happened to post the content of the iptables file.

Here is another one using the command you suggested:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
 
Old 08-29-2008, 04:42 AM   #9
Fantasio
Member
 
Registered: Nov 2007
Location: Vinsobres - Drome - France
Distribution: SuSE Linux 11.3
Posts: 152

Rep: Reputation: 19
It seems you accept everything as input but you forbid outputs.

The port 80 is the source, not the destination...


iptables -A INPUT -p tcp -i eth0 --sport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 80 -m state --state NEW -j ACCEPT
 
Old 08-29-2008, 04:50 AM   #10
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Fantasio View Post
Have a look in your administration tools; you probably have a firewall administration toolkit, on which you'll be able to set adequate rules.

I strongly think your iptables commands are good but "misplaced" due to rule order.
Yes, I did. Actually, it was the first thing I did when I suspected the Linux firewall might cause this problem. But I could not find any GUI tools to set up the Linux firewall on the Fedora 9 server which I set up recently.

I searched on the Internet, learned, and looked for the security level configuration tool, but I could not find it under the admin menu. I looked for the system-config-securitylevel command-line tool, but could not find it either.

...Oh! I just found the Firewall Configuration GUI!!!!
Is it the one you were expecting me to find?
I am going to try it and will let you know the result.

Thank you very much for your help.
 
Old 08-29-2008, 04:51 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by samohn View Post
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
The reason this won't work is because packets sent into the HTTP server are sent to REJECT before they can get sent to ACCEPT.

You would need to flip the order of those last two rules.

And once again, please use code tags when posting output.


Quote:
Originally Posted by samohn View Post
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Thanks, but the idea is to execute the command when the firewall is enabled.


Quote:
Originally Posted by Fantasio View Post
It seems you accept everything as input but you forbid outputs.

The port 80 is the source, not the destination...


iptables -A INPUT -p tcp -i eth0 --sport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 80 -m state --state NEW -j ACCEPT
Unless I'm misunderstanding things, this is the OP's server, not his client.

These rules you've posted make no sense on a server.

Last edited by win32sux; 08-29-2008 at 04:54 AM.
 
Old 08-29-2008, 05:19 AM   #12
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by samohn View Post
Yes, I did. Actually, it was the first thing I did when I suspected the Linux firewall might cause this problem. But I could not find any GUI tools to set up the Linux firewall on the Fedora 9 server which I set up recently.

I searched on the Internet, learned, and looked for the security level configuration tool, but I could not find it under the admin menu. I looked for the system-config-securitylevel command-line tool, but could not find it either.

...Oh! I just found the Firewall Configuration GUI!!!!
Is it the one you were expecting me to find?
I am going to try it and will let you know the result.

Thank you very much for your help.
It solved the problem. Now HTTP packets can go through the firewall.
I am going to learn how to use iptables firewall. If you have any suggestions or opinions please let me know.

Thank you very much for your help.
 
Old 08-29-2008, 05:49 AM   #13
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
The reason this won't work is because packets sent into the HTTP server are sent to REJECT before they can get sent to ACCEPT.

You would need to flip the order of those last two rules.

And once again, please use code tags when posting output.


Thanks, but the idea is to execute the command when the firewall is enabled.


Unless I'm misunderstanding things, this is the OP's server, not his client.

These rules you've posted make no sense on a server.

Thank you very much for your help!
Could you tell me how to modify the iptables file? It is said that you should not manually change it because the save process just overwrites what you have changed in iptables. That makes sense. But if you do not use a GUI tool such as Firewall Configuration, which seems to overwrite the iptables file you manually modified, how should you modify iptables?

I am sorry that I did not know that I should use code tags for posting code. I will use them, although I need to figure out how to do it.

You are right. It is a server, not a client.
I thought they looked right, and still cannot figure out what is wrong with them... Probably I am too new to iptables and may be confused...

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT

Last edited by samohn; 08-29-2008 at 05:51 AM.
 
Old 08-29-2008, 05:57 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by samohn View Post
Thank you very much for your help!
Could you tell me how to modify the iptables file? It is said that you should not manually change it because the save process just overwrites what you have changed in iptables. That makes sense. But if you do not use a GUI tool such as Firewall Configuration, which seems to overwrite the iptables file you manually modified, how should you modify iptables?
By using the iptables command to set everything up, and only doing a save when you're happy with how everything is set up. It's common practice to create a script, cuz you can easily make edits to it. So once you've got your script perfected, you execute it, then proceed to save the configuration. You never need to touch the saved configuration file.

Quote:
I am sorry that I did not know that I should use code tags for posting code. I will use them, although I need to figure out how to do it.

You are right. It is a server, not a client.
I thought they looked right, and still cannot figure out what is wrong with them... Probably I am too new to iptables and may be confused...

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
Well, you still haven't posted the relevant "iptables -nvL" output, so we have no idea what your current iptables configuration is. If you feel overwhelmed by iptables at this time you have lots of front-ends available to make things easier for you until you get comfortable with iptables.
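As an added illustration of the two points made above (win32sux's rule-order diagnosis in post #11 and the "script it, then save" workflow in this post), here is a small POSIX shell script that is not from the thread: it emits the OP's web-server rule set with the catch-all REJECT last, and audits a saved rule set for rules shadowed by an earlier unconditional terminal rule. It assumes eth0 is the internet interface, as in the OP's script, and that the Fedora 9 "service iptables save" command from the thread is what persists the result.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the OP's web-server rule set in
# a working order, and audit a saved rule set for rules that an earlier catch-all
# REJECT/DROP/ACCEPT shadows. Assumes eth0 is the internet interface (as in the OP's script).

# Complete filter table in iptables-save format; the catch-all REJECT is the
# LAST INPUT rule, so the port 22/80 ACCEPT rules ahead of it are reachable.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print "<chain>: <rule>" for every rule
# placed after an unconditional terminal rule ("-A CHAIN -j TARGET", no match
# options) in the same chain: such a rule can never match. Silent if all are reachable.
find_shadowed() {
    awk 'BEGIN { split("", blocked) }
    /^-A / {
        chain = $2
        if (chain in blocked) { print chain ": " $0; next }
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT"))
            blocked[chain] = 1
    }'
}
# The INPUT chain the OP posted in #6 (icmp/lo rules omitted), used as audit input.
OP_SAVED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
COMMIT'
case "${1:-}" in
    audit) printf '%s\n' "$OP_SAVED" | find_shadowed ;;                 # flags the port-80 rule
    apply) build_ruleset | iptables-restore && service iptables save ;;  # run as root
    *)     build_ruleset ;;                                              # print the rule set
esac
```

Running it with "audit" reports the OP's port-80 rule as unreachable; running "apply" loads the ordered set atomically and then saves it, so the saved file is never edited by hand.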
 
Old 08-29-2008, 07:04 AM   #15
samohn
Member
 
Registered: Aug 2008
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
By using the iptables command to set everything up, and only doing a save when you're happy with how everything is set up. It's common practice to create a script, cuz you can easily make edits to it. So once you've got your script perfected, you execute it, then proceed to save the configuration. You never need to touch the saved configuration file.

Well, you still haven't posted the relevant "iptables -nvL" output, so we have no idea what your current iptables configuration is. If you feel overwhelmed by iptables at this time you have lots of front-ends available to make things easier for you until you get comfortable with iptables.

You suggested using a script. Does that mean you need to set the entire iptables to maintain the order of the contents, rather than a part of it, every time you modify iptables? It sounds like I should not run the iptables command to make a few changes over an existing iptables.

Actually, I have posted the output of "iptables -nvL"... Let me check.

Here is the output:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

PS

I think I want to learn the iptables firewall so that I can secure the server box. I am building an ecom site on the server, and security is a very critical issue for me.
If you know any good resources to learn iptables, please let me know.

Besides, if you can suggest any good front end software to manage security setting, please let me know as well.

I really appreciate your help.
Thank you,
sam

Last edited by samohn; 08-29-2008 at 07:16 AM.