LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-01-2017, 05:18 AM   #1
Samsolo
LQ Newbie
 
Registered: Mar 2017
Posts: 1

Rep: Reputation: Disabled
Iptables question


Hi all, just wondering if someone could be so kind as to give me some advice on my iptables.

I have a debian 8 bps running apache2. I am getting forbidden messages when attempting to go to my website.

I was wondering if someone could check these iptables for me? I am also running a minecraft server on the vps, access to the server and access via browser to the control panel work fine.

[Spoiler]
# Generated by iptables-save v1.4.21 on Tue Feb 28 12:49:44 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [195:20556]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
COMMIT
# Completed on Tue Feb 28 12:49:44 2017
[/spoiler]

Many thanks,
Sam.
 
Old 03-01-2017, 06:18 AM   #2
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217
Forbidden suggests apache itself is refusing to serve the file and nothing to do with the firewall. I'd check that apache has permissions to read the file and that there aren't any deny/accept directives that maybe interferring
 
Old 03-02-2017, 04:27 AM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,058

Rep: Reputation: 78
I agree with r3sistance. It seems an explicit error given by apache itself. If apache was able to give that error, then it means you've already reached it. In another train of thoughts, if you're using https, then you'll also need to give access to port 443, following the example of the rule that grants ftp access (ctstate NEW, etc.)

Do you actually need any policies in the FORWARD chain? If this doesn't act as a router/vpn server or whatever, then I'd set the forward policy to DROP.

What is the exact error message that you receive?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] IPTables Question monkinsane Linux - Newbie 4 11-05-2013 03:54 AM
iptables question sang_froid Linux - Security 3 10-06-2009 03:49 PM
iptables question vijeesh Linux - Newbie 2 08-06-2006 04:20 AM
iptables question Ipolit Slackware 2 06-01-2005 04:27 PM
IPtables question caps_phisto Linux - Security 3 12-26-2004 05:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 02:54 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration