LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-25-2005, 08:36 AM   #1
doblocruiser
iptables & webserver problem


Hello Everybody,

I'm quite new to Linux and I have a small problem.
I'm using Fedora Core 3, which is running a webserver and iptables.
When I use the default iptables script that comes with the distro there is no problem connecting to the webserver on the internal network. However, when I make my own script it just refuses to connect to the webserver.

Here is my script
--------------------------------------------------------------------------------------------------
*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
-----------------------------------------------------------------------------------------------------
I thought the above script was enough to connect to my webserver on the internal network!
webserver & iptables are running on 192.168.1.10
pc which is trying to connect running on 192.168.1.15

I do not know what I'm missing! Help is appreciated.

Best Regards,
doblocruiser
 
Old 01-25-2005, 10:17 AM   #2
Hangdog42
Quote:
-P OUTPUT DROP
Without any modifying rules, this is killing everything heading out of your box. You might add a rule like this:

iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 01-25-2005, 10:22 AM   #3
doblocruiser

*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

Added the rule, unfortunately no success!


Last edited by doblocruiser; 01-25-2005 at 10:27 AM.
 
Old 01-25-2005, 11:01 AM   #4
TheIrish
Maybe I misread...
Is the webserver the gateway itself, or is it IN the internal network?
 
Old 01-25-2005, 11:21 AM   #5
Hangdog42
Hmm. Maybe you need NEW on the output chain as well:

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Also, are you sure the changes you have entered are taking? Does the output of iptables -L show what you've done?
 
Old 01-25-2005, 11:35 AM   #6
doblocruiser
*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i eth0 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED --sport 80 -j ACCEPT
COMMIT


Still no success! Is it possible that FC3 loads something in the background when starting iptables? When I run iptables -L it shows everything correctly.
Here is also the original script of FC3 that is working properly. I was also thinking, can SELinux have something to do with it?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Best regards,
doblocruiser
 
Old 01-25-2005, 11:43 AM   #7
TheIrish
Quote:
When I use the default iptables script that comes with the distro there is no problem connecting to the webserver on the internal network
So I ask again... is your webserver the gateway, or is the webserver inside a LAN and the script you're trying to make is for a gateway?
 
Old 01-25-2005, 12:34 PM   #8
doblocruiser
The script and webserver are running on the same machine. I'm just trying to connect to the web and script server from another machine.

192.168.1.10 - Apache and iptables running
192.168.1.15 - Firefox trying to open website on 192.168.1.10

Is this what you mean?

Best regards,
doblocruiser
 
Old 01-25-2005, 12:57 PM   #9
Hangdog42
OK, I just noticed you're not allowing loopback on your server. While I don't know if that is the problem, not allowing it can cause some strange symptoms. Try adding this to your firewall:

iptables -A INPUT -i lo -j ACCEPT
 
Old 01-25-2005, 03:24 PM   #10
doblocruiser
Thanks! I'll try this tomorrow!
 
Old 01-25-2005, 04:45 PM   #11
TheIrish
Wait a minute, there's something strange in the stateful statement.
You wrote
Code:
-A INPUT -i eth0 -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
BUT, I really have never seen the option -m tcp used, nor have I seen it in any iptables guide.
I would suggest you remove it and see what happens.
 
Old 01-28-2005, 09:11 AM   #12
doblocruiser
I edited my script as suggested.

*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Unfortunately no success. It just fails to connect. "Operation Timed out" is the message I receive in the browser, both on the external machine and on the machine where iptables and the webserver are running.

Anyone got another clue?

Best regards,
doblocruiser

Problem Solved:
*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT"
-A OUTPUT -j LOG --log-prefix "OUTPUT"
-A FORWARD -j LOG --log-prefix "FORWARD"
COMMIT


Thanks for the help!

Last edited by doblocruiser; 01-28-2005 at 09:53 AM.
 
Old 01-28-2005, 12:23 PM   #13
Hangdog42
I may be wrong about what I'm going to say, but I don't think so....


To be honest, you don't need any of the --sport rules on your INPUT chain because you don't know in advance what port a request is coming from. I don't think that a browser is necessarily sending requests from ports 80 or 443, but rather it is sending requests to those ports because that is where a server is listening. Similarly, you don't need to mix allowing specific ports and NEW,ESTABLISHED,RELATED stateful matching. If you use 1 or 2 of the states, then what you have done is fine, but using all three is pretty much the same as ACCEPT. Here is how I would re-write your firewall:

*filter
-F
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT"
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT"
-A FORWARD -j LOG --log-prefix "FORWARD"
COMMIT
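To make the diagnosis in this thread concrete, here is a small added model (not code from the thread or from iptables) that walks an inbound HTTP connection through the thread's own rule sets: the client's SYN to port 80 on the INPUT chain, then the server's SYN-ACK on the OUTPUT chain. It parses only the option subset the posted scripts use and shows why post #1 dies on OUTPUT DROP, why post #12's --sport 80 rule on INPUT never matches a client request, and why the "Problem Solved" set passes both packets. The ephemeral client port 40000 is a constructed value.

```python
import shlex

# Rule sets constructed from the thread (post #1, post #12, "Problem Solved"); 443/53 rules omitted.
POLICY = "-P INPUT DROP\n-P OUTPUT DROP\n"
POST1 = POLICY + "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
POST12 = POLICY + """-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"""
SOLVED = POLICY + """-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT"""

def parse(script):
    """Return (chain policies, rules) for the option subset used in the thread."""
    policies, rules = {}, []
    for line in script.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-A"]:
            rule, i = {"chain": tok[1]}, 2
            while i < len(tok):
                if tok[i] == "--state":
                    rule["state"] = set(tok[i + 1].split(","))
                elif tok[i] != "-m":          # -m only loads a match extension
                    rule[tok[i]] = tok[i + 1]  # -i, -o, -p, --sport, --dport, -j
                i += 2
            rules.append(rule)
    return policies, rules

def verdict(policies, rules, chain, pkt):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for r in (r for r in rules if r["chain"] == chain):
        if any(r.get(k, pkt[k]) != pkt[k] for k in ("-i", "-o", "-p", "--sport", "--dport")):
            continue                          # an absent option matches anything
        if "state" in r and pkt["state"] not in r["state"]:
            continue
        if r["-j"] != "LOG":                  # LOG is non-terminating
            return r["-j"]
    return policies.get(chain, "ACCEPT")

def http_handshake(script):
    """Verdicts for a client SYN to port 80 (INPUT) and the server's SYN-ACK (OUTPUT)."""
    policies, rules = parse(script)
    syn = {"-i": "eth0", "-o": None, "-p": "tcp", "--sport": "40000", "--dport": "80", "state": "NEW"}
    synack = {"-i": None, "-o": "eth0", "-p": "tcp", "--sport": "80", "--dport": "40000", "state": "ESTABLISHED"}
    return verdict(policies, rules, "INPUT", syn), verdict(policies, rules, "OUTPUT", synack)
```

Calling http_handshake on POST1, POST12 and SOLVED gives ("ACCEPT", "DROP"), ("DROP", "DROP") and ("ACCEPT", "ACCEPT") respectively, which is exactly the progression of the thread.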