Bastille-Linux and iptables blocking httpd?

I have run into a problem while configuring my apache webserver on linux.. I can not seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.

/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80
-j LOG --log-prefix "IPTABLES www IN"

So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:

service bastille-firewall stop
service iptables stop

After this, many of my ports were opened up however port 80 wasnt one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:

/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443
-j REJECT

This did not work however. I was able to get the response that this port was closed by turning off apache, but this would be counterproductive. Am I missing something here. Im not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why cant I protect port 443? All help is appreciated.

Hum, yes that IPTABLES command looks kinda familiar ;)

I did manage to get fwbuilder working (it's a drag cos you've got to install lots of dependancies & development versions)(even after all the dependancies it still took an hour to make on a very old & dusty machine)

I only spent an hour tinkering with it after installing but it does seem to be pretty funky.

FWBuilder can be found here
I'd recommend this as an option for those who are using IPTABLES and want more control over their firewall set-up (it's not for the lighthearted and you really need to have a fairly reasonable understanding of firewalls to set it up)

;)

Good Luck m8,


J.

Quote:

---

Originally posted here by AnthonyGayden
I have run into a problem while configuring my apache webserver on linux.. I can not seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.

/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80
-j LOG --log-prefix "IPTABLES www IN"

---

Okay, you're ACCEPTing all port 80 hits coming in over ppp0 (are you on cable/dsl or dialup?), and logging what looks to be everything in your internal network.
It looks like it's not working because there's no actual reject clause there. Iptables will continue processing after a log statement, so you'll need a line that reads:
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j REJECT

Without seeing your firewall rules themselves, I can't be of much more help. If you could post them or maybe email them to me and I can help you privately (my email address is chsh1ca@yahoo.ca). I'll see what I can do once I have a better feel for your f/w rules.

Quote:

---

So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:

service bastille-firewall stop
service iptables stop

After this, many of my ports were opened up however port 80 wasnt one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:

/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT

---

You should have an identical rule for TCP. You need two lines that look like:
/sbin/iptables -A INPUT -p UDP --dport 443 -j REJECT
/sbin/iptables -A INPUT -p TCP --dport 443 -j REJECT

TCP actually initiates the connection, whereas UDP is simply used for data transfer(in some instances).

The -s 0/0 and -d 0/0 are superfluous in this instance, because if you just specify anything coming down the input chain, it doesn't consider the ip address unless you actually specify one.

Quote:

---

This did not work however. I was able to get the response that this port was closed by turning off apache, but this would be counterproductive. Am I missing something here. Im not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why cant I protect port 443? All help is appreciated.

---

Like I said, if you can communicate with me directly, I'll try and get you the answer you need. Without seeing how you've got your rules written, I can't really say what the problem is, I can only guess. Other rules could be conflicting with it.

http is well know to be binding port 80, but what if you just compiled a apache on your own, and the default httpd.conf is directing apache to bind to port 8080? (this is the default directive if you compiled your own apache server). You should check your httpd.conf.

Usually the directive is:

Port 8080

and you should change it to:

Port 80

or you can see the output of the current daemon that allocating certain ports by executing (as root):

#netstat -atp

Hope this is help.

I know that ANthony was seeing a response from his webserver from loopback so thats not going to be the answer for this problem.
Perhaps it's a Bastille oddity.

J.

This is what I did, I flushed all the firewall rules I created and restarted iptables, bastille-firewall, and apache. I then set rules for port 443 to allow access through there and the site seems to work. it is however slow as I only use a 56k modem. http://skriptkittysecurity.cjb.net