Bastille-Linux and iptables blocking httpd?
I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.
/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN" # log www hits on eth0
So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:
service bastille-firewall stop
service iptables stop
After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:
/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT
This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
Re: Bastille-Linux and iptables blocking httpd?
Quote:
Originally posted here by AnthonyGayden
I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.
/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN" # log www hits on eth0
Okay, you're ACCEPTing all port 80 hits coming in over ppp0 (are you on cable/dsl or dialup?), and logging what looks to be everything in your internal network.
It looks like it's not working because there's no actual reject clause there. Iptables will continue processing after a log statement, so you'll need a line that reads:
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j REJECT
Without seeing your firewall rules themselves, I can't be of much more help. If you could post them, or maybe email them to me, I can help you privately (my email address is chsh1ca@yahoo.ca). I'll see what I can do once I have a better feel for your f/w rules.
Quote:
So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:
service bastille-firewall stop
service iptables stop
After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:
/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT
You should have an identical rule for TCP. You need two lines that look like:
/sbin/iptables -A INPUT -p UDP --dport 443 -j REJECT
/sbin/iptables -A INPUT -p TCP --dport 443 -j REJECT
TCP actually initiates the connection, whereas UDP is simply used for data transfer (in some instances).
The -s 0/0 and -d 0/0 are superfluous in this instance, because if you just specify anything coming down the INPUT chain, it doesn't consider the IP address unless you actually specify one.
Quote:
This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
Like I said, if you can communicate with me directly, I'll try and get you the answer you need. Without seeing how you've got your rules written, I can't really say what the problem is, I can only guess. Other rules could be conflicting with it.
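As an added example (not code from either poster), a small Python model of how iptables walks the INPUT chain, with the rules from this thread fed through it: it shows that a matching LOG rule does not stop processing, so the packet falls through, and that a UDP-only REJECT on 443 leaves TCP 443 untouched until the TCP rule is added. The chain's default policy is assumed to be ACCEPT, since the thread never shows Bastille's actual policy.

```python
# Added example: simplified model of iptables INPUT-chain traversal.
# Assumption: chain policy is ACCEPT (the thread never shows the real one).
# Only -p / -i / --dport matches are modelled; that is all these rules use.
from dataclasses import dataclass
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is deliberately absent

@dataclass
class Rule:
    target: str
    proto: Optional[str] = None    # -p: None means "any protocol"
    iface: Optional[str] = None    # -i: None means "any interface"
    dport: Optional[int] = None    # --dport: None means "any port"
    log_prefix: str = ""           # only meaningful for target == "LOG"

@dataclass
class Packet:
    proto: str
    iface: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every match it specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto.lower() == pkt.proto.lower())
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.dport is None or rule.dport == pkt.dport))

def traverse(chain, pkt: Packet, policy: str = "ACCEPT"):
    """Walk the chain in order; return (verdict, list of log prefixes emitted)."""
    logged = []
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)   # log, then keep going
            continue
        if rule.target in TERMINATING:
            return rule.target, logged       # first terminating match wins
    return policy, logged                    # fell off the end: chain policy

# The poster's port-80 rules as written, then with the reply's REJECT appended.
WWW_ORIGINAL = [Rule("ACCEPT", "tcp", "ppp0", 80),
                Rule("LOG", "tcp", "eth0", 80, "IPTABLES www IN")]
WWW_FIXED = WWW_ORIGINAL + [Rule("REJECT", "tcp", "eth0", 80)]

# Port 443: the UDP-only REJECT, then the UDP+TCP pair the reply suggests.
P443_UDP_ONLY = [Rule("REJECT", "udp", None, 443)]
P443_BOTH = P443_UDP_ONLY + [Rule("REJECT", "tcp", None, 443)]
```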