
Thread: Bastille-Linux and iptables blocking httpd?

  1. #1

    Bastille-Linux and iptables blocking httpd?

    I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.

    /sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
    /sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN"

    So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:

    service bastille-firewall stop
    service iptables stop

    After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:

    /sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT

    This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
    Jealousy consumes the weak.
    http://www.badconnections.net

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    429
    Hum, yes that IPTABLES command looks kinda familiar

    I did manage to get fwbuilder working (it's a drag cos you've got to install lots of dependencies & development versions) (even after all the dependencies it still took an hour to make on a very old & dusty machine).

    I only spent an hour tinkering with it after installing but it does seem to be pretty funky.

    FWBuilder can be found here
    I'd recommend this as an option for those who are using IPTABLES and want more control over their firewall set-up (it's not for the lighthearted and you really need to have a fairly reasonable understanding of firewalls to set it up)

    Good Luck m8,

    J.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Bastille-Linux and iptables blocking httpd?

    Originally posted here by AnthonyGayden
    I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.

    /sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
    /sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN"
    Okay, you're ACCEPTing all port 80 hits coming in over ppp0 (are you on cable/dsl or dialup?), and logging what looks to be everything in your internal network.
    It looks like it's not working because there's no actual reject clause there. Iptables will continue processing after a log statement, so you'll need a line that reads:
    /sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j REJECT

    Without seeing your firewall rules themselves, I can't be of much more help. If you could post them or maybe email them to me and I can help you privately (my email address is chsh1ca@yahoo.ca). I'll see what I can do once I have a better feel for your f/w rules.

    So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:

    service bastille-firewall stop
    service iptables stop

    After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:

    /sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT
    You should have an identical rule for TCP. You need two lines that look like:
    /sbin/iptables -A INPUT -p UDP --dport 443 -j REJECT
    /sbin/iptables -A INPUT -p TCP --dport 443 -j REJECT

    TCP actually initiates the connection, whereas UDP is simply used for data transfer (in some instances).

    The -s 0/0 and -d 0/0 are superfluous in this instance, because if you just specify anything coming down the input chain, it doesn't consider the ip address unless you actually specify one.

    This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
    Like I said, if you can communicate with me directly, I'll try and get you the answer you need. Without seeing how you've got your rules written, I can't really say what the problem is, I can only guess. Other rules could be conflicting with it.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
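The two points in the reply above (a LOG target never decides a packet's fate, so the next matching rule or the chain policy does; and a rule written for UDP says nothing about TCP on the same port) can be checked without touching a live kernel. The following is an added illustration, not code from the thread or from netfilter: a toy model of first-match traversal of the INPUT chain. The chain policies used (DROP for the port 80 case, ACCEPT for the port 443 case, since grc.com could see 443) are assumptions about the poster's Bastille setup, which the thread does not show.

```python
"""Toy model of iptables INPUT-chain traversal (added illustration; the
chain policies below are assumed, not taken from the poster's rule set)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    in_iface: str    # "ppp0", "eth0", "lo", ...
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None      # -p   (None = any protocol)
    in_iface: Optional[str] = None   # -i   (None = any interface)
    dport: Optional[int] = None      # --dport
    log_prefix: str = ""             # --log-prefix, used by LOG only

    def matches(self, pkt: Packet) -> bool:
        # An unspecified criterion matches anything, which is why the
        # reply calls "-s 0/0 -d 0/0" superfluous: omitting -s/-d is the same.
        return ((self.proto is None or self.proto == pkt.proto.lower())
                and (self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Chain:
    policy: str                                   # verdict when no rule decides
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)  # what LOG would send to syslog

    def append(self, rule: Rule) -> "Chain":      # iptables -A INPUT ...
        self.rules.append(rule)
        return self

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                   # first match wins...
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":              # ...except LOG, which is
                self.log.append(f"{rule.log_prefix} {pkt.proto}/{pkt.in_iface}:{pkt.dport}")
                continue                          # non-terminating: keep walking
            return rule.target
        return self.policy                        # fell off the end of the chain


def port80_chain(with_reject: bool = False) -> Chain:
    """The poster's two port-80 rules; DROP policy is assumed (Bastille-style)."""
    chain = (Chain("DROP")
             .append(Rule("ACCEPT", proto="tcp", in_iface="ppp0", dport=80))
             .append(Rule("LOG", proto="tcp", in_iface="eth0", dport=80,
                          log_prefix="IPTABLES www IN")))
    if with_reject:   # the line the reply says is missing after the LOG rule
        chain.append(Rule("REJECT", proto="tcp", in_iface="eth0", dport=80))
    return chain


def port443_chain(with_tcp: bool = False) -> Chain:
    """The poster's UDP-only REJECT; ACCEPT policy is assumed since 443 was reachable."""
    chain = Chain("ACCEPT").append(Rule("REJECT", proto="udp", dport=443))
    if with_tcp:      # the matching TCP rule the reply asks for
        chain.append(Rule("REJECT", proto="tcp", dport=443))
    return chain


if __name__ == "__main__":
    c = port80_chain()
    print("ppp0 tcp/80:", c.verdict(Packet("tcp", "ppp0", 80)))   # ACCEPT
    print("eth0 tcp/80:", c.verdict(Packet("tcp", "eth0", 80)))   # logged, then policy DROP
    print("log:", c.log)
    print("eth0 tcp/80 with REJECT after LOG:",
          port80_chain(True).verdict(Packet("tcp", "eth0", 80)))  # REJECT
    print("tcp/443, UDP rule only:", port443_chain().verdict(Packet("tcp", "443" and "eth0", 443)))
    print("tcp/443, UDP+TCP rules:", port443_chain(True).verdict(Packet("tcp", "eth0", 443)))
```

On a real box the equivalent check is to read the chain in order with `iptables -L INPUT -n -v --line-numbers` and confirm that every LOG rule you rely on is followed by a rule (or policy) that actually decides the packet, and that a port you mean to close has a rule for the protocol the scanner is speaking, which for a web server is TCP.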

  4. #4
    Junior Member
    Join Date
    Feb 2002
    Posts
    2

    Question

    http is well known to be binding port 80, but what if you just compiled an Apache on your own, and the default httpd.conf is directing Apache to bind to port 8080? (This is the default directive if you compiled your own Apache server.) You should check your httpd.conf.

    Usually the directive is:

    Port 8080

    and you should change it to:

    Port 80

    or you can see the output of the current daemons that are allocating certain ports by executing (as root):

    # netstat -atp

    Hope this helps.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    429
    I know that Anthony was seeing a response from his webserver from loopback, so that's not going to be the answer for this problem.
    Perhaps it's a Bastille oddity.

    J.
    Manually editing your config files can break them. If this happens, you get to keep both pieces.

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    689
    This is what I did: I flushed all the firewall rules I created and restarted iptables, bastille-firewall, and Apache. I then set rules for port 443 to allow access through there and the site seems to work. It is, however, slow, as I only use a 56k modem. http://skriptkittysecurity.cjb.net
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19
