-
March 8th, 2002, 10:22 AM
#1
Member
Bastille-Linux and iptables blocking httpd?
I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.
/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN"
So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:
service bastille-firewall stop
service iptables stop
After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:
/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT
This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
-
March 8th, 2002, 10:33 AM
#2
Hum, yes that IPTABLES command looks kinda familiar
I did manage to get fwbuilder working (it's a drag cos you've got to install lots of dependencies & development versions) (even after all the dependencies it still took an hour to make on a very old & dusty machine).
I only spent an hour tinkering with it after installing but it does seem to be pretty funky.
FWBuilder can be found here
I'd recommend this as an option for those who are using IPTABLES and want more control over their firewall set-up (it's not for the lighthearted and you really need to have a fairly reasonable understanding of firewalls to set it up)
Good Luck m8,
J.
-
March 8th, 2002, 02:07 PM
#3
Re: Bastille-Linux and iptables blocking httpd?
Originally posted here by AnthonyGayden
I have run into a problem while configuring my Apache webserver on Linux. I cannot seem to get my webserver past my firewall. With the help of those on irc.antionline.com, I created these rules for iptables, but they did not work.
/sbin/iptables -A INPUT -p tcp -i ppp0 --dport 80 -j ACCEPT # for www
/sbin/iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 80 -j LOG --log-prefix "IPTABLES www IN"
Okay, you're ACCEPTing all port 80 hits coming in over ppp0 (are you on cable/dsl or dialup?), and logging what looks to be everything in your internal network.
It looks like it's not working because there's no actual reject clause there. Iptables will continue processing after a log statement, so you'll need a line that reads:
/sbin/iptables -A INPUT -i eth0 -p TCP --dport 80 -j REJECT
Without seeing your firewall rules themselves, I can't be of much more help. If you could post them or maybe email them to me and I can help you privately (my email address is chsh1ca@yahoo.ca). I'll see what I can do once I have a better feel for your f/w rules.
So just curious if my webserver would work at all, I decided to turn off bastille-linux and iptables using:
service bastille-firewall stop
service iptables stop
After this, many of my ports were opened up; however, port 80 wasn't one of them and remained stealth according to the port scan at grc.com. Not wanting to be vulnerable for too long, I turned all of my firewalls back on and scanned again. All of my ports remained stealth except port 443. While trying to protect that port I added a rule to iptables that looks like this:
/sbin/iptables -A INPUT -s 0/0 -d 0/0 -p UDP --dport 443 -j REJECT
You should have an identical rule for TCP. You need two lines that look like:
/sbin/iptables -A INPUT -p UDP --dport 443 -j REJECT
/sbin/iptables -A INPUT -p TCP --dport 443 -j REJECT
TCP actually initiates the connection, whereas UDP is simply used for data transfer (in some instances).
The -s 0/0 and -d 0/0 are superfluous in this instance, because if you just specify anything coming down the input chain, it doesn't consider the ip address unless you actually specify one.
This did not work, however. I was able to get the response that this port was closed by turning off Apache, but this would be counterproductive. Am I missing something here? I'm not embarrassed to be made a fool of as long as I find an answer. What is blocking port 80? Why can't I protect port 443? All help is appreciated.
Like I said, if you can communicate with me directly, I'll try and get you the answer you need. Without seeing how you've got your rules written, I can't really say what the problem is, I can only guess. Other rules could be conflicting with it.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
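The two points in reply #3 (a LOG target does not end chain evaluation, so a REJECT must follow it; and a REJECT for UDP only leaves TCP, which is what actually opens the connection, to the chain policy) can be seen in a toy first-match evaluator. This is an added example, not code from the thread or from iptables itself; it models only interface, protocol and destination-port matching and the ACCEPT/REJECT/DROP/LOG targets the posts use, and the interface names, ports and packets are constructed. Real iptables evaluation also involves connection state, source addresses and whatever chains Bastille installs ahead of these rules, which the thread itself notes could conflict.

```python
"""Toy first-match evaluator for an iptables INPUT chain (added example).

ACCEPT, REJECT and DROP terminate evaluation; LOG does not, so iptables
keeps walking the chain after a LOG rule. Anything that matches no
terminating rule gets the chain policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None   # -i; None matches any interface
    proto: Optional[str] = None   # -p; None matches any protocol
    dport: Optional[int] = None   # --dport; None matches any port


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every specified selector agrees with the packet."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto.lower() == pkt.proto.lower())
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, bool]:
    """Return (verdict, logged). verdict is the first terminating target that
    matches, or the chain policy if none does; logged is True if a LOG rule
    fired along the way."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue            # non-terminating: keep walking the chain
        if rule.target in TERMINATING:
            return rule.target, logged
        raise ValueError(f"unsupported target {rule.target}")
    return policy, logged


def verdict(chain: List[Rule], iface: str, proto: str, dport: int,
            policy: str = "ACCEPT") -> str:
    return evaluate(chain, Packet(iface, proto, dport), policy)[0]


# The poster's original two rules: ACCEPT on ppp0, LOG on eth0, nothing else.
ORIGINAL_WWW = [
    Rule("ACCEPT", iface="ppp0", proto="tcp", dport=80),
    Rule("LOG", iface="eth0", proto="tcp", dport=80),
]
# Reply #3's fix: a REJECT after the LOG so eth0 traffic does not fall through.
FIXED_WWW = ORIGINAL_WWW + [Rule("REJECT", iface="eth0", proto="tcp", dport=80)]

# Port 443: the UDP-only REJECT from the question versus REJECT for both protocols.
UDP_ONLY_443 = [Rule("REJECT", proto="udp", dport=443)]
BOTH_443 = UDP_ONLY_443 + [Rule("REJECT", proto="tcp", dport=443)]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_WWW), ("fixed", FIXED_WWW)):
        print(f"{name:9} eth0 tcp/80 ->", evaluate(chain, Packet("eth0", "tcp", 80)))
    for name, chain in (("udp only", UDP_ONLY_443), ("tcp+udp", BOTH_443)):
        print(f"{name:9} ppp0 tcp/443 ->", verdict(chain, "ppp0", "tcp", 443))
```

With the original rules, a TCP/80 packet on eth0 is logged and then handed to the chain policy, so whether it is reachable depends entirely on that policy rather than on anything the poster wrote; with the REJECT appended it is logged and rejected. Likewise the UDP-only rule never sees the TCP SYN that opens an HTTPS connection.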
-
March 11th, 2002, 10:26 AM
#4
Junior Member
HTTP is well known to be bound to port 80, but what if you just compiled an Apache on your own, and the default httpd.conf is directing Apache to bind to port 8080? (This is the default directive if you compiled your own Apache server.) You should check your httpd.conf.
Usually the directive is:
Port 8080
and you should change it to:
Port 80
or you can see the output of the current daemons allocating certain ports by executing (as root):
# netstat -atp
Hope this helps.
-
March 11th, 2002, 12:24 PM
#5
I know that Anthony was seeing a response from his webserver from loopback, so that's not going to be the answer for this problem.
Perhaps it's a Bastille oddity.
J.
Manually editing your config files can break them. If this happens, you get to keep both pieces.
-
March 16th, 2002, 03:43 AM
#6
This is what I did: I flushed all the firewall rules I created and restarted iptables, bastille-firewall, and Apache. I then set rules for port 443 to allow access through there, and the site seems to work. It is, however, slow, as I only use a 56k modem. http://skriptkittysecurity.cjb.net
Wine maketh merry: but money answereth all things.
--Ecclesiastes 10:19