Re: iptables and nmap
Hi Joan,
On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
This is very old. For security and better features, you'd be best to upgrade
to a more recent version of Debian, with a more recent kernel.
> - iptables with many rules
Without understanding those rules, you're unlikely to get it working.
IPTables is pretty simple when you take time to understand it -- it's
literally just a list of tests, and things to do if that test has a positive
result. Well, lists (tables) can have other lists/tables, but that's not
really any more complex.
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
This suggests that the server isn't yet up and running. Sometimes, installing
things on debian means they will just work. Other times, you have to
configure the thing and enable it. I've never really bothered with tomcat,
but given that it's java-based, and fairly heavyweight, I'd expect you have
to do some configuration before it'll run. Try
reading /usr/share/doc/tomcat*/README.Debian. Also, make sure that the
server is actually running on port 8080, and that it's listening on the
correct IPs/interfaces.
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
> "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
Appending rules to "many iptables rules" isn't likely to work, if your rules
end with something that denies all unknown traffic. You really should try to
understand your firewall before adding anything to it. Having said that,
I've been guilty of not taking enough time for things like that, too :)
> "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
As someone else mentioned, this should probably be -j ACCEPT
> Results:
> - The server is still unreachable.
Are you actually seeing an error that says "unreachable"? That suggests a
routing problem, or a prohibitive firewall rule before the one you added.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.
Your firewall script is broken. Again, as others suggested, I'd say start
from scratch -- either with IPTables (if you have the time to understand it)
or with a simpler/higher-level interface, like firehol, or shorewall.
Remember not to test firewall rules for external interfaces through
localhost -- use, at least, the ip of the interface in question. Ideally,
test from the machine you actually need access to be provided for.
Good luck :)
--
Lee Braiden
http://peacejournals.org
"Those who check rising anger as a charioteer checks a rolling
chariot... those, I call true charioteers. Others only hold the
reins." -- Dhammapada, verse 222
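A static check of the kind of firewall-start script discussed above, added here as an example; it is not part of the original thread, of the poster's script, or of any Debian package. It reads `iptables ...` command lines (the sample below is constructed to mirror the quoted rules, with a catch-all DROP placed before the 8080 rule; the `trusted` chain and the port 22 line are invented to show a jump to a chain the script never creates) and reports three things: rules that can never fire because an earlier terminal rule in the same chain already consumes everything they would match, jumps to undefined chains, and which rules a packet arriving on a given interface could even reach, which is why testing an `-i eth1` rule through localhost (interface `lo`) proves nothing. It only parses text and never touches a live firewall; negated matches (`!`) are not understood.

```python
"""Static linter for a hand-written iptables script (added example, not from
the thread).  Pure text analysis: nothing is applied to a live firewall."""

import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}           # targets that end evaluation
KNOWN_TARGETS = TERMINAL | {"RETURN", "LOG"}      # built-in targets, not chains
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}   # filter-table built-ins
ANY_SOURCE = {"0/0", "0.0.0.0/0", "anywhere"}     # "-s 0/0" constrains nothing

# Constructed sample modelled on the quoted firewall-start rules.  The 8080
# rule is appended after a catch-all DROP, and "trusted" is never created.
SAMPLE_SCRIPT = """
iptables -P INPUT DROP
iptables -N tcp_packets
iptables -N allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -j tcp_packets
iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p tcp -j DROP
iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
iptables -A tcp_packets -p TCP -i eth1 --dport 22 -j trusted
iptables -A allowed -p tcp --syn -j ACCEPT
iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p tcp -j DROP
"""


def parse_script(text):
    """Return (chains, rules): chains the script defines and a list of
    {chain, target, match, raw} dicts in script order.  `match` maps each
    match option (-i, -p, --dport, ...) to its value."""
    chains = set(BUILTIN_CHAINS)
    rules = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        argv = shlex.split(raw)
        if argv and argv[0] == "iptables":
            argv = argv[1:]
        if not argv:
            continue
        if argv[0] == "-N":                 # user chain creation
            chains.add(argv[1])
            continue
        if argv[0] != "-A":                 # -P, -F, -X ... carry no match
            continue
        chain, target, match = argv[1], None, {}
        i = 2
        while i < len(argv):
            opt = argv[i]
            has_val = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            val = argv[i + 1] if has_val else ""   # "" marks a bare flag (--syn)
            i += 2 if has_val else 1
            if opt == "-j":
                target = val
            elif opt == "-m" or (opt == "-s" and val in ANY_SOURCE):
                continue                    # module load / "from anywhere"
            elif opt == "-p":
                match[opt] = val.lower()    # "TCP" and "tcp" are the same
            else:
                match[opt] = val
        rules.append({"chain": chain, "target": target, "match": match, "raw": raw})
    return chains, rules


def shadows(earlier, later):
    """True if `earlier` ends evaluation and every constraint it has is also
    present, with the same value, in `later`: then no packet reaching
    `later` is left."""
    if earlier["target"] not in TERMINAL:
        return False
    return all(later["match"].get(k) == v for k, v in earlier["match"].items())


def shadowed_rules(rules):
    """(dead rule, rule that shadows it) pairs, per chain, in script order."""
    found = []
    for idx, rule in enumerate(rules):
        for prev in rules[:idx]:
            if prev["chain"] == rule["chain"] and shadows(prev, rule):
                found.append((rule["raw"], prev["raw"]))
                break
    return found


def undefined_jumps(chains, rules):
    """Rules whose -j names neither a built-in target nor a created chain."""
    return [r["raw"] for r in rules
            if r["target"] and r["target"] not in KNOWN_TARGETS
            and r["target"] not in chains]


def rules_seen_by(rules, chain, iface):
    """Rules in `chain` that can be considered for a packet arriving on
    `iface`.  A connection to localhost arrives on lo, never on eth0/eth1."""
    return [r["raw"] for r in rules
            if r["chain"] == chain and r["match"].get("-i", iface) == iface]


if __name__ == "__main__":
    chains, rules = parse_script(SAMPLE_SCRIPT)
    for dead, by in shadowed_rules(rules):
        print(f"never matches: {dead}\n   shadowed by: {by}")
    for raw in undefined_jumps(chains, rules):
        print(f"jumps to undefined chain: {raw}")
    print("rules in tcp_packets reachable from a localhost (lo) test:")
    for raw in rules_seen_by(rules, "tcp_packets", "lo"):
        print("  ", raw)
```

Run against the sample, it reports the 8080 and port 22 rules as dead (the `-p tcp -j DROP` before them already takes every TCP packet), flags the jump to `trusted`, and shows that from `lo` the only tcp_packets rule in play is that DROP; the `-i lo -j ACCEPT` rule in INPUT accepts a localhost test before tcp_packets is consulted at all, which is why commenting out the port 80 line changes nothing for `nmap localhost`. Moving the 8080 rule above the catch-all (or ending the chain with the catch-all after all specific rules) makes the dead-rule report empty.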