Re: Apache and iptables
Try to use this:
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
I think the problem is you are not telling iptables how to go out.
In Spanish: You have not specified what has to be done with the return
packets or which way they have to go.
Regards,
Fleky
2005/6/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
> On 2005-06-01 JM wrote:
> > This is a configuration that is not working with apache after some
> > upgrades to the system. If turning off iptables, apache is allowed. The
> > syntax appears OK. Amule with id is also not working.
> > Here is the configuration:
> > ############################################
> > iptables -F
> > iptables -t nat -F
> >
> > iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> > iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
> >
> >
> > #X
> > iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
> > iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
> >
> > #ICMP
> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
> > iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>
> Because of the third ICMP rule, the second one is pointless.
>
> > #lo mio OK
> > iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
> well. That's most likely the source of your problem.
>
> > #todo desde fuera KO
> > iptables -A INPUT -m state --state NEW,INVALID -j DROP
> >
> > #apache
> > iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
>
> Is eth0 your "external" interface?
>
> > #amule
> > iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> > iptables -A INPUT -p udp --dport 4665 -j ACCEPT
> > iptables -A INPUT -p udp --dport 4672 -j ACCEPT
> >
> > iptables -P INPUT DROP
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
>
> The default policies should be set at the *beginning* of your script
> (before flushing the chains), not at the end.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>
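A complete, ordered ruleset of the kind the replies above call for, added here as an example and not anything posted in the thread: default policies set before the flush, ESTABLISHED,RELATED accepted in both INPUT and OUTPUT, and the service accepts placed before any catch-all drop. It assumes eth0 is the external interface and 192.168.1.0/24 the trusted LAN, and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example ruleset for a single-homed web host (not the list poster's config).
# Assumes eth0 is the external interface. Prints commands unless DRY_RUN=0 (needs root).
DRY_RUN=${DRY_RUN:-1}
EXT=${EXT:-eth0}
LAN=${LAN:-192.168.1.0/24}

ipt() {
    # Print each command in dry-run mode so the ruleset can be reviewed before applying.
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # 1. Default policies first: the host stays closed while the chains are rebuilt.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # 2. Flush only after the policies are set (-F clears rules, not policies).
    ipt -F
    ipt -t nat -F

    # 3. Loopback: match the interface, not a spoofable source address.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 4. Stateful core: replies must be accepted in BOTH directions.
    ipt -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Drop INVALID only; NEW connections are decided by the rules below and the policy.
    ipt -A INPUT -i "$EXT" -m state --state INVALID -j DROP

    # 6. Services offered to the outside: HTTP, new connections only.
    ipt -A INPUT -i "$EXT" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 7. Trusted LAN and rate-limited echo requests (ping).
    ipt -A INPUT -i "$EXT" -s "$LAN" -j ACCEPT
    ipt -A INPUT -i "$EXT" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # 8. Connections the host itself originates (DNS, updates, ...).
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -j ACCEPT
}

firewall_rules
```

Run it once in dry-run mode and read the order of the printed commands before applying with DRY_RUN=0.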