
Re: Apache and iptables



Try to use this:

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I think the problem is you are not telling iptables how to go out.

In Spanish: You have not specified what has to be done or which way the
returning packets have to go.

Regards, 
 Fleky


2005/6/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
> On 2005-06-01 JM wrote:
> > This is a configuration that is not working with apache after some
> > upgrades to the system.  If turning off iptables, apache is allowed. The
> > syntax appears OK.  Amule with id also not working.
> > Here is the configuration:
> > ############################################
> > iptables -F
> > iptables -t nat -F
> >
> > iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> > iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
> >
> >
> > #X
> > iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
> > iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
> >
> > #ICMP
> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
> > iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
> 
> Because of the third ICMP rule, the second one is pointless.
> 
> > #my own stuff OK
> > iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
> well. That's most likely the source of your problem.
> 
> > #everything from outside KO
> > iptables -A INPUT -m state --state NEW,INVALID -j DROP
> >
> > #apache
> > iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
> 
> Is eth0 your "external" interface?
> 
> > #amule
> > iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> > iptables -A INPUT -p udp --dport 4665 -j ACCEPT
> > iptables -A INPUT -p udp --dport 4672 -j ACCEPT
> >
> > iptables -P INPUT DROP
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> 
> The default policies should be set at the *beginning* of your script
> (before flushing the chains), not at the end.
> 
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
> 
> 
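As an added example (not a script from either poster), here is the original ruleset reordered along the lines of the advice in this thread: default policies set before the flush, an ESTABLISHED,RELATED rule in the OUTPUT chain, and the redundant echo-reply rule dropped. It also moves the catch-all `--state NEW,INVALID -j DROP` to the very end: iptables evaluates rules in order, and in the original script that DROP sits before the port-80 ACCEPT, so the first (NEW) packet of every web connection is dropped before the apache rule is ever reached. The script defaults to a dry run that only prints the commands (`IPT` defaults to `echo iptables`); eth0 as the external interface and 192.168.1.0/24 as the LAN are assumptions taken from the original post, and `IPT`, `EXT_IF` and `LAN` are names introduced here.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPT="echo iptables"
# prints the commands instead of running them. Apply for real with
#   IPT=iptables sh firewall.sh   (as root)
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"          # assumption: eth0 is the external interface
LAN="${LAN:-192.168.1.0/24}"      # assumption: the trusted LAN from the post

build_rules() {
    # 1. Default policies first, so there is no open window after the flush.
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # 2. Flush only after the policies are in place.
    $IPT -F
    $IPT -t nat -F

    # 3. Loopback and LAN. Matching on -i lo instead of -s 127.0.0.1 means a
    #    packet arriving on eth0 with a forged loopback source is not accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN" -j ACCEPT

    # 4. Reply traffic in both directions (the OUTPUT rule is what the
    #    thread recommends; one INPUT rule covers both TCP and UDP).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. X11 ports from outside.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 6000:6005 -j DROP
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 6000:6005 -j DROP

    # 6. ICMP: drop echo-request, rate-limit the rest. The separate
    #    echo-reply rule is gone because the generic rule already covers it.
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 -j DROP
    $IPT -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

    # 7. Services: apache and amule.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 4662 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4665 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4672 -j ACCEPT

    # 8. Catch-all last. Placed before the service rules it would swallow
    #    every NEW connection, including the SYN for port 80.
    $IPT -A INPUT -m state --state NEW,INVALID -j DROP
}

build_rules
```

After applying it for real, `iptables -L INPUT -n -v --line-numbers` shows the rule order and per-rule packet counters; a web request from outside should increment the port-80 ACCEPT rule, not the NEW,INVALID DROP below it.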