
Re: Apache and iptables



Hi,

Why not try debugging by adding a log rule between each line to see
which one is dropping the packets? (use a different --log-prefix for
each debug line to differentiate rule numbers)



On Thu, 2005-06-02 at 22:48 -0700, JM wrote:
> I understand what you are saying and it makes sense, however everything is
> the same (the same with the other advice, thanks nonetheless).  It is
> strange because once iptables is not running apache can be accessed from
> the net.  So something is not making iptables do the job right.  These
> rules should do the job...
> 
> 
> > Try to use this:
> >
> > iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > I think the problem is you are not telling iptables how to go out.
> >
> > In Spanish: You have not specified what has to be done with the return
> > packets or which way they have to go.
> >
> > Regards,
> >  Fleky
> >
> >
> > 2005/6/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
> >> On 2005-06-01 JM wrote:
> >> > This is a configuration that is not working with apache after some
> >> > upgrades to the system.  If turning off iptables, apache is allowed.
> >> > The syntax appears OK.  Amule with id also not working.
> >> > Here is the configuration:
> >> > ############################################
> >> > iptables -F
> >> > iptables -t nat -F
> >> >
> >> > iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> >> > iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
> >> >
> >> >
> >> > #X
> >> > iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
> >> > iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
> >> >
> >> > #ICMP
> >> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
> >> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
> >> > iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
> >>
> >> Because of the third ICMP rule, the second one is pointless.
> >>
> >> > # my own stuff OK
> >> > iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> > iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>
> >> You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
> >> well. That's most likely the source of your problem.
> >>
> >> > # everything from outside KO
> >> > iptables -A INPUT -m state --state NEW,INVALID -j DROP
> >> >
> >> > #apache
> >> > iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
> >>
> >> Is eth0 your "external" interface?
> >>
> >> > #amule
> >> > iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> >> > iptables -A INPUT -p udp --dport 4665 -j ACCEPT
> >> > iptables -A INPUT -p udp --dport 4672 -j ACCEPT
> >> >
> >> > iptables -P INPUT DROP
> >> > iptables -P FORWARD ACCEPT
> >> > iptables -P OUTPUT ACCEPT
> >>
> >> The default policies should be set at the *beginning* of your script
> >> (before flushing the chains), not at the end.
> >>
> >> Regards
> >> Ansgar Wiechers
> >> --
> >> "All vulnerabilities deserve a public fear period prior to patches
> >> becoming available."
> >> --Jason Coombs on Bugtraq
> >>
> >>
> >> --
> >> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> >> with a subject of "unsubscribe". Trouble? Contact
> >> listmaster@lists.debian.org
> >>
> >>
> >
> >
> 
> 
> -- 
> -JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)
> 
> 
-- 
============================
Charles Kidson
Systems Administrator
General Pants Group
charlesk@generalpants.com.au
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================
Notice: This email and any attachments are confidential and may contain
copyright material of General Pants Co. Pty Ltd., Jetty Surf Pty Ltd. or
third parties. If you are not the intended recipient of this email you
should not read, print, re-transmit, store or act in reliance on this email
or any attachments, and should destroy all copies of them. General Pants Co.
Pty Ltd. and Jetty Surf Pty Ltd. does not guarantee the integrity of any
emails or any attached files. The views or opinions expressed are the
author's own and may not reflect the views or opinions of General Pants Co.
Pty Ltd. and Jetty Surf Pty Ltd..
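The per-rule LOG debugging suggested at the top of this reply, as an added example that is not part of the thread: a shortened copy of the quoted INPUT chain is instrumented with a distinct --log-prefix before every rule, and constructed kernel log lines (not real captures) are read back to find the last prefix a packet reached, which names the rule that terminated it. The rule list and log lines are assumptions for illustration; the script only prints the instrumented rules, it does not apply them.

```shell
#!/bin/sh
# Constructed INPUT chain, shortened from the quoted script (same rule order).
RULES='iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT'

# Print the chain with a LOG rule in front of every rule, each carrying a
# distinct --log-prefix (dbg01, dbg02, ...). The output is a script to review
# and run by hand; nothing is applied here. The limit match keeps the kernel
# log from being flooded while the debug rules are in place.
instrument_rules() {
    n=0
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        n=$((n + 1))
        printf 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "dbg%02d: "\n' "$n"
        printf '%s\n' "$rule"
    done
}

# Constructed kernel log lines in the shape the LOG target produces (fields
# trimmed). A LAN host and an Internet host each send a SYN to port 80.
SAMPLE_LOG='kernel: dbg01: IN=eth0 OUT= SRC=192.168.1.5 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=80 SYN
kernel: dbg02: IN=eth0 OUT= SRC=192.168.1.5 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=80 SYN
kernel: dbg01: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=80 SYN
kernel: dbg02: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=80 SYN
kernel: dbg03: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=80 SYN'

# Last debug prefix logged for a given source address and destination port.
# The rule that follows that LOG is the one that terminated the packet.
last_prefix() {  # $1=SRC  $2=DPT  $3=log text
    printf '%s\n' "$3" | grep " SRC=$1 " | grep " DPT=$2 " \
        | sed -n 's/.*\(dbg[0-9][0-9]\):.*/\1/p' | tail -n 1
}

# Map a prefix back to the rule it precedes (empty if the packet fell
# through every rule and was handled by the chain policy instead).
rule_for_prefix() {
    printf '%s\n' "$RULES" | sed -n "$(printf '%s' "$1" | sed 's/^dbg0*//')p"
}

# Typical use (not run here): instrument_rules > apply.sh; sh apply.sh;
# then watch the kernel log and feed it to last_prefix / rule_for_prefix.
```

With the constructed log, the LAN host's SYN is last seen at dbg02 (accepted by the LAN rule), while the Internet host's SYN is last seen at dbg03, so the NEW,INVALID DROP rule ahead of the port 80 ACCEPT is what ended it.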
