Re: Apache and iptables
On 2005-06-01 JM wrote:
> This is a configuration that is not working with apache after some
> upgrades to the system. If iptables is turned off, apache is allowed. The
> syntax appears OK. Amule with id is also not working.
> Here is the configuration:
> ############################################
> iptables -F
> iptables -t nat -F
>
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
>
>
> #X
> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
> iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
>
> #ICMP
> iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
> iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
Because of the third ICMP rule, the second one is pointless.
> # my own traffic OK
> iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
well. That's most likely the source of your problem.
> # everything from outside KO
> iptables -A INPUT -m state --state NEW,INVALID -j DROP
>
> #apache
> iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
Is eth0 your "external" interface?
> #amule
> iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> iptables -A INPUT -p udp --dport 4665 -j ACCEPT
> iptables -A INPUT -p udp --dport 4672 -j ACCEPT
>
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
The default policies should be set at the *beginning* of your script
(before flushing the chains), not at the end.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
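An added example, not part of the thread and not JM's or Ansgar's script. iptables walks a chain top to bottom and the first rule with a terminating target wins, so rule order decides what a packet gets. In the posted INPUT chain the `-m state --state NEW,INVALID -j DROP` rule sits above the port-80 ACCEPT, which means a fresh connection to Apache from any address outside 192.168.1.0/24 hits the DROP first and never reaches the Apache rule. The script below emits a reordered ruleset with the default policies set before the flush (as Ansgar suggests), the conntrack ACCEPT near the top, the per-service ACCEPTs next, and the catch-all NEW DROP last, plus a small check that verifies the port-80 ACCEPT precedes any NEW DROP. It assumes eth0 is the external interface, the LAN is 192.168.1.0/24 and Apache listens on TCP/80 (all taken from the post); the loopback rule is changed to match on `-i lo` rather than `-s 127.0.0.1`, since a source address alone can be spoofed on eth0. It prints the commands by default; set APPLY=1 as root to execute them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: prints the iptables
# commands in chain order. APPLY=1 runs them for real (needs root).
# Assumed from the post: eth0 = external interface, LAN = 192.168.1.0/24,
# Apache on TCP/80, aMule on 4662/tcp, 4665/udp, 4672/udp.

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Reordered ruleset: policies first, then flush, then conntrack, then the
# per-service ACCEPTs, and only then the catch-all drop of NEW connections.
fixed_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # loopback by interface, not by source address (127.0.0.1 is spoofable on eth0)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

    # connection tracking: drop garbage, accept replies to our own traffic
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # X11 ports from outside
    ipt -A INPUT -i eth0 -p tcp --dport 6000:6005 -j DROP
    ipt -A INPUT -i eth0 -p udp --dport 6000:6005 -j DROP

    # ICMP: no echo-request from outside, rate-limit the rest
    ipt -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
    ipt -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

    # services that must accept NEW connections from outside
    ipt -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 4662 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p udp --dport 4665 -j ACCEPT
    ipt -A INPUT -p udp --dport 4672 -j ACCEPT

    # everything else that tries to open a connection (explicit; policy is DROP anyway)
    ipt -A INPUT -m state --state NEW -j DROP
}

# The two rules from the posted script, in the order they were posted.
posted_order() {
    ipt -A INPUT -m state --state NEW,INVALID -j DROP
    ipt -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
}

# Reads a rule listing on stdin. Exits 0 if the port-80 ACCEPT appears
# before the first rule that drops NEW state (or no such drop exists),
# 1 otherwise. First match wins in a chain, so a later ACCEPT is dead.
port80_before_new_drop() {
    awk '
        /--dport 80 / && /-j ACCEPT/ && !acc  { acc  = NR }
        /--state NEW/  && /-j DROP/   && !drop { drop = NR }
        END { ok = acc && (!drop || acc < drop); exit ok ? 0 : 1 }
    '
}

if posted_order | port80_before_new_drop; then
    echo "posted order: port 80 reachable"
else
    echo "posted order: port-80 ACCEPT is shadowed by the NEW,INVALID DROP above it"
fi

if fixed_rules | port80_before_new_drop; then
    echo "fixed order: port 80 reachable"
fi
```

Run it once without APPLY to read the ordered listing, then `APPLY=1 sh script.sh` as root. After loading, `iptables -L INPUT -n -v --line-numbers` shows the same order and, once a browser has connected from outside the LAN, a non-zero packet count on the port-80 rule rather than on the final DROP.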