
Re: Apache and iptables



I understand what you are saying and it makes sense, however everything is
the same (the same with the other advice, thanks nonetheless).  It is
strange because once iptables is not running apache can be accessed from
the net.  So something is not making iptables do the job right.  These
rules should do the job...


> Try to use this:
>
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I think the problem is that you are not telling iptables how to go out.
>
> In Spanish: You have not specified what has to be done with the return
> packets or which way they have to go.
>
> Regards,
>  Fleky
>
>
> 2005/6/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
>> On 2005-06-01 JM wrote:
>> > This is a configuration that is not working with apache after some
>> > upgrades to the system.  If iptables is turned off, apache is allowed.
>> > The syntax appears OK.  Amule with id also not working.
>> > Here is the configuration:
>> > ############################################
>> > iptables -F
>> > iptables -t nat -F
>> >
>> > iptables -A INPUT -s 127.0.0.1 -j ACCEPT
>> > iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
>> >
>> >
>> > #X
>> > iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
>> > iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
>> >
>> > #ICMP
>> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
>> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
>> > iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>
>> Because of the third ICMP rule, the second one is pointless.
>>
>> > #my stuff OK
>> > iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
>> well. That's most likely the source of your problem.
>>
>> > #everything from outside KO
>> > iptables -A INPUT -m state --state NEW,INVALID -j DROP
>> >
>> > #apache
>> > iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
>>
>> Is eth0 your "external" interface?
>>
>> > #amule
>> > iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
>> > iptables -A INPUT -p udp --dport 4665 -j ACCEPT
>> > iptables -A INPUT -p udp --dport 4672 -j ACCEPT
>> >
>> > iptables -P INPUT DROP
>> > iptables -P FORWARD ACCEPT
>> > iptables -P OUTPUT ACCEPT
>>
>> The default policies should be set at the *beginning* of your script
>> (before flushing the chains), not at the end.
>>
>> Regards
>> Ansgar Wiechers
>> --
>> "All vulnerabilities deserve a public fear period prior to patches
>> becoming available."
>> --Jason Coombs on Bugtraq


-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)
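The thread above is about where ESTABLISHED,RELATED traffic has to be allowed and where the default policies belong in the script. What follows is an added example, not JM's script and not code posted by anyone in the thread: the same ruleset reordered along those lines, written so it can be dry-run. The `IPT` variable defaults to `echo iptables`, so the script prints each rule instead of loading it; set `IPT=iptables` and run it as root to apply the rules. It assumes eth0 is the external interface (the question Ansgar asked), uses the LAN range from the posted script, and turns FORWARD to DROP on the assumption that the box does not route for other hosts. It also goes one step beyond the thread's own advice: the per-service ACCEPT rules are placed ahead of the catch-all DROP of NEW connections, because iptables walks a chain top-down and the first matching rule decides the packet, so an ACCEPT appended after such a DROP is never reached. The `accept_before_drop` helper is a hypothetical check added here to verify that ordering in the dry-run output.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Dry-run by default:
# IPT="echo iptables" prints each rule; IPT=iptables (as root) loads them.
IPT="${IPT:-echo iptables}"
EXT_IF="eth0"              # assumption: eth0 faces the internet
LAN="192.168.1.0/24"       # LAN range taken from the posted script

firewall_rules() {
    # 1. Policies first, so the host is never wide open while chains are
    #    rebuilt. FORWARD DROP is a deliberate change from the thread's
    #    ACCEPT: in this example the box does not route for anyone.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # 2. Loopback (matched on the interface, not on a spoofable source
    #    address) and the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN" -j ACCEPT

    # 3. Packets belonging to connections already tracked, in both chains;
    #    INVALID is dropped right after.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # 4. ICMP: no echo-request from outside, everything else rate-limited.
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

    # 5. Services. These ACCEPTs must precede the catch-all DROP of NEW
    #    connections in step 6; iptables stops at the first matching rule.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 4662 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4665 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4672 -j ACCEPT

    # 6. Any other new connection from outside (X on 6000-6005 included)
    #    is dropped here; the INPUT policy would drop it anyway.
    $IPT -A INPUT -i "$EXT_IF" -m state --state NEW -j DROP
}

# Hypothetical helper (not from the thread): check in the dry-run output
# that the ACCEPT for a given port is listed before the catch-all NEW DROP.
accept_before_drop() {
    rules=$(IPT="echo iptables"; firewall_rules)
    acc=$(printf '%s\n' "$rules" | grep -n -- "--dport $1 " | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- "--state NEW -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$drop" ] && [ "$acc" -lt "$drop" ]
}

firewall_rules
```

Running the script as-is prints the rules in the order they would be loaded, which is the cheapest way to review a ruleset before touching a remote box; `accept_before_drop 80` returns true when the web server rule sits above the catch-all DROP, and false for a layout like the one posted in the thread, where the NEW,INVALID DROP comes first.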


