
Re: Apache and iptables



Thanks, this plus reversing the rules for apache solved the problem.
> Try to use this:
>
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I think the problem is you are not telling iptables how to go out.
>
> In Spanish: You have not specified what has to be done with the return
> packets or which way they have to go.
>
> Regards,
>  Fleky
>
>
> 2005/6/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
>> On 2005-06-01 JM wrote:
>> > This is a configuration that is not working with apache after some
>> > upgrades to the system. If turning off iptables, apache is allowed.
>> > The syntax appears OK. Amule with id also not working.
>> > Here is the configuration:
>> > ############################################
>> > iptables -F
>> > iptables -t nat -F
>> >
>> > iptables -A INPUT -s 127.0.0.1 -j ACCEPT
>> > iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
>> >
>> >
>> > #X
>> > iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
>> > iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
>> >
>> > #ICMP
>> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
>> > iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
>> > iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>
>> Because of the third ICMP rule, the second one is pointless.
>>
>> > #my stuff OK
>> > iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as
>> well. That's most likely the source of your problem.
>>
>> > #everything from outside KO
>> > iptables -A INPUT -m state --state NEW,INVALID -j DROP
>> >
>> > #apache
>> > iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT
>>
>> Is eth0 your "external" interface?
>>
>> > #amule
>> > iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
>> > iptables -A INPUT -p udp --dport 4665 -j ACCEPT
>> > iptables -A INPUT -p udp --dport 4672 -j ACCEPT
>> >
>> > iptables -P INPUT DROP
>> > iptables -P FORWARD ACCEPT
>> > iptables -P OUTPUT ACCEPT
>>
>> The default policies should be set at the *beginning* of your script
>> (before flushing the chains), not at the end.
>>
>> Regards
>> Ansgar Wiechers
>> --
>> "All vulnerabilities deserve a public fear period prior to patches
>> becoming available."
>> --Jason Coombs on Bugtraq


-- 
-JM. "These blue days and this sun of childhood" (Antonio Machado, 1939)
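The ruleset from the thread, reworked along the lines of the replies (policies set before flushing, ESTABLISHED,RELATED allowed in OUTPUT as well, the service ACCEPTs moved ahead of the NEW,INVALID drop, the redundant ICMP rule dropped). This is an added example, not anything posted in the thread; it assumes eth0 is the external interface and 192.168.1.0/24 the trusted LAN, and with DRY_RUN=1 it only prints the commands so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed interface and LAN below.
EXT_IF=eth0
LAN=192.168.1.0/24

# Print instead of apply when DRY_RUN=1, so the rule order can be reviewed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    # Policies first: the host is closed while the chains are rebuilt, and
    # a script that aborts half-way never leaves INPUT wide open.
    ipt -P INPUT DROP
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # Match loopback by interface rather than by a spoofable source address.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s "$LAN" -i "$EXT_IF" -j ACCEPT

    # Reply traffic in both directions, as Fleky and Ansgar advise.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services come BEFORE the catch-all drop of NEW; in the original script
    # new HTTP connections hit the NEW,INVALID drop before the apache rule.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 4662 -j ACCEPT
    ipt -A INPUT -p udp --dport 4665 -j ACCEPT
    ipt -A INPUT -p udp --dport 4672 -j ACCEPT

    # One rate-limited ICMP accept; echo requests from outside are dropped.
    # (The second ICMP rule of the original was shadowed by this one.)
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
    ipt -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

    # Everything else from outside (X11 6000:6005 included) is dropped here
    # and by the INPUT policy, so no separate X rules are needed.
    ipt -A INPUT -m state --state NEW,INVALID -j DROP
}

# Usage: DRY_RUN=1 sh fw.sh apply   (review)   /   sh fw.sh apply   (as root)
if [ "${1:-}" = apply ]; then fw_rules; fi
```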