Re: iptables and nmap
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
> (connection failed from localhost or another host on my local network).
>
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
> "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
> where eth0 is the way toward the internet.
> So I added this rule :
> "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
> where eth1 is the way toward my local network
Hello,
it seems that you are using some firewall script which uses a lot of user
defined chains: tcp_packets, allowed. Without understanding which packets get
filtered by chain tcp_packets and what is happening in chain allowed, it is
hard to guess what's wrong. Try this:
iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT
I suspect that you are using some firewall script made by someone else, and
that script is too complicated for anyone other than its author to understand.
IMHO it's always better to make your own script that has only the rules you
really need and understand.
> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
> restart firewall, I do nmap localhost, port 80 is still open.
>
> I do not find the link between iptables rules and nmap.
> Some ideas ?
nmap shows you the reality defined by iptables. If nmap shows something
different from what you expected, it just means you do not understand how iptables
works. You should visit http://www.netfilter.org/ and read man iptables.
--
Best regards,
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.kurz@webstep.net ===
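As an added example (not the poster's firewall-start script and not code from the reply), here is the kind of short, self-written script the reply recommends: only the rules this host needs, in the built-in INPUT chain, with no inherited user-defined chains. It assumes, as in the post, that eth0 faces the Internet and eth1 the local network, that a web server listens on TCP 80 and Tomcat on TCP 8080. The loopback rule also shows why "nmap localhost" is a poor test of the eth0/eth1 rules: packets to 127.0.0.1 arrive on lo and never match `-i eth0` or `-i eth1`, so commenting out the port-80 rule changes nothing for a scan of localhost. The DRY_RUN switch is an assumed convenience for printing the commands before applying them as root.

```shell
#!/bin/sh
# Minimal firewall script: only the rules needed for this host, nothing
# inherited from someone else's chain layout. Added example, not the original
# firewall-start script. Assumptions (from the post): eth0 faces the Internet,
# eth1 faces the LAN, a web server listens on TCP 80 and Tomcat on TCP 8080.
# DRY_RUN is an assumed convenience: set it to print the commands instead of
# running them. Applying for real requires root.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
HTTP_PORT=${HTTP_PORT:-80}
TOMCAT_PORT=${TOMCAT_PORT:-8080}

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Flush INPUT first so rules left behind by an older script cannot
    # silently keep a port open (or closed).
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback. A scan of localhost arrives on lo, not on eth0 or eth1, so
    # interface-specific rules never see it; this rule is what
    # "nmap localhost" actually exercises.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host initiated.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Web server reachable from the Internet side.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$HTTP_PORT" -m state --state NEW -j ACCEPT

    # Tomcat reachable from the LAN side only.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$TOMCAT_PORT" -m state --state NEW -j ACCEPT

    # Everything else falls through to the DROP policy.
}

show_firewall() {
    # Packet/byte counters reveal which rule a test connection actually hit;
    # a rule still at zero after a connection attempt did not match it.
    ipt -L INPUT -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  show_firewall ;;
esac
```

Apply it as root with `sh firewall.sh apply`, then attempt a connection and run `sh firewall.sh show`: the counters on the port-8080 rule tell you whether the packets reached it at all. Test reachability from another host on the LAN (for example `nmap -p 80,8080 <server-lan-address>` from that host) rather than from localhost, since a localhost scan only ever sees the lo rule.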