[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: firewall problems killing tomcat and apache

On 03/15/2008 08:00 AM, Adam Hardy wrote:

Mumia W.. on 15/03/08 05:25, wrote:

On 03/14/2008 07:22 AM, Adam Hardy wrote:
I'm setting up a server which is a DNS server and broadband gateway for a small LAN, having two NICs with one connected to the DSL modem.
It's got dnsmasq and iptables. I'm saying that because I think it's the firewall causing the problem, but I don't know for sure or why.
I am trying to run apache and tomcat servers to serve content and apps for the internal LAN, and not externally.
Apache runs fine, but tomcat is very slow to load (3 mins) when it should be 1 or 2 seconds. It is also not possible to shut tomcat down - it makes the 'tomcat5.5 stop' command hang.
I know tomcat needs ports 8009, 8080 and 8443 by default, and I studied my iptables script (build by fwbuilder) but it looks fine.
Hopefully this is a common problem, but I've included my iptables output below just in case. 

Thanks for any advice,
Adam
[...]
I'm not a firewalling expert, but I've always found it quite helpful to allow connections from the localhost to go through the firewall, e.g.: 

/sbin/iptables -A INPUT -i lo -j ACCEPT
Some programs require access to DNS or other local services, and tomcat may be one of them. I remember Netscape used to do IPC through TCP/IP connections to localhost.
The first rule I've got is accepts RELATED and ESTABLISHED states for lo doesn't it? Correct me if 0.0.0.0/0 isn't lo. (or is it the IP equivalent of 'everything'?) 

A bit further down I accept state NEW for the same.

Is there anything more for that?


Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
DROP       0    --  86.129.117.158       0.0.0.0/0
DROP       0    --  192.168.0.2          0.0.0.0/0
DROP       0    --  192.168.0.0/24       0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state NEW



Ahh.


Cid46260D13.0  0    --  192.168.0.0/24       0.0.0.0/0           state NEW
Cid46260D1E.0  udp  --  0.0.0.0/0            0.0.0.0/0           udp multiport dports 68,67 state NEW
Cid46260D1E.2  0    --  0.0.0.0/0            255.255.255.255     state NEW
Cid46260D34.0  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 state NEW
Cid46260D34.0  udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW
ACCEPT     0    --  192.168.0.0/24       0.0.0.0/0           state NEW
Cid462610E7.1  0    --  0.0.0.0/0            192.168.0.0/24      state NEW
DROP       0    --  0.0.0.0/0            86.129.117.158
DROP       0    --  0.0.0.0/0            192.168.0.2
DROP       0    --  0.0.0.0/0            0.0.0.0/0
I didn't see the NEW at first. And yes, 0.0.0.0/0 means to select "any" IP address. If you wanted to allow the loopback IP address you would do this: 

/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
However, I've read that selecting the loopback device by its interface "-i lo" is better for security.
Nonetheless, I can't see why it isn't working. Perhaps change the DROPs above to REJECTs and see if tomcat fails more quickly. You can also use the LOG target to get useful messages into the syslog. That should help you find out to which chains your packets are going before they are dropped.
Reply to: