#1 Registered User (Devshed Newbie, joined Sep 2011)

    How to open firewall for apache


    I setup apache to serve a LAN and client browsers on the LAN can only access web content when the firewall on the server is disabled.

    Here is my /etc/sysconfig/iptables:

    # Generated by iptables-save v1.4.9 on Tue Oct 25 00:06:44 2011
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Oct 25 00:06:44 2011
#2 requinix, Jealous Moderator (Devshed Supreme Being, joined Mar 2007, Washington, USA)

    iptables processes rules from top to bottom (unless it jumps) so if you have a universal -j REJECT then no other rules below it will take effect.

    With that in mind, look at
    Code:
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

#3 DonR, Contributing User (Devshed Novice, joined Oct 2009, Nebraska, USA)

    From what I can see in your iptables-save file, you actually have INPUT, OUTPUT, and FORWARD set to ACCEPT as their default state, which should allow all activity into your server from the outside without you adding any other rules.
    For security purposes, you actually want to set the default state of INPUT to DROP and then set which ports you want to ACCEPT afterwards.

    As requinix already showed you, that REJECT rule will definitely stop your traffic before your port 80 rule gets parsed.

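requinix's ordering point (#2) and DonR's default-policy point (#3) side by side, as an added example that is not part of the thread: a small Python first-match evaluator fed the thread's own INPUT chains. It is not iptables; it models only the -p, -i, --dport and --state matches those rules use, and the interface name eth0 and the sample packets are constructed for the demonstration.

```python
import re

# Post #1's INPUT chain as posted: the catch-all REJECT sits above the port 80 rule.
POST1 = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
"""
# Post #4: the REJECT line deleted, policy still ACCEPT (what DonR warns about).
POST4 = "\n".join(l for l in POST1.splitlines() if "REJECT" not in l)
# Post #5: policy DROP, no catch-all rule, only the explicit ACCEPTs remain.
POST5 = POST4.replace(":INPUT ACCEPT", ":INPUT DROP")
# Match options the thread's rules use; this toy ignores anything else.
MATCHERS = (("proto", r"\s-p (\w+)"), ("iface", r"\s-i (\w+)"),
            ("dport", r"--dport (\d+)"), ("states", r"--state (\S+)"))

def parse_input_chain(text):
    """Return (policy, rules); each rule is a dict of its match fields and target."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rule = {"target": re.search(r"\s-j (\w+)", line).group(1)}
            for key, pat in MATCHERS:
                m = re.search(pat, line)
                if m:
                    rule[key] = m.group(1)
            rules.append(rule)
    return policy, rules

def verdict(text, pkt):
    """First rule whose every match fits decides: (target, rule_no); else (policy, None)."""
    policy, rules = parse_input_chain(text)
    for n, r in enumerate(rules, 1):
        if ("proto" in r and r["proto"] != pkt["proto"]) or \
           ("iface" in r and r["iface"] != pkt["iface"]) or \
           ("dport" in r and int(r["dport"]) != pkt["dport"]) or \
           ("states" in r and pkt["state"] not in r["states"].split(",")):
            continue  # this rule does not apply; fall through to the next one
        return r["target"], n
    return policy, None  # end of chain: the default policy decides

# Constructed packets (eth0 is an assumed interface name): a LAN browser's first SYN to Apache, and UDP to an unlisted port.
HTTP_SYN = {"proto": "tcp", "iface": "eth0", "dport": 80, "state": "NEW"}
UDP_5353 = {"proto": "udp", "iface": "eth0", "dport": 5353, "state": "NEW"}
```

With POST1 the HTTP SYN stops at rule 5 (REJECT); with POST4 it reaches rule 5 (ACCEPT) but so does every unlisted packet, via the ACCEPT policy; with POST5 the SYN is accepted and the unlisted UDP falls through to DROP.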
#4 Registered User (Devshed Newbie, joined Sep 2011)

    Originally Posted by requinix
    iptables processes rules from top to bottom (unless it jumps) so if you have a universal -j REJECT then no other rules below it will take effect.

    With that in mind, look at
    Code:
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    After deleting the REJECT line my LAN clients are now able to browse my Intranet with firewall enabled.

    Thank you.
#5 Registered User (Devshed Newbie, joined Sep 2011)

    Originally Posted by DonR
    From what I can see in your iptables-save file, you actually have INPUT, OUTPUT, and FORWARD set to ACCEPT as their default state, which should allow all activity into your server from the outside without you adding any other rules.
    For security purposes, you actually want to set the default state of INPUT to DROP and then set which ports you want to ACCEPT afterwards.

    As requinix already showed you, that REJECT rule will definitely stop your traffic before your port 80 rule gets parsed.
    I am new to Linux and web development, and am concentrating on Linux basics, Perl, CGI, DBI, Apache, MySQL and mod_perl. Right away I discovered that I know nothing about iptables and that it is important for me to learn about them, but I am prioritizing my efforts and am putting off my studies of iptables for now. I know there is a lot on the Internet about them, and perhaps I should take a few hours and see if I can make sense of them, but I am guessing a few hours may not be enough for me. Any comments or suggestions about particular books or tutorials online? I am using Fedora 14.

    I feel that even if I did understand iptables I don't know enough about my system to know which ports to open up, etc. This is why I am learning this stuff with an Intranet, so I don't need to worry so much about security. It would be nice to understand what I am starting with here, though. Is this what you have in mind? My clients are able to browse the Intranet with this:

    # Generated by iptables-save v1.4.9 on Tue Oct 25 00:06:44 2011
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Oct 25 00:06:44 2011
#6 Doug G, Grumpier old Moderator (Devshed Supreme Being, joined Jun 2003)

    If you use Linux with a GUI, you can use the GUI firewall tool to set up your firewall, then do iptables -L to look at the results.

    Keep in mind there are alternative firewalls rather than iptables. I use ISPConfig as a web control panel and it provides its own firewall (using bastille-firewall I think).

    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
#7 Registered User (Devshed Newbie, joined Sep 2011)

    Thanks for your suggestion. I knew I have a GUI tool to set up a firewall and have considered using it and I may end up doing so.

    How true your statement about politicians is. I have a little blues that I shout out when I get the chance, a little of it goes:

    the democrats, republicans
    both give you their word
    they say they are something different but
    they're opposite ends of the same turd

    they show you one side of things
    it's red white and blue
    rounding up the bewildered herd
    in all that they do

    Back when the little shrub was puppet in chief I would shout out:

    you got to trust the president
    he knows more than you do
    give him everything he wants
    and kiss his butt too!

    Can't say this any more with nobama. Those repugnant republicans used war propaganda pretty effectively and perhaps got as much yardage as anybody could for a while; seems the dumbocrats don't have that leverage. Now the repugnantans' main objective is clearly to get their own back into the hot seat, although I would say they should really not care so much, obama has given them about everything they want.

    I see these lying scoundrels putting on this big show to the public, these spats they get into, then they go back behind closed doors and sip brandy and smoke cigars together and laugh about the smoke and mirrors. People eat it up!

    Thanks again for your suggestion.
#8 Doug G, Grumpier old Moderator (Devshed Supreme Being, joined Jun 2003)

    Quote:
        Thanks for your suggestion. I knew I have a GUI tool to set up a firewall and have considered using it and I may end up doing so.
    I was only suggesting you use the GUI setup tool to provide education on what you need to add from the command line, not necessarily to use it as your primary setup tool.

    If you use Fedora there is a curses-based firewall tool available; simply run 'setup' as root. This is Red Hat specific though.

    And non-linux commentary doesn't really belong in posts in the linux forum.

#9 Registered User (Devshed Newbie, joined Sep 2011)

    Originally Posted by Doug G
    I was only suggesting you use the GUI setup tool to provide education on what you need to add from the command line, not necessarily to use it as your primary setup tool.

    If you use Fedora there is a curses-based firewall tool available; simply run 'setup' as root. This is Red Hat specific though.

    And non-linux commentary doesn't really belong in posts in the linux forum.
    Whoops, sorry about the infraction. Thank you for telling me, and thanks for the clarification about the GUI setup tool.
