* opening connection for Tomcat
@ 2004-04-08 15:13 Gianni Pucciani
2004-04-08 16:01 ` ro0ot
2004-04-08 16:30 ` Alexis
0 siblings, 2 replies; 15+ messages in thread
From: Gianni Pucciani @ 2004-04-08 15:13 UTC (permalink / raw)
To: netfilter
Hi all,
I was in trouble opening a port for services with Tomcat.
Is this rule right? I'm behind an ADSL router that forwards every
connection on port 8080 to <myprivateip>.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m state --state NEW -j ACCEPT
* Re: opening connection for Tomcat
From: ro0ot @ 2004-04-08 16:01 UTC (permalink / raw)
To: Gianni Pucciani; +Cc: netfilter
You should only have this below:
iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -m state --state NEW -j ACCEPT
or
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024: -d <myprivateip> --dport 8080 -m state --state NEW -j ACCEPT
Regards,
ro0ot
Gianni Pucciani wrote:
> Hi all,
> I was in trouble opening a port for services with tomcat:
> Is this rule right? I'm behind an adsl router that forward every
> connection on port 8080 to <myprivateip>.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
> state --state NEW -j ACCEPT
* Re: opening connection for Tomcat
From: Alexis @ 2004-04-08 16:30 UTC (permalink / raw)
To: Gianni Pucciani; +Cc: netfilter
You must change the first rule to OUTPUT at least; you're filtering all
outgoing packets.
----- Original Message -----
From: "Gianni Pucciani" <gp.puccio@tin.it>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, April 08, 2004 12:13 PM
Subject: opening connection for Tomcat
> Hi all,
> I was in trouble opening a port for services with tomcat:
> Is this rule right? I'm behind an adsl router that forward every
> connection on port 8080 to <myprivateip>.
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
> state --state NEW -j ACCEPT
* Re: opening connection for Tomcat
From: Rob Sterenborg @ 2004-04-08 17:50 UTC (permalink / raw)
To: Netfilter
On Thu, 2004-04-08 at 18:30, Alexis wrote:
> you must change to OUTPUT the first rule at least. you're filtering all
> outgoing packets.
>
In these rules I only see policy ACCEPT for the OUTPUT chain, so IMHO
there's no filtering there.
> > Hi all,
> > I was in trouble opening a port for services with tomcat:
> > Is this rule right? I'm behind an adsl router that forward every
> > connection on port 8080 to <myprivateip>.
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
> > state --state NEW -j ACCEPT
Is your Tomcat listening on 8080/tcp? (netstat -an|grep 8080)
Are you sure that your router is forwarding all connections?
Check with a logging rule between the -m state and the -p tcp rules to
see what's going on (if there is anything):
iptables -A INPUT -j LOG --log-prefix "_ipt:check"
Gr,
Rob
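As an added illustration of the LOG check suggested above (this is not code from the thread; the log lines, the host name and the addresses in it are constructed), here is a small parser for what such a rule writes to the kernel log. Placed between the ESTABLISHED,RELATED rule and the port rule, the LOG rule only sees packets that are not part of an existing connection, so a summary of its output shows which new connection attempts actually reach INPUT and from where. The prefix is the "_ipt:check" from the message above; because it ends without a space, it runs straight into the IN= field, which the parser allows for.

```python
import re
from collections import Counter

LOG_PREFIX = "_ipt:check"

# Constructed sample lines in the format the netfilter LOG target writes to
# the kernel log (not real captured data). The prefix has no trailing space,
# so it is glued to "IN=", exactly as the rule above would produce it.
SAMPLE_KERN_LOG = """\
Apr  8 18:02:11 hydra kernel: _ipt:checkIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=49152 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 18:02:12 hydra kernel: _ipt:checkIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=49153 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 18:02:15 hydra kernel: _ipt:checkIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=49154 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 18:02:16 hydra kernel: _ipt:checkIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr  8 18:02:17 hydra kernel: unrelated message without the prefix
"""

# KEY=value pairs; bare flags such as DF, SYN or ACK carry no '='.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=value fields of one LOG line as a dict (plus a FLAGS
    list), or None if the line was not written by a rule with that prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return fields


def summarize(log_text, prefix=LOG_PREFIX):
    """Count logged packets by (protocol, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        counts[(fields.get("PROTO"), fields.get("SRC"), fields.get("DPT"))] += 1
    return counts


def new_tcp_connections_to_port(log_text, port, prefix=LOG_PREFIX):
    """Count TCP SYNs (new connection attempts) logged towards one port.
    Zero here while the router claims to forward points at the router or
    the service rather than at the firewall rule."""
    n = 0
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if (fields is not None and fields.get("PROTO") == "TCP"
                and fields.get("DPT") == str(port) and "SYN" in fields["FLAGS"]):
            n += 1
    return n


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_KERN_LOG).items()):
        print(key, n)
    print("SYNs to 8080:", new_tcp_connections_to_port(SAMPLE_KERN_LOG, 8080))
```

The fourth sample line is the DHCP discover case that comes up later in the thread: a source of 0.0.0.0 does show up in INPUT logs, but only for broadcast UDP, never for a TCP connection to 8080.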
* Re: opening connection for Tomcat
From: Gianni Pucciani @ 2004-04-08 17:55 UTC (permalink / raw)
To: Alexis, netfilter
Alexis wrote:
>you must change to OUTPUT the first rule at least. you're filtering all
>outgoing packets.
>
>
? The OUTPUT chain has the ACCEPT policy, so no packets are filtered there, are they?
Gianni
>
>----- Original Message -----
>From: "Gianni Pucciani" <gp.puccio@tin.it>
>To: <netfilter@lists.netfilter.org>
>Sent: Thursday, April 08, 2004 12:13 PM
>Subject: opening connection for Tomcat
>
>>Hi all,
>>I was in trouble opening a port for services with tomcat:
>>Is this rule right? I'm behind an adsl router that forward every
>>connection on port 8080 to <myprivateip>.
>>
>>iptables -P INPUT DROP
>>iptables -P OUTPUT ACCEPT
>>iptables -P FORWARD DROP
>>
>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
>>state --state NEW -j ACCEPT
* Re: opening connection for Tomcat
From: Alexis @ 2004-04-08 18:08 UTC (permalink / raw)
To: netfilter
Sorry, it's true, my mistake.
----- Original Message -----
From: "Rob Sterenborg" <rob@sterenborg.info>
To: "Netfilter" <netfilter@lists.netfilter.org>
Sent: Thursday, April 08, 2004 2:50 PM
Subject: Re: opening connection for Tomcat
> On Thu, 2004-04-08 at 18:30, Alexis wrote:
> > you must change to OUTPUT the first rule at least. you're filtering all
> > outgoing packets.
> >
>
> In these rules I only see policy ACCEPT for the OUTPUT chain, so IMHO
> there's no filtering there.
>
> > > Hi all,
> > > I was in trouble opening a port for services with tomcat:
> > > Is this rule right? I'm behind an adsl router that forward every
> > > connection on port 8080 to <myprivateip>.
> > >
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT ACCEPT
> > > iptables -P FORWARD DROP
> > >
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
> > > state --state NEW -j ACCEPT
>
> Is your Tomcat listening on 8080/tcp ? (netstat -an|grep 8080)
> Are you sure that your router is forwarding all connections ?
>
> Check with a logging rule between the -m state and the -p tcp rules to
> see what's going on (if there is) :
>
> iptables -A INPUT -j LOG --log-prefix "_ipt:check"
>
>
> Gr,
> Rob
* Re: opening connection for Tomcat
From: Gianni Pucciani @ 2004-04-08 20:13 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: Netfilter
Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
Many thanks
Gianni
Rob Sterenborg wrote:
>On Thu, 2004-04-08 at 18:30, Alexis wrote:
>
>
>>you must change to OUTPUT the first rule at least. you're filtering all
>>outgoing packets.
>>
>
>In these rules I only see policy ACCEPT for the OUTPUT chain, so IMHO
>there's no filtering there.
>
>>>Hi all,
>>>I was in trouble opening a port for services with tomcat:
>>>Is this rule right? I'm behind an adsl router that forward every
>>>connection on port 8080 to <myprivateip>.
>>>
>>>iptables -P INPUT DROP
>>>iptables -P OUTPUT ACCEPT
>>>iptables -P FORWARD DROP
>>>
>>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
>>>state --state NEW -j ACCEPT
>>>
>>>
>
>Is your Tomcat listening on 8080/tcp ? (netstat -an|grep 8080)
>Are you sure that your router is forwarding all connections ?
>
>Check with a logging rule between the -m state and the -p tcp rules to
>see what's going on (if there is) :
>
>iptables -A INPUT -j LOG --log-prefix "_ipt:check"
>
>
>Gr,
>Rob
* Re: opening connection for Tomcat
From: Antony Stone @ 2004-04-08 21:53 UTC (permalink / raw)
To: Netfilter
On Thursday 08 April 2004 9:13 pm, Gianni Pucciani wrote:
> Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
You are certainly very unlikely to receive packets from that address, as it
does not exist.
Regards,
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they can't
lose.
- William H Gates III
Please reply to the list;
please don't CC me.
* Re: opening connection for Tomcat
From: Frank Gruellich @ 2004-04-08 23:18 UTC (permalink / raw)
To: Netfilter
* Antony Stone <Antony@Soft-Solutions.co.uk> 8. Apr 04:
> On Thursday 08 April 2004 9:13 pm, Gianni Pucciani wrote:
> > Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
I think you meant something like "0.0.0.0/0.0.0.0" or its alias
"0.0.0.0/0" or its alias "0/0" or its alias "". So, omit it.
> You are certainly very unlikely to receive packets from that address, as it
> does not exist.
hydra:~# zgrep 'SRC=0\.0\.0\.0' /var/log/kern.log.1.gz |wc -l
28
DHCP clients use it when discovering. But not to port 8080.
Regards, Frank.
--
Sigmentation fault
* Re: opening connection for Tomcat
From: Alexis @ 2004-04-09 1:05 UTC (permalink / raw)
To: Gianni Pucciani; +Cc: netfilter
Oh, I thought you meant all addresses, with 0.0.0.0 as an example, and not
that you were setting the rule with an explicit 0.0.0.0.
Doing this, you are saying 0.0.0.0/32, which means only this IP address. To
match all IP addresses, leave the modifier (-d) unset or use 0.0.0.0/0.
Regards
----- Original Message -----
From: "Gianni Pucciani" <gp.puccio@tin.it>
To: "Rob Sterenborg" <rob@sterenborg.info>
Cc: "Netfilter" <netfilter@lists.netfilter.org>
Sent: Thursday, April 08, 2004 5:13 PM
Subject: Re: opening connection for Tomcat
> Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
>
> Many thanks
>
> Gianni
> Rob Sterenborg wrote:
>
> >On Thu, 2004-04-08 at 18:30, Alexis wrote:
> >
> >
> >>you must change to OUTPUT the first rule at least. you're filtering all
> >>outgoing packets.
> >>
> >
> >In these rules I only see policy ACCEPT for the OUTPUT chain, so IMHO
> >there's no filtering there.
> >
> >>>Hi all,
> >>>I was in trouble opening a port for services with tomcat:
> >>>Is this rule right? I'm behind an adsl router that forward every
> >>>connection on port 8080 to <myprivateip>.
> >>>
> >>>iptables -P INPUT DROP
> >>>iptables -P OUTPUT ACCEPT
> >>>iptables -P FORWARD DROP
> >>>
> >>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s 0.0.0.0 -m
> >>>state --state NEW -j ACCEPT
> >>>
> >>>
> >
> >Is your Tomcat listening on 8080/tcp ? (netstat -an|grep 8080)
> >Are you sure that your router is forwarding all connections ?
> >
> >Check with a logging rule between the -m state and the -p tcp rules to
> >see what's going on (if there is) :
> >
> >iptables -A INPUT -j LOG --log-prefix "_ipt:check"
> >
> >
> >Gr,
> >Rob
* Re: opening connection for Tomcat
From: Gianni Pucciani @ 2004-04-09 6:28 UTC (permalink / raw)
To: Netfilter
Antony Stone wrote:
> On Thursday 08 April 2004 9:13 pm, Gianni Pucciani wrote:
>
>
>>Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
>
>
> You are certainly very unlikely to receive packets from that address, as it
> does not exist.
Well, I'm not a firewall guru, but I think that 0.0.0.0 address is often
used to indicate "every address", isn't it?
Gianni
>
> Regards,
>
> Antony.
* Re: opening connection for Tomcat
From: giorgio.zarrelli @ 2004-04-09 6:56 UTC (permalink / raw)
To: Gianni Pucciani; +Cc: Netfilter
Hi,
> Well, I'm not a firewall guru, but I think that 0.0.0.0 address is often
> used to indicate "every address", isn't it?
Yes, it is.
It is a commonly used convention.
Ciao
Giorgio Zarrelli
* Re: opening connection for Tomcat
From: Rob Sterenborg @ 2004-04-09 7:23 UTC (permalink / raw)
To: Netfilter
> >>Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
> >
> > You are certainly very unlikely to receive packets from that address, as it
> > does not exist.
>
> Well, I'm not a firewall guru, but I think that 0.0.0.0 address is often
> used to indicate "every address", isn't it?
Neither am I ;o). I overlooked that one too.
0.0.0.0 = 0.0.0.0/32. 0.0.0.0 as a host does not exist.
What you meant is 0.0.0.0/0, which is the same as not specifying it.
Gr,
Rob
* Re: opening connection for Tomcat
From: Alexis @ 2004-04-09 13:50 UTC (permalink / raw)
To: Gianni Pucciani; +Cc: netfilter
Using the correct mask, it is.
----- Original Message -----
From: "Gianni Pucciani" <gp.puccio@tin.it>
To: "Netfilter" <netfilter@lists.netfilter.org>
Sent: Friday, April 09, 2004 3:28 AM
Subject: Re: opening connection for Tomcat
> Antony Stone wrote:
> > On Thursday 08 April 2004 9:13 pm, Gianni Pucciani wrote:
> >
> >
> >>Ok, I've fixed the problem: it seems that the address 0.0.0.0 is no good.
> >
> > You are certainly very unlikely to receive packets from that address, as it
> > does not exist.
>
> Well, I'm not a firewall guru, but I think that 0.0.0.0 address is often
> used to indicate "every address", isn't it?
>
> Gianni
> >
> > Regards,
> >
> > Antony.
* Re: opening connection for Tomcat
From: Antony Stone @ 2004-04-09 22:59 UTC (permalink / raw)
To: Netfilter
On Friday 09 April 2004 7:56 am, giorgio.zarrelli@mammaitalia.com wrote:
> Hi,
>
> > Well, I'm not a firewall guru, but I think that 0.0.0.0 address is often
> > used to indicate "every address", isn't it?
>
> Yes, it is.
"0.0.0.0" is very different from "0.0.0.0/0".
The first means "one specific IP address, which you will never find on a real
device".
The second means "any IP address at all".
The reason is simply because if you do not specify a netmask, /32 is assumed,
which means all bits must match exactly. On the other hand /0 means that no
bits have to match at all (which is why 0.0.0.0/0 corresponds to all
addresses).
Regards,
Antony.
--
If you can't find an Open Source solution for it, then it isn't a real
problem.
Please reply to the list;
please don't CC me.
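To make the /32-versus-/0 point above concrete, here is an added example (not code from the thread, and not how iptables itself is implemented) that models how the argument of -s or -d is read and then walks the original INPUT chain for one packet. The placeholder MY_PRIVATE_IP and the packet addresses are constructed. It shows that with "-s 0.0.0.0" a new connection to 8080 from any real host falls through to the DROP policy, while "-s 0.0.0.0/0" (or omitting -s) accepts it; the only source "-s 0.0.0.0" ever matches is 0.0.0.0 itself.

```python
import ipaddress

# Constructed stand-in for the poster's <myprivateip>; not an address from the thread.
MY_PRIVATE_IP = "192.168.1.10"


def parse_match_address(spec):
    """Model of how iptables reads the argument of -s / -d:
      "a.b.c.d"          -> host match, i.e. a /32 netmask is assumed
      "a.b.c.d/N"        -> CIDR prefix length
      "a.b.c.d/m.m.m.m"  -> dotted netmask
      "0/0"              -> the shorthand mentioned in the thread for 0.0.0.0/0
      ""                 -> option omitted, which matches any address
    Only the "0" shorthand is expanded here; other abbreviated forms are an
    assumption this model does not make."""
    if spec == "":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, mask = spec.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    if mask == "":
        mask = "32"          # no mask given: every bit of the address must match
    return ipaddress.ip_network(addr + "/" + mask, strict=False)


def rule_matches(spec, packet_addr):
    """True if an -s/-d argument of `spec` would match a packet carrying packet_addr."""
    return ipaddress.ip_address(packet_addr) in parse_match_address(spec)


def input_chain_verdict(src_spec, packet):
    """Walk the poster's INPUT chain for one packet and return the verdict.
    packet is a dict with proto, src, dst, dport and conntrack state."""
    rules = [
        # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        (lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        # iptables -A INPUT -p tcp -d <myprivateip> --dport 8080 -s <src_spec>
        #          -m state --state NEW -j ACCEPT
        (lambda p: p["proto"] == "tcp" and p["dst"] == MY_PRIVATE_IP
                   and p["dport"] == 8080 and rule_matches(src_spec, p["src"])
                   and p["state"] == "NEW", "ACCEPT"),
    ]
    for matches, target in rules:
        if matches(packet):
            return target
    return "DROP"            # iptables -P INPUT DROP


if __name__ == "__main__":
    # Constructed packet: a fresh SYN from the router's LAN side to Tomcat.
    syn = {"proto": "tcp", "src": "192.168.1.1", "dst": MY_PRIVATE_IP,
           "dport": 8080, "state": "NEW"}
    for spec in ("0.0.0.0", "0.0.0.0/0", "0/0", "0.0.0.0/0.0.0.0", ""):
        print(f"-s {spec!r:20} -> {parse_match_address(spec)!s:14} "
              f"verdict {input_chain_verdict(spec, syn)}")
```

Run it and the first row is the thread's bug in one line: 0.0.0.0 parses to 0.0.0.0/32, the packet's source does not match, and the chain ends in DROP; every other spelling parses to 0.0.0.0/0 and ends in ACCEPT.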