Redhat 8.0 with Iptables and Cisco 2514

Redhat 8.0 with Iptables and Cisco 2514

[JUSTIN GERRY]

Trying to figure out why, when I enable the firewall on my cisco (which
is a state checking firewall) and I have my iptables (also state
checking) firewall enabled on my redhat box I can not establish a
connection with with my website (either website one as I have two
interfaces and I am using apache to host both)

It almost seems as if the cisco is destroying the incoming connection
(probably the outgoing response because I can see people connecting to
my box) before my box has a chance to send out a response.

If I run no firewall on my redhat box and leave the firewall up on my
cisco then you can access my website normally. 

If anyone has had this problem please let me know.

FYI, my simple firewall test:

F1="eth0"
IF2="eth1"
IP2="xxx" #(real ip address hidden)
IP1="xxx" #(real ip address hidden)
UNPRIVPORTS="1024:65535"

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -p tcp --sport $UNPRIVPORTS \
--dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Many thanks,
Justin

Re: Redhat 8.0 with Iptables and Cisco 2514

[Joel Newkirk]

On Tuesday 07 January 2003 04:32 pm, JUSTIN GERRY wrote:
> Trying to figure out why, when I enable the firewall on my cisco
> (which is a state checking firewall) and I have my iptables (also
> state checking) firewall enabled on my redhat box I can not establish
> a connection with with my website (either website one as I have two
> interfaces and I am using apache to host both)
>
> It almost seems as if the cisco is destroying the incoming connection
> (probably the outgoing response because I can see people connecting to
> my box) before my box has a chance to send out a response.
>
> If I run no firewall on my redhat box and leave the firewall up on my
> cisco then you can access my website normally.

What about the reverse?  If the cisco's firewalling is disabled, but 
iptables in use, can you connect?

> If anyone has had this problem please let me know.
>
> FYI, my simple firewall test:
>
> F1="eth0"
> IF2="eth1"
> IP2="xxx" #(real ip address hidden)
> IP1="xxx" #(real ip address hidden)
> UNPRIVPORTS="1024:65535"
>
> iptables -F
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -p tcp --sport $UNPRIVPORTS \
> --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If the answer above is "it works", then what if you loosen the NEW rule 
in INPUT?  Try:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

with the cisco's firewall enabled.  If this fails, I suspect the cisco's 
configuration is blocking outbound replies, so you'd have to dig there. 
A quick test with logging in INPUT and OUTPUT chains would tell you if 
the request is actually reaching your machine, and being responded to 
properly.  Just add a log rule at the start and the end of each of those 
two chains, with distinct '--log-prefix' strings, and make sure you log 
from the first and ONLY the first one in each chain.  The first log 
tells you it hits the chain, the second that it hits the DROP policy.

j

> Many thanks,
> Justin