* newbie problem
From: Chris Barnes @ 2003-02-17 7:43 UTC (permalink / raw)
To: Netfilter
Hi people, I'm new to the list.
Anyway, I have a very simple firewall on a web server. I want to deny
access to everything except the web server (port 80).
I have set the policy on all chains to DROP and I have added a rule to
the INPUT chain which says
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
I've done it like this because the web server has 2 interfaces (eth0 and
eth1) which I would like to have access to the server (eth0 is local
10.3.2.0/24 and eth1 is external).
I also made a rule for OUTPUT:
iptables -A OUTPUT -p tcp -j ACCEPT
The problem is that nothing can get to the web server: the packets are
being dropped. I checked the counters and none of the rules counted any
packets or bytes, so the packets are being dropped before the rules.
What am I doing wrong, or what is a better way to do this?
Thanks heaps for your help.
* Re: newbie problem
From: Joel Newkirk @ 2003-02-17 8:09 UTC (permalink / raw)
To: Chris Barnes, Netfilter
On Monday 17 February 2003 02:43 am, Chris Barnes wrote:
> Hi people, I'm new to the list.
>
> Anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80).
>
> I have set the policy on all chains to DROP and I have added a rule to
> the INPUT chain which says
>
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A OUTPUT -p tcp -j ACCEPT
> What am I doing wrong, or what is a better way to do this?
>
> Thanks heaps for your help.
You have to accept connections TO port 80, not FROM port 80...
Try these:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
They will allow clients to connect and retrieve HTTP documents, as well
as allowing the very useful ICMP controls like source_quench,
fragmentation control and such that really make web browsing work
properly, but no other communication in OR out is allowed by these
rules (assuming a DROP policy on OUTPUT). Add appropriate ACCEPT rules
to OUTPUT if the server needs to initiate connections for some reason.
j
* Re: newbie problem
From: Chris Barnes @ 2003-02-17 10:31 UTC (permalink / raw)
To: Netfilter
On Mon, 2003-02-17 at 19:09, Joel Newkirk wrote:
>
> You have to accept connections TO port 80, not FROM port 80...
>
> Try these:
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> They will allow clients to connect and retrieve HTTP documents, as well
> as allowing the very useful ICMP controls like source_quench,
> fragmentation control and such that really make web browsing work
> properly, but no other communication in OR out is allowed by these
> rules (assuming a DROP policy on OUTPUT). Add appropriate ACCEPT rules
> to OUTPUT if the server needs to initiate connections for some reason.
>
source_quench (sounds like a fruit juice drink :p ) and all that is
really important? Hmm, I had no idea such things existed (excuse my
ignorance, newbie here).
I'll make sure I add those rules.
Thanks heaps.
* Re: newbie problem
From: Ralf Spenneberg @ 2003-02-17 8:25 UTC (permalink / raw)
To: netfilter
On Mon, 2003-02-17 at 08:43, Chris Barnes wrote:
> Hi people, I'm new to the list.
>
> Anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80).
>
> I have set the policy on all chains to DROP and I have added a rule to
> the INPUT chain which says
>
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
>
It is --dport 80 if you want to allow packets with destination port
80 to reach your web server.
By the way, I hope you have not set PREROUTING and POSTROUTING to DROP,
have you?
Cheers,
Ralf
--
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34 48565 Steinfurt Germany
Phone: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Mobile: +49(0)177 567 27 40
Markt+Technik book: Intrusion Detection für Linux Server
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
* Re: newbie problem
From: Eric Constantineau @ 2003-02-20 11:39 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: netfilter
Is the web server on the same machine that is firewalling, or is it behind it?
If it is behind, set it on FORWARD instead of INPUT...
The INPUT chain is for traffic entering the firewall machine itself, the OUTPUT
chain is for the packets coming from the firewall machine, and FORWARD is for
all other packets passing through the firewall...
Eric
Ralf Spenneberg wrote:
> On Mon, 2003-02-17 at 08:43, Chris Barnes wrote:
> > Hi people, I'm new to the list.
> >
> > Anyway, I have a very simple firewall on a web server. I want to deny
> > access to everything except the web server (port 80).
> >
> > I have set the policy on all chains to DROP and I have added a rule to
> > the INPUT chain which says
> >
> > iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> >
> It is --dport 80 if you want to allow packets with destination port
> 80 to reach your web server.
>
> By the way, I hope you have not set PREROUTING and POSTROUTING to DROP,
> have you?
>
> Cheers,
>
> Ralf
>
> --
> Ralf Spenneberg
> UNIX/Linux Trainer and Consultant, RHCE, RHCX
> Waldring 34 48565 Steinfurt Germany
> Phone: +49(0)2552 638 755 Fax: +49(0)2552 638 757
> Mobile: +49(0)177 567 27 40
>
> Markt+Technik book: Intrusion Detection für Linux Server
> IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
> Honeynet Project Mirror: http://honeynet.spenneberg.org
> Snort Mirror: http://snort.spenneberg.org
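Both points made in the replies can be checked against a toy model of how netfilter handles a packet: Joel's point that a rule on --sport 80 can never match a client's SYN (so the rule counters stay at zero and the DROP policy wins, exactly what Chris observed) and Eric's point that the chain is selected by where the packet is going (INPUT for the firewall itself, FORWARD for a host behind it). This is an added example, not code from the thread; the addresses, ports and the verdict/compare helpers are constructed for illustration.

```python
# Toy model of netfilter chain traversal, added as an example (not code from the thread):
# pick the chain by where the packet goes, then the first matching rule's target wins,
# otherwise the chain policy applies. Addresses and ports below are constructed.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# state is the conntrack state as seen by -m state: NEW, ESTABLISHED or RELATED
Packet = namedtuple("Packet", "src dst proto sport dport state")
@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    hits: int = 0  # per-rule packet counter, like the pkts column of iptables -L -v
    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))
def walk_chain(rules, policy, p):
    for r in rules:
        if r.matches(p):
            r.hits += 1
            return r.target
    return policy  # nothing matched: counters stay at zero and the policy decides

def verdict(p, local_ips, chains, policy="DROP"):
    # INPUT sees only packets addressed to the firewall itself, OUTPUT those it
    # originates; anything else (a host behind the firewall) goes through FORWARD.
    chain = "INPUT" if p.dst in local_ips else "OUTPUT" if p.src in local_ips else "FORWARD"
    return chain, walk_chain(chains.get(chain, []), policy, p)

FW = {"203.0.113.10", "10.3.2.1"}  # constructed: the firewall's eth1 and eth0 addresses
syn = Packet("198.51.100.7", "203.0.113.10", "tcp", 51234, 80, "NEW")  # client's SYN
reply = Packet("203.0.113.10", "198.51.100.7", "tcp", 80, 51234, "ESTABLISHED")
behind = Packet("198.51.100.7", "10.3.2.50", "tcp", 51234, 80, "NEW")  # server behind it
# Chris's original rules: ACCEPT only when the *source* port is 80, which a client SYN never has.
original = {"INPUT": [Rule("ACCEPT", proto="tcp", sport=80)],
            "OUTPUT": [Rule("ACCEPT", proto="tcp")]}
# Joel's corrected rules: match the destination port and let conntrack pass the replies.
fixed = {"INPUT": [Rule("ACCEPT", proto="tcp", dport=80),
                   Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))],
         "OUTPUT": [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))]}

def compare():
    return {"original": verdict(syn, FW, original), "fixed": verdict(syn, FW, fixed),
            "reply": verdict(reply, FW, fixed), "behind": verdict(behind, FW, fixed),
            "original_hits": original["INPUT"][0].hits}
```

With the original rules the SYN is dropped by policy and the rule's counter stays at 0; with the corrected rules the SYN is accepted on INPUT and the reply on OUTPUT, while a SYN for a host behind the firewall goes to FORWARD and is still dropped until that chain gets its own rule.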
* Re: newbie problem
From: Ralf Spenneberg @ 2003-02-17 9:00 UTC (permalink / raw)
To: netfilter
On Mon, 2003-02-17 at 08:43, Chris Barnes wrote:
> Hi people, I'm new to the list.
>
> Anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80).
>
> I have set the policy on all chains to DROP and I have added a rule to
> the INPUT chain which says
>
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
>
It is --dport 80 if you want to allow packets with destination port
80 to reach your web server.
By the way, I hope you have not set PREROUTING and POSTROUTING to DROP,
have you?
Cheers,
Ralf
--
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34 48565 Steinfurt Germany
Phone: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Mobile: +49(0)177 567 27 40
Markt+Technik book: Intrusion Detection für Linux Server
IPsec/PPTP Kernels for Red Hat Linux: http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
--
Ralf Spenneberg
RHCE, RHCX
IPsec/PPTP Kernels for Red Hat Linux:
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror: http://honeynet.spenneberg.org
Snort Mirror: http://snort.spenneberg.org
* RE: newbie problem
From: Eugene Joubert @ 2003-02-17 8:49 UTC (permalink / raw)
To: 'Chris Barnes', Netfilter
Is your web server on your firewall?
Also, your rule for port 80: your source port is wrong. Remember, if I
were to access the web page on your server I would be coming in with a source
port that my OS has given me. So instead of source port, change it to
destination port, because that is where your request is going.
Also, I would suggest moving your web server to another server behind your
firewall.
Just my 5 cents.
PS:
You could also set your OUTPUT policy to default ACCEPT, but if you're really
paranoid then just make it DROP.
-----Original Message-----
From: Chris Barnes [mailto:runtimeerror@bigpond.com]
Sent: 17 02 2003 09:43 AM
To: Netfilter
Subject: newbie problem
Hi people, I'm new to the list.
Anyway, I have a very simple firewall on a web server. I want to deny access
to everything except the web server (port 80).
I have set the policy on all chains to DROP and I have added a rule to the
INPUT chain which says
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
I've done it like this because the web server has 2 interfaces (eth0 and
eth1) which I would like to have access to the server (eth0 is local
10.3.2.0/24 and eth1 is external).
I also made a rule for OUTPUT:
iptables -A OUTPUT -p tcp -j ACCEPT
The problem is that nothing can get to the web server: the packets are
being dropped. I checked the counters and none of the rules counted any
packets or bytes, so the packets are being dropped before the rules.
What am I doing wrong, or what is a better way to do this?
Thanks heaps for your help.