* I dont know how to forward port 80
From: Micah James Sergey @ 2005-02-10 12:34 UTC
To: netfilter; +Cc: earsofdeath
Hello, I have my computer hooked up through a router and would like to
use my computer as a server. I've set up the router so it forwards port
80 to the to-be server. However, I have no idea how to set up
iptables so the server accepts stuff. I'd really appreciate it if someone
would send me the commands for doing so. It'd also be nice if they could
explain what each line does.
* Re: I dont know how to forward port 80
From: Jason Opperisano @ 2005-02-11 13:24 UTC
To: netfilter
On Thu, 2005-02-10 at 07:34, Micah James Sergey wrote:
> hello, i have my computer hooked up through a router and would like to
> use my computer as a server. ive set up the router so it forwards port
> 80 to the to-be server. however, i have no idea how to set up the
> iptables so the server accepts stuff. id really appreciate it if someone
> would send me the commands for doing so. it'd also be nice if they could
> explain what each line does.
Might I suggest a perusal of:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
That way--you don't have to rely on what we tell you.
But since we're in the age of "instant gratification is too slow" I'll
take a stab at it...
If I understand you correctly--you have a router (not running iptables)
that is forwarding port 80 to $INSIDE_MACHINE_IP and you're running
iptables on $INSIDE_MACHINE and need to know how to allow port 80
traffic in to it. If that's correct:
# start fresh--flush all rules and set filter policies to ACCEPT
for t in mangle nat filter; do
    iptables -t $t -F
    iptables -t $t -X
    iptables -t $t -Z
done
for c in INPUT OUTPUT FORWARD; do
    iptables -P $c ACCEPT
done
# set the INPUT policy to DROP
iptables -P INPUT DROP
# allow input packets that are part of an established connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow HTTP requests in
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
# more rules, depending on your setup
[ ... ]
# allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# log anything which is about to be dropped by the chain policy
iptables -A INPUT -m limit --limit 12/min --limit-burst 3 \
    -j LOG --log-prefix "FW DROP INPUT: "
-j
--
"Look, just give me some inner peace, or I'll mop the floor with ya!"
--The Simpsons
* Re: I dont know how to forward port 80
From: Jose Maria Lopez Hernandez @ 2005-02-13 12:28 UTC
To: netfilter
On Fri, 11-02-2005 at 08:24 -0500, Jason Opperisano wrote:
> # allow input packets that are part of an established connection
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow HTTP requests in
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
Sorry, I've seen in some of your answers that you never use
-m state --state NEW. Could you tell me why? I am updating
my firewall and I'm very confused with this, because you
seem to know everything about Netfilter and iptables, and
I am using the NEW state in all my rules. Should I do it
or should I not? And by the way, should I use the --syn
flag?
Thanks and Regards.
--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: I dont know how to forward port 80
From: Jason Opperisano @ 2005-02-14 22:32 UTC
To: netfilter
On Sun, 2005-02-13 at 07:28, Jose Maria Lopez Hernandez wrote:
> On Fri, 11-02-2005 at 08:24 -0500, Jason Opperisano wrote:
> > # allow input packets that are part of an established connection
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # allow HTTP requests in
> > iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> Sorry, I've seen in some of your answers that you never use
> -m state --state NEW. Could you tell me why?
For the sake of clarity. When someone asks, "how do I allow HTTP into
my machine" it seems clearer to say:
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
rather than:
iptables -A INPUT -m state --state NEW -p tcp --syn \
    --sport 1024:65535 --dport 80 -j ACCEPT
You're not going to make me add a disclaimer to all my posts that says
"any rules are included to clarify a point of discussion. Do not use
the rules posted without understanding the full security implications of
such an act. Firewall rules lasting more than four hours require
medical attention."
> I am updating
> my firewall and I'm very confused with this, because you
> seem to know everything about Netfilter and iptables,
Heh heh--thanks, I needed a laugh.
> and
> I am using the NEW state in all my rules. Should I do it
> or should I not?
I do.
> And by the way, should I use the --syn
> flag?
I do.
-j
--
"I'm not a bad guy! I work hard, and I love my kids. So why should
I spend half my Sunday hearing about how I'm going to Hell?"
--The Simpsons
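The exchange above turns on what `--syn` and `-m state --state NEW` each match, and on why the first reply puts the ESTABLISHED,RELATED rule ahead of the HTTP rule. The following is an added example in Python, not code from the list or from netfilter: a toy model that walks the INPUT chain from the first reply over a handful of constructed packets, with `--syn` implemented as the TCP flag test it stands for (SYN set, ACK/RST/FIN clear) and `-m state` approximated by a small conntrack table. The `tcp_loose` switch models the kernel's `net.netfilter.nf_conntrack_tcp_loose` sysctl, which by default lets conntrack pick up a non-SYN packet it has never seen as a NEW connection. All addresses, ports and packets are constructed for the example.

```python
"""Added toy model (not netfilter code) of how the INPUT chain from the thread
classifies packets. `-m state` is approximated by a tiny conntrack table and
`--syn` by a TCP flag test; every packet and address below is constructed."""
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP flags; unused for other protocols


def is_syn(p: Packet) -> bool:
    """What `--syn` matches: SYN set and ACK, RST, FIN all clear."""
    return p.proto == "tcp" and (p.flags & (SYN | ACK | RST | FIN)) == SYN


@dataclass
class Conntrack:
    """Stand-in for nf_conntrack: remembers the 5-tuples it has seen."""
    tcp_loose: bool = True  # models the net.netfilter.nf_conntrack_tcp_loose sysctl
    table: set = field(default_factory=set)

    def state(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp" and not is_syn(p) and not self.tcp_loose:
            return "INVALID"  # strict tracking: no mid-stream pickup
        # Loose tracking (the kernel default) picks up a non-SYN packet as NEW.
        self.table.add(fwd)
        return "NEW"


def http_match(p: Packet, st: str, require_syn: bool, require_new: bool) -> bool:
    """The HTTP rule, with the optional `--syn` and `-m state --state NEW` qualifiers."""
    if p.proto != "tcp" or p.dport != 80:
        return False
    if require_syn and not is_syn(p):
        return False
    if require_new and st != "NEW":
        return False
    return True


def run_input_chain(packets, ct: Conntrack, require_syn: bool, require_new: bool):
    """Walk the chain from the first reply: ESTABLISHED,RELATED accept, HTTP rule,
    loopback accept, LOG, then the DROP policy. Returns (verdicts, log lines).
    The `-m limit` rate limit on the LOG rule is left out of the model."""
    verdicts, logged = [], []
    for p in packets:
        st = ct.state(p)  # conntrack classifies each packet once, before the filter rules
        if st in ("ESTABLISHED", "RELATED"):
            v = "ACCEPT"
        elif http_match(p, st, require_syn, require_new):
            v = "ACCEPT"
        elif p.iface == "lo":
            v = "ACCEPT"
        else:
            logged.append(f"FW DROP INPUT: {p.proto} {p.src}:{p.sport} -> "
                          f"{p.dst}:{p.dport} state={st}")
            v = "DROP"
        verdicts.append(v)
    return verdicts, logged


def sample_packets():
    """Constructed traffic towards a server at 192.168.1.10 (documentation addresses)."""
    return [
        Packet("eth0", "tcp", "203.0.113.5", 40000, "192.168.1.10", 80, SYN),  # new HTTP connection
        Packet("eth0", "tcp", "203.0.113.9", 40001, "192.168.1.10", 80, ACK),  # ACK with no prior SYN
        Packet("eth0", "tcp", "203.0.113.5", 40002, "192.168.1.10", 22, SYN),  # SSH attempt
        Packet("lo", "tcp", "127.0.0.1", 5000, "127.0.0.1", 3306, SYN),        # loopback
        Packet("eth0", "tcp", "203.0.113.5", 40000, "192.168.1.10", 80, ACK),  # data on the web connection
    ]


if __name__ == "__main__":
    for label, syn, new, loose in [("--syn only", True, False, True),
                                   ("--state NEW only, tcp_loose=1", False, True, True),
                                   ("--state NEW only, tcp_loose=0", False, True, False),
                                   ("--syn and --state NEW", True, True, True)]:
        verdicts, logged = run_input_chain(sample_packets(), Conntrack(tcp_loose=loose), syn, new)
        print(f"{label:32} {verdicts}  dropped={len(logged)}")
```

The second packet is the interesting one: with loose tracking, a rule that says only `--state NEW --dport 80` accepts a bare ACK that was never preceded by a SYN, because conntrack files it as NEW, whereas `--syn` drops it at the firewall. The combined form Jason shows (`-m state --state NEW -p tcp --syn`) behaves like `--syn` alone in this model; its extra value in real netfilter is that the state match also refuses packets conntrack has marked INVALID.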
* Re: I dont know how to forward port 80
From: Jose Maria Lopez Hernandez @ 2005-02-15 9:16 UTC
To: netfilter
On Mon, 14-02-2005 at 17:32 -0500, Jason Opperisano wrote:
> for the sake of clarity. when someone asks, "how do i allow http into
> my machine" it seems clearer to say:
>
> iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> rather than:
>
> iptables -A INPUT -m state --state NEW -p tcp --syn \
> --sport 1024:65535 --dport 80 -j ACCEPT
>
> you're not going to make me add a disclaimer to all my posts that says
> "any rules are included to clarify a point of discussion. do not use
> the rules posted without understanding the full security implications of
> such an act. firewall rules lasting more than four hours require
> medical attention."
Thanks for the info. I was really bothered by this matter. I thought
it was OK, but after reading your posts I was really confused.
Regards.
--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"