can't access site if firewall turn on

[akgta]

We have a CentOS 5.3 server, we have tried opening ports 80 and 53 on the iptables firewall by placing the following code lines in /etc/sysconfig/iptables above the reject and commit lines and restarted it, still can't access the website.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

If we turn the iptables firewall off we can see the website on a client browser.

Please help, thanks in advance.

 

[ZaSter]

Try moving the lines BELOW the reject lines and restart iptables.

 

[popasmuerf]

If the above doesn't work....flush iptables and then add each rule line one at a time and then test. This is assuming that you have relatively few lines.

 

[BadBigBen]

May give you some info and how to:

Firewall Configuration Howto for RHEL/CentOS 5

http://www.linuxmail.info/firewall-configuration-centos-5/

29.7. Firewall Configuration

http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-redhat-config-kickstart-firewall.html

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

 

[IRudebwoy]

I've always defined an interface to "bind" my rule to. And I think removing "-m state --state NEW -m tcp" won't hurt either.

-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT

Unless you want to do something like this. Which is just as good as the first line. I like the first one better.

-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT

And don't forget the outbound rules too.

 

[IRudebwoy]

Woops!

Those previous code lines should read (assuming your interface is eth0)

-A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

and

-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT