Need help with Iptables 2

[tech4rce]

Hi, I'm trying to set-up a Web server firewall, this box will be running Fedora 4 and will be a dedicated Web Server nothing else. The connection that I have is ADSL modem, going to a Switch (I'm allowed two connections by Mac address).

I've tried the modifying the RH-Firewall-1 but my port 80 and 22 is still hidden (according to

http://www.grc.com

-shields up test).

Here is my iptable firewall:

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --5353 - 224.0.0.251 -j ACCEPT
-A RH-Firewall-1 INPUT -m state --state EXTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp --dport 22 -j ACCEPT
commit

What am I doing wrong here?
Oh just so you know, this is mostly for learning experience.
Thanks in advance.

 

[zeland]

I've not used FC's firewall config tool before as I write my own. I've never seen the notation :INPUT DROP before but if its anything to go by, you should always have your INPUT chain as ACCEPT or you won't get anything coming to your machine at all.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--

 

[tech4rce]

Zeland, I've changed the INPUT DROP to INPUT ACCEPT.
Now my SSH port 22 shows up as OPEN. But I still don't have port 80. The test shows that it's in "stealth" mode.

I always thought that the INPUT policy was to drop anything that was NOT going to port 22 or 80 as I want. Maybe I'm wrong. My other linux box (router) has INPUT DROP and it works fine.

 

[zeland]

Now that we are on the topic of routers, we need to differentiate between INPUT & FORWARD chains and rules & policies. The INPUT chain is traversed when the incoming connection is destined to the LOCAL machine. On a router, network traffic usually goes from one eth to another for a REMOTE machine, hence forwarding. You can set a rule at the router to have INPUT drop any traffic and still have it work.

A rule tells the machine/router what to do when you get a connection. A policy however is rule that is enforced if a connection doesn't match any rule.

Back to your problem on hand, does everything work with the firewall turned off? Another, dumb but valid question is: Is your web server running? Check to see of your web server is listening by using the command lsof -Pni.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--

 

[tech4rce]

zeland, well I've learned something already thanks.

But my port 80 (and 443) is still in "stealth" mode. I've run the "lsof -Pni" command and it says that "httpd" is "listen"(ing) with IPv6 protocol.

Is there something else that I should have in my firewall?

Thanks in advance.

 

[zeland]

IPv6 might be the cause of your web service being in "stealth" mode as most port scanners still only scan with IPv4. Can you specifically set the listen parameter under your httpd.conf file to the local machines v4 IP address?


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--

 

[lgarner]

The ":INPUT DROP" line sets the INPUT policy to DROP, as zeland alluded to earlier. This is correct. All other additions to the INPUT chain are the exceptions.

Port 22 is blocked since you're filtering on MAC. Try "man iptables" to see how that works.

I agree that it's probably the web server. Make sure you can at least connect to it from itself using it's actual IP address, not localhost.

 

[tech4rce]

Thanks, I will have to configure the httpd.conf file.
But so far I am allowed to SSH into the box (using Putty).

I'll write back if I run into any other problems.

Thanks for your help.

 

[tech4rce]

Zeland, I have tried the add the parameter IPv4 (under "Listen" ) to the httpd.conf file. Restart httpd service but now I have a "Failure" to load. Obviously httpd.conf only like port #s.

I've looked everywhere (google search and Man pages) for any configuration settings, but haven't found anything different from my httpd.conf file.

Port 80 and 443 is still in "stealth" mode, have any more ideas??

 

[zeland]

I have tried the add the parameter IPv4 (under "Listen" ) to the httpd.conf file. Restart httpd service but now I have a "Failure" to load. Obviously httpd.conf only like port #s.

Hmm.. yes. What I meant by putting IPv4 address to your listen directive in httpd.conf is not putting the word IPv4 i.e. listen IPv4:80, but your servers actual IPv4 address i.e. listen 10.1.20.5:80.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--

 

[tech4rce]

Zeland, thanks for replying.
I've gone back and adjusted the httpd.conf file (listen {ip address}:80). Restarted the services (httpd & Iptables), nothing has changed though - still in stealth mode.
I've tried something just to see what would change. I've shutdown the Iptables service so no firewall available. Then checked with

http://www.grc.com,

and believe it or not, port 80 & 443 is still in stealth mode. This is weird isn't it??

I can give you a list of all the ports that are in "stealth" mode if you want. (21,25, 80,110,135,139,443,445) all others are "closed" (port 22 ssh is open -that part works).

once again I thank you for your help.

 

[tech4rce]

zeland, I've just re-installed Fedora, without a firewall. Checked with

http://www.grc.com,

and ports are still in stealth mode. Would it be possible that my ISP is blocking those ports??
Are all the ports that I listed before are for "server" (Web, mail,etc)??

Maybe I should just give up on this one.
Thanks anyway for your help.

 

[lgarner]

Perhaps it is being blocked. Blocking 80 is common, not so common is a block on 443. Try changing your web server to listen on an oddball port, like 81 or 9000, and see what happens. I don't know if you can tell grc to scan all or specific ports.

Also, can you connect to the web server from another computer inside your LAN?

 

[flugh]

The :INPUT :FORWARD other chains) notation for chain policy is used by iptables-save and iptables-restore.

My vote here goes to ISP filtering the your inbound traffic destined to port 80. I also use grc.com's shields up test, but more often I ssh to a remote shell (everybody as a couple of those right?) then turn around and send a 'telnet <target ip> 80' or whatever port I'm wanting to test.

----
JBR

 

[tech4rce]

lgarner, I've adjusted my httpd.conf file to listen on port 81, ran the grc.com (test all ports) test - and SURPRISE! port 81 is open. I would imagine that my ISP is blocking the usual ports just like what Flugh said.

Now my next question is would I still be able to run a Web server using port 81, keep in mind that I'm doing all of this to learn.

Is there a file that actually shows me which ports (services) are open - just so I can close un-needed ports (telnet, port 111 ...). If I screw up somewhere - believe me I will screw up.

Thanks for your input

 

[lgarner]

Yes. Check with your registrar or something like dyndns.org. They can redirect "

http://www.mysite.com"

to "

http://www.mysite.com:81"

Netstat will tell you what ports are open. Look for the lines with "LISTENING"

 

[tech4rce]

Thanks lgarner.