- 11-11-2009 #1
Help to debug iptables
I am running an apache instance and an instance of cruisecontrol which is a server that throws up a web interface on port 8080.
I can access both thru lynx but not from an IP on the same network (another computer)
Stopping iptables makes it so it works on all computers again. But I don't understand which rule, and I've read thru iptables --help and I still don't get the general concept, what are chains, what are policies, how do they interact? How do I remove whatever is stopping my web interfaces?
Code:
```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
```
- 11-11-2009 #2
Post your /etc/sysconfig/iptables file. It makes reading the firewall rules a lot easier.
- 11-11-2009 #3
Ok, as a transient fix I put service iptables stop (in startup script) although I would like to understand how iptables actually works.
Code:
```
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
- 11-11-2009 #4
You don't have port 80 or 8080 allowed on your firewall. Open these ports and things should start to work. Also open 443 if you want https.
- 11-11-2009 #5
So I take it iptables blocks all ports by default?
It must have been set up this way because I unchecked webserver during linux installation so I could install my own later
- 11-12-2009 #6
Yeah, the last line is the reject line; that is why you are not connecting. Please be aware that what you install has nothing to do with the way the firewall is set up. You still need to open the required ports on the firewall.
- 11-12-2009 #7
Hmm, well that's the only thing I did differently this time, and never had this problem before. Why would it be unreasonable to assume the distro sets up a different firewall configuration depending on if you pick "server" or "desktop"?
- 11-12-2009 #8
AFAIR it doesn't. The basic setup is allow everything out and nothing in.


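The question of how chains, policies and rule order interact can be traced by replaying a packet through the rule file from post #3. The following is an added example, not code from any poster: a simplified first-match model of that file. The `eth0` interface name, the constructed packet and the port-8080 ACCEPT rule (modelled on the existing ssh rule) are assumptions.

```python
# Rule file from post #3, abridged: esp/ah/mdns/ipp/icmp ACCEPTs and FORWARD omitted.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
REJECT = "-A RH-Firewall-1-INPUT -j REJECT"
# Hypothetical rule for the web interface, modelled on the ssh rule above.
ALLOW_8080 = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT"
LAN = {"iface": "eth0", "proto": "tcp", "dport": "8080", "state": "NEW"}  # constructed packet
FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse(text):
    policies, chains = {}, {}
    for tok in map(str.split, text.splitlines()):
        if tok and tok[0].startswith(":"):      # ":CHAIN POLICY [pkts:bytes]"
            policies[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
        elif tok and tok[0] == "-A":            # "-A CHAIN <matches> -j TARGET"
            chains[tok[1]].append(tok[2:])
    return policies, chains

def matches(rule, pkt):
    opts = dict(zip(rule[::2], rule[1::2]))     # assumes every option takes one argument
    return all(pkt[FIELDS[f]] in v.split(",") for f, v in opts.items() if f in FIELDS)

def walk(chain, pkt, policies, chains):
    for rule in (r for r in chains[chain] if matches(r, pkt)):   # tried top to bottom
        target = rule[rule.index("-j") + 1]
        if target not in chains:                # terminal target ends the search
            return target, " ".join(rule)
        verdict = walk(target, pkt, policies, chains)            # jump into a user chain
        if verdict:
            return verdict
    # No rule decided: a built-in chain applies its policy, a user chain ("-") returns.
    return None if policies[chain] == "-" else (policies[chain], chain + " policy")

def decide(text, pkt):
    return walk("INPUT", pkt, *parse(text))

if __name__ == "__main__":
    fixed = RULESET.replace(REJECT, ALLOW_8080 + "\n" + REJECT)  # ACCEPT placed before REJECT
    for label, rules, pkt in (("lynx on the box", RULESET, dict(LAN, iface="lo")),
                              ("LAN host", RULESET, LAN), ("LAN host, fixed", fixed, LAN)):
        print(label, "->", decide(rules, pkt))
```

Appending the same ACCEPT rule below the REJECT line leaves the verdict unchanged, because evaluation stops at the first terminal match; the `INPUT` policy of ACCEPT is only reached if no rule in the chain decides.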