#1 (Just Joined!, joined Feb 2007, 24 posts)

    iptables issues... please help


    Hi all,

    I have an existing server that is used as a web server only. Can anyone help check whether it is correct?

    The following is my iptables setting:
    EPT [17421:3794081]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [18142:2796768]
    :RH-Firewall-1-INPUT - [0:0]
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT



    (xxx.xxx.xxx.xxx = an IP address)

    Should I insert this at the end, since this is only used as a web server?
    -A INPUT -j DROP

    From what I know of the setting, it should not block any connection, right? But why can't I connect through port 3306 if I know I allow port 3306?

    After I tried specifying an IP to connect through 3306, now I can connect from any source. Why?

    I am a newbie to Linux and the setting was set by the previous vendor.

    Any suggestion to improve it?

    Thanks in advance.

#2 RobinVossen (Linux Engineer, The Netherlands; joined Aug 2007, 1,429 posts)
    Heh, OK, let me help you. And English isn't your native language, is it? But well, hey, neither is mine, so anyhow, I am not here to troll or make you feel bad, so let's get down to your config.
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

    These are fine. They show that your lo and eth0 are allowed to get connections.

    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    This shows that you can ping with one specific type (ICMP 255).
    That is also fine.

    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT

    No idea what this is.

    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    This makes sure that if a connection is already ESTABLISHED it doesn't get cut off.

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

    This accepts connections on port 80 (web server).

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

    This accepts connections on port 443 (HTTPS web server).

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT

    This accepts connections on port 21 (FTP server).

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

    This accepts connections on port 22 (SSH server).

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

    This accepts TCP and UDP for DNS. I'd just leave this on if I were you.

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT

    This accepts connections (TCP and UDP) on port 3306 from IP address xxx.xxx.xxx.xxx. If you want to remove the restriction to that one IP, change it to:
    Code:
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT

    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

    This makes sure people can't ping you.
    But it's on REJECT, which is kind of stupid.
    Change that to DROP,
    since pinging is often used in port scanning,
    and if he gets rejected he knows the box is on.
    If he doesn't get a reply, yeah, he kind of just knows the PC is up.

    Use Nmap and hping to test your firewall settings.

#3 (Just Joined!, joined Feb 2007, 24 posts)
    Quote: Originally Posted by RobinVossen (post #2, quoted in full above)
    Thanks for your reply, and sorry for my language.

    Code:
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s xxx.xxx.xxx.xxx -m state --state NEW -j ACCEPT
    Why can I connect to the server through this port number although I am not coming from xxx.xxx.xxx.xxx? Isn't there some setting wrong?

#4 RobinVossen (Linux Engineer, The Netherlands; joined Aug 2007, 1,429 posts)
    You should also add a DROP ALL at the bottom, I believe.

#5 (Just Joined!, joined Feb 2007, 24 posts)
    Quote: Originally Posted by RobinVossen
    You should also add a DROP ALL at the bottom, I believe.
    I tried that already, but it can't...

    I added this:

    -A RH-Firewall-1-INPUT -p tcp -m tcp -j DROP
    -A RH-Firewall-1-INPUT -p udp -m udp -j DROP
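The behaviour asked about in #1, #3 and #5 follows from rule order. `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` is the second rule in the chain, so every packet that arrives on eth0 is accepted there and the port 3306 source restriction further down is never evaluated; that is why the server can be reached on 3306 from any address. The two DROP lines appended in #5 sit after `-j REJECT`, which already matches every packet that reaches it, so they can never fire. The paste in #1 is also cut off where the INPUT chain's header and its jump into RH-Firewall-1-INPUT would appear, so check with `iptables -L INPUT -n --line-numbers` that INPUT really does jump into this chain before relying on it.

The Python script below is an added example, not code from the thread or from Red Hat's firewall tooling. It parses the chain exactly as posted (with the documentation address 192.0.2.10 standing in for xxx.xxx.xxx.xxx and 203.0.113.5 as an arbitrary outside host, both assumptions) and walks constructed packets through it, once as posted and once with the blanket eth0 rule and the dead DROP lines removed. Only the match options the posted rules use are modelled; no iptables binary or root is needed.

```python
"""Walk constructed packets through the RH-Firewall-1-INPUT chain posted in the
thread and report which rule decides each one.  Added example, not the thread's
own code.  Models only -i, -p, -s, --dport, --icmp-type and -m state --state."""
import shlex
from dataclasses import dataclass
from typing import Optional

# The chain as posted in #1 plus the two DROP lines appended in #5.
# Assumption: 192.0.2.10 stands in for the redacted xxx.xxx.xxx.xxx.
RULES_TEXT = """\
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -s 192.0.2.10 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3306 -s 192.0.2.10 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m tcp -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp -j DROP
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end evaluation of the chain


@dataclass
class Packet:
    iface: str
    proto: str                       # tcp, udp, icmp, esp, ah
    src: str
    dport: Optional[int] = None
    state: str = "NEW"               # conntrack state: NEW, ESTABLISHED, RELATED
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[set] = None
    icmp_type: Optional[int] = None
    target: str = ""
    text: str = ""

    def matches(self, p: Packet) -> bool:
        """Every criterion present on the rule must hold; absent ones match anything."""
        if self.iface is not None and p.iface != self.iface: return False
        if self.proto is not None and p.proto != self.proto: return False
        if self.src is not None and p.src != self.src: return False
        if self.dport is not None and p.dport != self.dport: return False
        if self.states is not None and p.state not in self.states: return False
        # iptables-save writes "--icmp-type any" as 255, which matches every ICMP type
        if self.icmp_type not in (None, 255) and p.icmp_type != self.icmp_type: return False
        return True

    def is_catch_all(self) -> bool:
        return all(v is None for v in (self.iface, self.proto, self.src,
                                       self.dport, self.states, self.icmp_type))


def parse_rules(text: str, chain: str = "RH-Firewall-1-INPUT") -> list:
    """Keep only '-A <chain>' lines; every option used in this ruleset takes one argument."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", chain]:
            continue                                   # headers, other chains, COMMIT
        r, i = Rule(text=line), 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-i": r.iface = arg
            elif opt == "-p": r.proto = arg
            elif opt == "-s": r.src = arg
            elif opt == "--dport": r.dport = int(arg)
            elif opt == "--state": r.states = set(arg.split(","))
            elif opt == "--icmp-type": r.icmp_type = int(arg)
            elif opt == "-j": r.target = arg
            elif opt not in ("-m", "--reject-with"):   # module loads do not filter
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.append(r)
    return rules


def verdict(rules: list, pkt: Packet):
    """(target, index) of the first terminal rule that matches, or RETURN if none does."""
    for idx, rule in enumerate(rules):
        if rule.target in TERMINAL and rule.matches(pkt):
            return rule.target, idx
    return "RETURN", None


def unreachable(rules: list) -> list:
    """Indexes of rules after the first terminal rule that matches every packet."""
    for idx, rule in enumerate(rules):
        if rule.target in TERMINAL and rule.is_catch_all():
            return list(range(idx + 1, len(rules)))
    return []


ORIGINAL = parse_rules(RULES_TEXT)
_dead = set(unreachable(ORIGINAL))
# Hardened variant: no blanket "-i eth0 -j ACCEPT", and no rules after the REJECT.
FIXED = [r for i, r in enumerate(ORIGINAL) if r.iface != "eth0" and i not in _dead]

SAMPLES = {   # constructed packets; 203.0.113.5 is an arbitrary outside host
    "mysql from stranger":     Packet("eth0", "tcp", "203.0.113.5", dport=3306),
    "mysql from allowed ip":   Packet("eth0", "tcp", "192.0.2.10", dport=3306),
    "http from stranger":      Packet("eth0", "tcp", "203.0.113.5", dport=80),
    "port 8080 from stranger": Packet("eth0", "tcp", "203.0.113.5", dport=8080),
    "ping from stranger":      Packet("eth0", "icmp", "203.0.113.5", icmp_type=8),
}


def report(rules: list, title: str) -> None:
    print(f"== {title} ==")
    for label, pkt in SAMPLES.items():
        tgt, idx = verdict(rules, pkt)
        print(f"{label:26} -> {tgt:7} rule {idx}: {rules[idx].text if idx is not None else '-'}")


if __name__ == "__main__":
    report(ORIGINAL, "chain as posted (#1 plus #5)")
    print("unreachable rule indexes:", unreachable(ORIGINAL))
    report(FIXED, "without -i eth0 ACCEPT and the dead DROP lines")
```

Run it with `python3` and compare the two reports: as posted, every eth0 packet is decided by rule 1, the eth0 ACCEPT; with that rule gone, port 3306 is accepted only from 192.0.2.10 and everything not listed falls through to the REJECT. The tail DROP lines from #5 are reported as unreachable, which is why adding them changed nothing. The chain name RH-Firewall-1-INPUT is the one Red Hat's system-config-securitylevel generates, so on that kind of system the edit goes into /etc/sysconfig/iptables followed by `service iptables restart`; keep an SSH session open while doing it, since a mistake in a chain that INPUT jumps into can lock you out.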
