  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66

    IP is not pointing to my server :(


    Hi

    I have done the following

    1) Changed ssh port
    2) disabled root login through ssh
    3) Installed few firewalls
    4) block everything in iptables except 80,8080 and ssh port
    5) Finally installed apache php mysql and phpmyadmin

    Started the services, but when hitting the IP address in the browser, I don't see any output.

    I have just added an index.html at /var/www/html/index.html

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    So you are trying to use a browser on the same machine that is running apache, yes?

    Are you sure the apache service is started? Not sure what your distro is, but try:

    Code:
    /etc/init.d/httpd status
    or look for it in ps:
    Code:
    ps auxww|egrep 'httpd|apache'
    temporarily disable the firewall to make sure that is not the problem, e.g.:
    Code:
    /etc/init.d/iptables stop
    what are you browsing to, exactly? Try:
    Code:
    http://localhost
    Run this in a terminal while you try to connect, to see apache errors:

    Code:
    tailf /var/log/httpd/error_log
    Edit: If you are using a hostname in the browser, make sure you can resolve it. On the command line, try to ping it. If the hostname is DNS-based, try "host YOUR_HOSTNAME".
    Last edited by atreyu; 12-01-2011 at 01:52 PM. Reason: resolve ip

  3. #3
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    Yes, it was iptables that was blocking.
    Now I've got another serious problem.

    I tried to see the rules in the table. It returned nothing.
    So I thought I'd add new rules again:

    Code:
    iptables -P INPUT DROP
    I entered this. Immediately I lost my ssh connection. And I am not able to access again.

    Ping returns 100% data loss.
    Putty is not even loading for that IP address.

    Am I fully blocked, or is the server down?

  5. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    heh. yeah, you blocked yourself. It is good practice to *never* muck with iptables via a remote session.

    The server is not down, but may as well be, if you don't have local, physical access. I assume you can log in locally?

    btw, don't feel bad. just about everybody who has ever messed with firewalls has done this (self included).

  6. #5
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66


    I don't have any other access.
    So, how do I block all the ports except 80, 8080 and 22?

    Code:
    iptables -P INPUT DROP
    Shouldn't I enter this before accepting 80, 8080 and 22?

  7. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Yes, in the /etc/sysconfig/iptables config file, it would go first, but I was assuming you ran that command in the terminal, which would override the current settings.

    Regarding the access, is the machine remote then? Can someone disable the firewall for you, or reboot it?

  8. #7
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    It is a remote machine.
    I have sent a mail.

    Will restart fix it?

  9. #8
    Just Joined!
    Join Date
    Nov 2011
    Posts
    66
    What will happen if I first enter

    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    and after that I enter
    Code:
    iptables -P INPUT DROP
    Will it still accept ports 80 and 22?

  10. #9
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    A reboot will NOT fix it if iptables is configured to start upon reboot.

    Edit: Wanted to get that message out first...now more detail. If you want immediate access, have them log in as root and stop the firewall:
    Code:
    service iptables stop
    You can make sure it is disabled with:
    Code:
    chkconfig iptables off
    which will be persistent across reboots.

    If I were you, I'd get a working iptables configuration on A LOCAL SERVER that is hopefully the same distro/version as your remote one. Save that config (using iptables-save > iptables.txt), then copy it to the remote server as /etc/sysconfig/iptables.

    Here's an example /etc/sysconfig/iptables that you can try:
    Code:
    # Turn on traffic filtering
    *filter
    
    # set default policies
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    
    # accept all traffic from the loopback interface
    -A INPUT -i lo -j ACCEPT
    
    # Accept legitimate responses to traffic we generate.
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Accept SSH connections from my network only.
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    # (negation goes before the option; the older "-s !" form is deprecated)
    -A INPUT ! -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
    
    # Accept http requests
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
    
    # Allow ICMP (pings) through
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p icmp -j ACCEPT
    
    # save it
    COMMIT
    Just change the -s 192.168.1.0/255.255.255.0 portion with your network info. This is a pretty simple firewall config, read more here.
    Last edited by atreyu; 12-01-2011 at 03:03 PM.
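Pulling together the question in #8 (ACCEPT rules first, then `iptables -P INPUT DROP`) and the /etc/sysconfig/iptables file above: the script below is an added example, not code from this thread or from either poster. It generates a ruleset in iptables-restore format, where the DROP policy and the ACCEPT rules are committed in one step so there is never a moment with the DROP policy standing alone, and it arms a timed rollback before loading the new rules over SSH, which is what turns the lockout in #3 into a five-minute inconvenience. The backup path /root/iptables.rollback, the 300-second window and the port list are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build the whole INPUT policy as one
# iptables-restore ruleset and load it with a timed rollback, instead of typing
# `iptables -P INPUT DROP` into the live SSH session. The backup path and the
# 300-second window are assumptions chosen for this example.

BACKUP=/root/iptables.rollback          # assumed location for the saved rules
ROLLBACK_SECS=300                       # how long you have to confirm

# build_ruleset PORT... : print a ruleset that drops everything on INPUT except
# loopback, replies to our own connections, and the listed TCP ports. Policy
# and ACCEPT rules are committed together by iptables-restore, so the order
# worry from post #8 does not arise.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback FILE : save the live rules, arm a rollback that restores
# them after ROLLBACK_SECS unless confirm_rules is run, then load FILE.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    iptables-restore --test < "$1" || return 1     # parse only, commits nothing
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
    iptables-restore < "$1"
    echo "rules loaded; open a NEW ssh session and run confirm_rules within ${ROLLBACK_SECS}s"
}

# confirm_rules : cancel the pending rollback once a fresh SSH login has worked.
confirm_rules() {
    kill "$(cat "$BACKUP.pid")" && rm -f "$BACKUP.pid"
}

# Typical use (as root):
#   build_ruleset 22 80 8080 > /root/new.rules
#   apply_with_rollback /root/new.rules
#   ... log in from another terminal, then:  confirm_rules
```

Confirm from a new session, not the one that loaded the rules: an existing SSH connection is covered by the ESTABLISHED rule and keeps working even when a fresh login would be dropped, which is exactly how the lockout in this thread went unnoticed until the session closed.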

  11. #10
    Linux Enthusiast scathefire's Avatar
    Join Date
    Jan 2010
    Location
    Western Kentucky
    Posts
    626
    --Looks like atreyu was quicker.

    That's not necessarily true, iptables will load up whatever rules are stored into /etc/sysconfig/iptables by default. So as long as you didn't run iptables-save or write your rules directly into that file, it should load up the original configs.

    I would start with a firewall script something like this:
    Code:
    #!/bin/sh
    # Default settings are to drop all
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # Anything localhost is allowed
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Trust everything generated from the server, so therefore anything coming back should be accepted
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Input rules (--dport is only valid together with a protocol match, so -p tcp is required)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    Run this script. Once you have your rules the way you like them, do an iptables-save.
    Code:
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables-old
    iptables-save > /etc/sysconfig/iptables
    Last edited by scathefire; 12-01-2011 at 03:11 PM. Reason: Basically what atreyu said
    linux user # 503963
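Before a saved ruleset is copied over /etc/sysconfig/iptables as suggested in #9 and #10, it is worth linting it for the mistakes that produced this thread. The script below is an added check, not part of scathefire's or atreyu's posts: it fails a file whose INPUT policy is DROP with no ACCEPT for the SSH port, a file that uses `--dport` without `-p tcp` or `-p udp` (iptables rejects such a line and iptables-restore then aborts the whole load), and a file missing its COMMIT. The two sample rulesets are constructed inline for the demonstration; the SSH port is passed in because the original poster moved it off 22.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save style file for the
# mistakes that lock an admin out, before it is installed as
# /etc/sysconfig/iptables. The sample files below are constructed for the demo.

# check_ruleset FILE SSH_PORT : return 0 if FILE looks safe to load remotely
check_ruleset() {
    file="$1"
    ssh_port="$2"
    status=0

    # 1. A DROP policy on INPUT with no ACCEPT for the SSH port is a lockout.
    policy=$(awk '$1 == ":INPUT" { print $2 }' "$file")
    if [ "$policy" = "DROP" ] && \
       ! grep -q -- "-p tcp.*--dport $ssh_port .*-j ACCEPT" "$file"; then
        echo "$file: INPUT policy is DROP but nothing accepts tcp/$ssh_port"
        status=1
    fi

    # 2. --dport needs a protocol match; iptables refuses the line otherwise
    #    and iptables-restore aborts the whole load.
    if grep -- '--dport' "$file" | grep -v -- '-p tcp' | grep -q -v -- '-p udp'; then
        echo "$file: --dport used without -p tcp or -p udp"
        status=1
    fi

    # 3. The *filter block must end in COMMIT or nothing is applied.
    if ! grep -q '^COMMIT' "$file"; then
        echo "$file: missing COMMIT"
        status=1
    fi
    return "$status"
}

# write_good_ruleset FILE : constructed sample, the intended configuration
write_good_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# write_bad_ruleset FILE : constructed sample with --dport lacking -p tcp and no SSH rule
write_bad_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT --dport 80 -j ACCEPT
-A INPUT --dport 8080 -j ACCEPT
COMMIT
EOF
}

# demo : lint both constructed samples and show the verdicts
demo() {
    good=$(mktemp) && bad=$(mktemp) || return 1
    write_good_ruleset "$good"
    write_bad_ruleset "$bad"
    check_ruleset "$good" 22 && echo "good ruleset: OK"
    check_ruleset "$bad" 22 || echo "bad ruleset: rejected"
    rm -f "$good" "$bad"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Run it as `sh lint_ruleset.sh demo` to see both verdicts, or call `check_ruleset /path/to/iptables.txt 22` on the file produced by iptables-save on the local test box before it goes anywhere near the remote server.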
