12-01-2011 #1 | Just Joined! | Join Date: Nov 2011 | Posts: 65
IP is not pointing to my server :(
Hi
I have done the following:
1) Changed ssh port
2) Disabled root login through ssh
3) Installed a few firewalls
4) Blocked everything in iptables except 80, 8080 and the ssh port
5) Finally installed apache, php, mysql and phpmyadmin
Started the services, but when hitting the IP address in the browser, I don't see any output.
I have just added an index.html at /var/www/html/index.html
12-01-2011 #2 | Linux Guru | Join Date: May 2011 | Posts: 1,843
So you are trying to use a browser on the same machine that is running apache, yes?
Are you sure the apache service is started? Not sure what your distro is, but try:
Code:
    /etc/init.d/httpd status
or look for it in ps:
Code:
    ps auxww|egrep 'httpd|apache'
temporarily disable the firewall to make sure that is not the problem, e.g.:
Code:
    /etc/init.d/iptables stop
what are you browsing to, exactly? Try:
Code:
    http://localhost
Run this in a terminal while you try to connect, to see apache errors:
Code:
    tailf /var/log/httpd/error_log
Edit: If you are using a hostname in the browser, make sure you can resolve it. On the command line, try to ping it. If the hostname is DNS-based, try "host YOUR_HOSTNAME"
Last edited by atreyu; 12-01-2011 at 01:52 PM. Reason: resolve ip
12-01-2011 #3 | Just Joined! | Join Date: Nov 2011 | Posts: 65
Yes, it was iptables which was blocking.
Now I got another serious problem.
I tried to see the rules in the table. It returned nothing.
So, I thought to add new rules again.
I entered this:
Code:
    iptables -P INPUT DROP
Immediately I lost my ssh connection. And I am not able to access it again.
Ping returns 100% data loss.
Putty is not even loading for that IP address.
Am I fully blocked, or is the server down?
12-01-2011 #4 | Linux Guru | Join Date: May 2011 | Posts: 1,843
heh. yeah, you blocked yourself. It is good practice to *never* muck with iptables via a remote session.
The server is not down, but may as well be, if you don't have local, physical access. I assume you can log in locally?
btw, don't feel bad. just about everybody who has ever messed with firewalls has done this (self included).
12-01-2011 #5 | Just Joined! | Join Date: Nov 2011 | Posts: 65
I don't have any other access.
So, how do I block all the ports except 80, 8080, 22?
Should I not enter this before accepting 80, 8080, 22?
Code:
    iptables -P INPUT DROP
12-01-2011 #6 | Linux Guru | Join Date: May 2011 | Posts: 1,843
Yes, in the /etc/sysconfig/iptables config file, it would go first, but I was assuming you ran that command in the terminal, which would override the current settings.
Regarding the access, is the machine remote then? Can someone disable the firewall for you, or reboot it?
12-01-2011 #7 | Just Joined! | Join Date: Nov 2011 | Posts: 65
It is a remote machine.
I have sent a mail.
Will a restart fix it?
12-01-2011 #8 | Just Joined! | Join Date: Nov 2011 | Posts: 65
What will happen if I first enter
Code:
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
and after that I enter
Code:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Code:
    iptables -P INPUT DROP
Will it accept port 80 and 22?
12-01-2011 #9 | Linux Guru | Join Date: May 2011 | Posts: 1,843
A reboot will NOT fix it if iptables is configured to start upon reboot.
Edit: Wanted to get that message out first...now more detail. If you want immediate access, have them log in as root and stop the firewall:
Code:
    service iptables stop
You can make sure it is disabled with:
Code:
    chkconfig iptables off
which will be persistent across reboots.
If I were you, I'd get a working iptables configuration on A LOCAL SERVER that is hopefully the same distro/version as your remote one. Save that config (using iptables-save > iptables.txt), then copy it to the remote server as /etc/sysconfig/iptables.
Here's an example /etc/sysconfig/iptables that you can try:
Code:
    # Turn on traffic filtering
    *filter
    # set default policies
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # accept all traffic from the loopback interface
    -A INPUT -i lo -j ACCEPT
    # Accept legitimate responses to traffic we generate.
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Accept SSH connections from my network only.
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s ! 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
    # Accept http requests
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
    # Allow ICMP (pings) through
    -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p icmp -j ACCEPT
    # save it
    COMMIT
Just change the -s 192.168.1.0/255.255.255.0 portion with your network info. This is a pretty simple firewall config, read more here.
Last edited by atreyu; 12-01-2011 at 03:03 PM.
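The lockout in this thread comes down to ordering: "iptables -P INPUT DROP" was run before any ACCEPT existed. The script below is an added example (editor's, not atreyu's or scathefire's code) that applies the same minimal policy for a remote web server (loopback, ESTABLISHED/RELATED, SSH, 80, 8080) with the DROP policy strictly last, refuses to run if that order is ever broken, and arms a background job that reverts to ACCEPT-all after a timeout unless you confirm a fresh login works and cancel it. It assumes SSH is on 22 (set SSH_PORT, since the poster moved it), that eth0 is the public interface, and that the web ports should be reachable from anywhere, unlike the LAN-only config above.

```shell
#!/bin/sh
# Added example, not code from the thread: assemble a minimal INPUT chain for
# a remote web server in an order that cannot drop the SSH session you are
# working from, and apply it behind a timed rollback.
# Assumptions: SSH listens on 22 (the poster moved it, so set SSH_PORT),
# eth0 is the public interface, and the filter table is otherwise empty.
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="80 8080"
IFACE="${IFACE:-eth0}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit one iptables command per line. The policy is set to ACCEPT before the
# flush, every ACCEPT rule comes next, and the DROP policy is last, so there
# is no point between two commands at which SSH is unreachable.
build_rules() {
    printf '%s\n' \
        "iptables -P INPUT ACCEPT" \
        "iptables -F INPUT" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -j ACCEPT"
    for p in $WEB_PORTS; do
        printf '%s\n' "iptables -A INPUT -i $IFACE -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "iptables -P INPUT DROP"
}

# Read a rule list on stdin; succeed only if an ACCEPT for the SSH port
# appears before "-P INPUT DROP" and that DROP policy is the final line.
check_order() {
    awk -v port="$SSH_PORT" '
        $0 ~ ("--dport " port " -j ACCEPT") { ssh = NR }
        /-P INPUT DROP/                    { drop = NR }
        END { exit !(ssh && drop && ssh < drop && drop == NR) }'
}

rules_are_safe() {
    build_rules | check_order
}

# Apply the rules. A background job reverts to ACCEPT-all after
# ROLLBACK_SECS; open a fresh SSH session to prove you still have access,
# then kill that job. If you did lock yourself out, just wait it out.
apply_rules() {
    rules_are_safe || { echo "refusing to apply: rule order would lock you out" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS"; iptables -P INPUT ACCEPT; iptables -F INPUT ) &
    rollback_pid=$!
    build_rules | sh -e
    echo "applied; confirm a NEW ssh login works, then run: kill $rollback_pid"
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;   # default is a dry run that only prints the plan
esac
```

Run it without arguments to see the exact commands it would issue; run it as root with --apply on the server to put them in place. Once a new session is confirmed and the rollback job is killed, the live rule set is what you want to persist with iptables-save.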
12-01-2011 #10
--Looks like atreyu was quicker.
That's not necessarily true, iptables will load up whatever rules are stored into /etc/sysconfig/iptables by default. So as long as you didn't run iptables-save or write your rules directly into that file, it should load up the original configs.
I would start with a firewall script something like this:
Code:
    # Default settings are to drop all
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # Anything localhost is allowed
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Trust everything generated from the server, so therefore anything coming back should be accepted
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Input rules (--dport needs a protocol, so -p tcp is required)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Run this script. Once you have your rules the way you like them, do an iptables-save.
Code:
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables-old
    iptables-save > /etc/sysconfig/iptables
Last edited by scathefire; 12-01-2011 at 03:11 PM. Reason: Basically what atreyu said
linux user # 503963
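Both replies above hinge on what is sitting in /etc/sysconfig/iptables when the box restarts: that file is what the service loads, so a saved "policy DROP, nothing accepted" state survives a reboot. The script below is an added example (editor's, not code from this thread) that lints an iptables-save style file before a reboot loads it, reporting a DROP policy with no SSH accept, no ESTABLISHED/RELATED rule, no loopback accept, or a missing COMMIT. The two sample files it checks are constructed for the example; it assumes SSH is on 22 unless SSH_PORT is set.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an iptables-save style file
# (such as /etc/sysconfig/iptables) before a reboot loads it, so a saved
# "INPUT DROP with nothing accepted" state is caught on disk rather than
# discovered after the restart. Assumption: SSH is on 22; set SSH_PORT if not.
SSH_PORT="${SSH_PORT:-22}"

# Print one problem per line; return 0 only when the file is safe to load.
check_saved_rules() {
    awk -v port="$SSH_PORT" '
        /^\*/                 { table = substr($1, 2) }   # "*filter", "*nat", ...
        /^COMMIT/             { commits++ }
        table == "filter" && /^:INPUT DROP/ { drop = 1 }
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ {
            if ($0 ~ ("--dport " port "( |$)")) ssh = 1
            if ($0 ~ /--state [A-Z,]*ESTABLISHED/) est = 1
            if ($0 ~ /-i lo /) lo = 1
        }
        END {
            bad = 0
            if (drop && !ssh) { print "INPUT policy is DROP but no rule accepts tcp/" port " (remote lockout)"; bad = 1 }
            if (drop && !est) { print "no ESTABLISHED,RELATED accept: replies to the server'"'"'s own outbound traffic will be dropped"; bad = 1 }
            if (drop && !lo)  { print "loopback not accepted: local services talking to 127.0.0.1 will break"; bad = 1 }
            if (!commits)     { print "no COMMIT line: iptables-restore will reject the file"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample: what the thread's lockout leaves on disk if
# "iptables -P INPUT DROP" is followed by iptables-save.
LOCKED_OUT=$(mktemp)
SAFE=$(mktemp)
trap 'rm -f "$LOCKED_OUT" "$SAFE"' EXIT
cat > "$LOCKED_OUT" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

# Constructed sample: the same policy with the accepts that make it survivable.
cat > "$SAFE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF

for f in "$LOCKED_OUT" "$SAFE"; do
    if check_saved_rules "$f"; then echo "ok: $f"; else echo "UNSAFE: $f"; fi
done
```

On the real server, run "check_saved_rules /etc/sysconfig/iptables" right after the iptables-save step; a non-zero exit means the file would lock you out (or fail to load) on the next restart, which is exactly the case atreyu warns a reboot will not fix.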