I have been flailing trying to get a web server running on Fedora 21.
Finally did so.
I have my iptables working (me thinks) as they should. I can connect from my Linux box (local) or from my Mac on the same network/subnet.
Problem is in my "travels" I have somehow trashed my firewall-cmd.
I was adding parameters to it w/o issue. E.g.:
firewall-cmd --zone=public --add-port=80/tcp --permanent
Then restarting firewall-cmd
firewall-cmd --reload
This was all working. I "fixed" my problem with connecting to my web server from other LAN workstations (iptables issues) and was going back to see if all was well. Now when I try to restart I get a:
FirewallD is not running
That from my "reload" command above.
Have I fixed my web server issue or is my world wide open att?
Assistance, as always, greatly appreciated.
Skip
This is a copy of my /etc/sysconfig/iptables.conf (w/o comments):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Added the port 80/21 entries.
vsftpd does work.
"iptables-save | grep 80" returns nothing.
My web server works (internal and external).
"systemctl is-active iptables" shows "inactive"
I have "just" gotten firewalld up and running thanks to questions answered here.
iptables is truly a mystery to me.
Can someone explain why my web server/vsftpd are up and working w/o iptables being active? How can I get my network and security both up and working safely together?
If I enable/activate iptables, is this going to break my web server?
Is this the appropriate forum for this question?
As always, thank you for your time and patience,
Skip
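Added example, not taken from either of Skip's posts above: a small POSIX shell audit of the ruleset the kernel is actually enforcing. `iptables-save` prints the live rules regardless of whether iptables.service or firewalld loaded them, so it is the thing to inspect when `systemctl is-active iptables` and the observed behaviour disagree (on Fedora 21 firewalld is the default front-end and its unit conflicts with iptables.service, so only one of the two should be enabled). The dump below is constructed to mirror the ruleset quoted above so the script runs offline without root; on a live box replace it with `iptables-save > file`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset.
# Live use:  iptables-save > /tmp/live.rules  and point RULES at that file.
# Here a constructed dump mirroring the one quoted in the thread is used.

RULES="$(mktemp)"
trap 'rm -f "$RULES"' EXIT
cat >"$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# port_allowed FILE PORT: succeed if some "-A INPUT ... -p tcp ... --dport PORT -j ACCEPT"
# rule exists. "-p tcp" may appear before or after the state match, so the
# fields are scanned rather than matched positionally.
port_allowed() {
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT$/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dport" && $(i+1) == port) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# input_closed FILE: succeed if unlisted ports are actually blocked, either by a
# DROP policy on INPUT or by a catch-all "-A INPUT -j REJECT/DROP" rule.
input_closed() {
    awk '
        /^:INPUT (DROP|REJECT)/ { closed = 1 }
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { closed = 1 }
        END { exit closed ? 0 : 1 }' "$1"
}

# open_tcp_ports FILE: space-separated, sorted list of TCP ports accepted in INPUT.
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT$/ {
            for (i = 3; i < NF; i++) if ($i == "--dport") print $(i+1) }' "$1" \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

report() {
    echo "TCP ports accepted in INPUT: $(open_tcp_ports "$RULES")"
    for p in 22 80 8080; do
        if port_allowed "$RULES" "$p"; then echo "tcp/$p: allowed"; else echo "tcp/$p: not allowed"; fi
    done
    if input_closed "$RULES"; then
        echo "INPUT: unlisted ports are rejected (catch-all rule or DROP policy present)"
    else
        echo "INPUT: no catch-all REJECT/DROP and policy ACCEPT: every listening port is reachable"
    fi
}
report
```

If `iptables-save` prints only the three policy lines with ACCEPT and no rules, the machine is not filtering anything, whatever `systemctl` says about either service; a web server that "just works" in that state is working because nothing is in the way.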
Hi,
I am running a CentOS 6 server, with a public IP, as a web server. Sometimes the FTP service & firewall (system-config-firewall) go dead/crash.
I have to start the messagebus service in order to start the firewall.
What is the real cause of this issue? DoS attack?
netstat doesn't show any unusual IP connections.
Hi,
So, I am learning meteor.js and signed up for a (cheap, i.e. no support) VPS to host my Meteor app. Everything is running fine but I am trying to understand better how Linux works so here is my question:
I am running CentOS 7 on the VPS but it still uses iptables for its firewall.
I had to enable port 80 to access the web server. However, if I reboot the server, it stops working until I do
Code:
iptables -F
Then everything works. But I am thinking that -F might not be the best thing. I have changed the default SSH port from 22 to something else and that also works but I don't think I ever added it to the iptables rules.
If I do a port scan, the new SSH port is indicated as open as well as port 80 but others are closed as they are supposed to be.
Any idea what is going on behind the scenes that requires iptables -F for the web access to work properly, and if I shouldn't be doing iptables -F (I have it in the rc.local file), what is the right way of doing it?
(BTW, I am computer literate but not that familiar with Linux, which I am trying to learn now.)
Kamal
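Added example, not from Kamal's post: the persistent alternative to flushing the firewall from rc.local. `iptables -F` removes every rule but leaves the default policies; if those are ACCEPT the host has no filtering at all, and a port scan reporting the other ports "closed" only means nothing is listening there, not that they are filtered. On CentOS 7 the iptables.service unit (package iptables-services) loads /etc/sysconfig/iptables at boot, so the fix is to put a complete ruleset there instead; firewalld is the default on CentOS 7 and conflicts with that unit, so only one of the two should be enabled. The SSH port 2222 below is an assumed example value, and the demonstration writes to a temporary file rather than /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the thread): generate and install a complete
# iptables-restore ruleset instead of running "iptables -F" at boot.

# gen_ruleset SSH_PORT: print a ruleset that keeps established traffic,
# loopback and ICMP, accepts SSH on SSH_PORT and HTTP on 80, and rejects the
# rest. The SSH rule is validated and placed before the catch-all REJECT so a
# custom SSH port cannot be locked out by rule order.
gen_ruleset() {
    ssh_port="$1"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "gen_ruleset: SSH port '$ssh_port' is not a number" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "gen_ruleset: SSH port $ssh_port out of range" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# install_ruleset SSH_PORT DEST: write the ruleset to DEST (normally
# /etc/sysconfig/iptables). When running as root with iptables-restore
# available, syntax-check it first with --test, which parses the file
# without touching the live tables.
install_ruleset() {
    tmp="$(mktemp)"
    if ! gen_ruleset "$1" >"$tmp"; then rm -f "$tmp"; return 1; fi
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        if ! iptables-restore --test <"$tmp"; then rm -f "$tmp"; return 1; fi
    fi
    mv "$tmp" "$2"
}

# Demonstration against a temporary file. On the real box the destination is
# /etc/sysconfig/iptables, followed by:  systemctl enable --now iptables
# (with firewalld disabled, or the other way round, never both).
SSH_PORT=2222           # assumed example value
DEMO_OUT="$(mktemp)"
install_ruleset "$SSH_PORT" "$DEMO_OUT" && cat "$DEMO_OUT"
```

Before enabling the unit, load the file once by hand from a console session (`iptables-restore < /etc/sysconfig/iptables`) and confirm the SSH port still answers; a typo in the SSH rule is far cheaper to discover while you are still logged in.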
I have an Intel x86_64 system running RHEL 7.0. I want to use this system as a firewall. The system has two NICs. One NIC is defined with the static IP address from my ISP. The other NIC is also static, i.e. no DHCP, and is assigned a LAN address of 192.168.10.6. It is plugged into a switch (192.168.10.1) that has three other devices plugged in, each with its own hard-coded LAN address (netmask is 255.255.255.0).

I have two zones active in the firewall config: External (using the static IP from the ISP) and Internal (using the IP address of 192.168.10.6). I'm forwarding the following two ports, 80 & 443, in both zones. External zone: ports 80 & 443 are forwarded to my switch (192.168.10.1). Internal zone: ports 80 & 443 are forwarded to my static IP address from my ISP. I have IP masquerading turned on in the External zone.

However none of the other workstations (Windows 7 Professional) and my "smart" TV (Netflix access) are able to access the internet. Again I'm NOT using any DHCP, all IP addresses are hard coded. I can ping any LAN address from any LAN node. The Linux FW machine can access the internet. I've read through the RHEL 7.0 Security Guide regarding setting up the firewall and I believe I have all the elements defined properly ... It just doesn't work. I have the same set of DNS values defined on all systems.
They are the three DNS servers assigned by my ISP. I have IPv4 forwarding active on my Linux system. I have masquerading "turned on" in the External zone. The resolv.conf file has the IP addresses of the DNS servers as well as my switch.
However the Windows 7 systems and my "smart" TV cannot access the internet.
Anyone who's really familiar with rhel firewall-config GUI and has any suggestions please respond.
Thanks
Guy
Hi all,
I am brand new to Linux, playing around a bit with different things to see how I can use it in the future. Here is my problem:
I have written a simple program in Ada that works well on Windows. It opens a TCP port (20000) and listens for incoming connections. I tried it on my internal network and it works well. I can connect from other Windows machines and even from my Linux machine.
Now I moved the program to Linux and compiled it there. It starts ok and then listens for the connections. I can connect to it from that same Linux machine but not from any other machine on my network.
I checked the firewall status on Linux with ufw status and it is disabled. I also tried to add a rule to the iptables with
iptables -A INPUT -p tcp --dport 20000 -j ACCEPT
but still nothing. I cannot connect from another machine on my network. I also tried to open a simple telnet connection from a Windows machine and that too is blocked. I thought without the firewall all incoming connections would be allowed but obviously something is not working as I thought.
Any help would be greatly appreciated
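Added example, not from the post above: before touching the firewall again, check which address the listener is bound to. A socket bound to 127.0.0.1 (or ::1) answers on the machine itself and nowhere else, and no iptables rule can change that; it is the most common reason for "works locally, not from the LAN" when the firewall is already off. The other thing to verify is rule order: `iptables -A` appends, so an ACCEPT added after an existing catch-all REJECT never matches (`iptables -S INPUT` shows the order). The listing below is constructed sample output in `ss -ltn` format; on a live box run `ss -ltn > file` and point the function at it.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a TCP port is bound from
# "ss -ltn" output. The sample below is constructed, not captured.

LISTEN_SAMPLE="$(mktemp)"
trap 'rm -f "$LISTEN_SAMPLE"' EXIT
cat >"$LISTEN_SAMPLE" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:20000     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::1]:20000         [::]:*
LISTEN  0       128     192.168.1.10:3306   0.0.0.0:*
EOF

# bind_scope FILE PORT prints one of:
#   any            wildcard address, reachable from other hosts (firewall permitting)
#   specific       one non-loopback address, reachable only via that address
#   loopback-only  127.x / ::1 only, unreachable from the LAN regardless of firewall
#   not-listening  nothing bound to that port at all
bind_scope() {
    awk -v port="$2" '
        $1 == "LISTEN" {
            local = $4
            n = split(local, parts, ":")            # last piece is the port
            if (parts[n] != port) next
            addr = substr(local, 1, length(local) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")  any = 1
            else if (addr ~ /^127\./ || addr == "[::1]")             loop = 1
            else                                                      spec = 1
        }
        END {
            if (any) print "any"
            else if (spec) print "specific"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }' "$1"
}

for p in 20000 22 3306 9999; do
    echo "tcp/$p: $(bind_scope "$LISTEN_SAMPLE" "$p")"
done
```

A result of `loopback-only` means the program itself must be changed to bind to 0.0.0.0 (or the LAN address); `any` with the firewall disabled points back at the network path or the client instead.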
Hi,
I have an index page in /var/www/html. From the local machine I can open the page as localhost or the machine name whether the firewall is on or off. But when I type the IP of the machine on another LAN PC it automatically navigates to another folder, say like 192.168.1.1 enter -> 192.168.1.1/newpage, and gives a 404 error when the firewall is up, but I get the page when the firewall is down. What do I do?
Hello!
I'm pretty new to the world of Linux. Right now I use Ubuntu Desktop 14.04. Later down the road I plan to install LAMP to try to run a web server.
Generally speaking, I prefer GUI (as most people, I guess), though I have no problem with CLI (remember myself in 1990 with MS-DOS).
As a regular user I don't think I really need a firewall in Ubuntu. Sticking to installation defaults is fine by me. But as an admin of a web server, I would think that I'm gonna need something beyond the Desktop ed. defaults security-wise. I'm aware of IPtables, of course. But to me it seems a little bit too much to learn, too steep of a learning curve right now. Then there's ufw.
And a GUI front-end of it, which is Gufw. Here opinions vary. Some say, I must learn IPtables, others think that Gufw does its job fine.
So what I'm asking here is not just an OPINION, but also a reasoning behind it. Real life example maybe etc.
Thank you.
I am trying to set up a "Proxy Server" in Linux, without using Squid (Part of my project). However I have beginner's knowledge of iptables. I am using the following script from "http://www.aboutdebian.com/proxy.
#!/bin/sh
INTIF="eth1"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Question: there is no packet forwarding from eth1 to eth0 (verified with Wireshark; a Windows machine is using eth1's IP address as its default gateway).
Any help would be highly appreciated!
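Added example, not from the linked script or from the post: a checklist for the three things a masquerading gateway needs, run against text the box can produce without a packet capture. IPv4 forwarding must be 1, the filter FORWARD chain must accept inside-to-outside traffic, and the nat POSTROUTING chain must MASQUERADE (or SNAT) on the outside interface. The interface names are the script's own (eth1 inside, eth0 outside); the two inputs below are constructed, and forwarding is deliberately left at 0 so the report shows what a failure looks like. On a live box feed it `cat /proc/sys/net/ipv4/ip_forward` and `iptables-save`.

```shell
#!/bin/sh
# Added example (not from the thread): verify the forwarding path of a
# masquerading gateway from ip_forward and an iptables-save dump.
# Both inputs are constructed; ip_forward is deliberately 0 here.

INTIF=eth1   # inside interface, as in the quoted script
EXTIF=eth0   # outside interface, as in the quoted script

FWD_FILE="$(mktemp)"; RULES="$(mktemp)"
trap 'rm -f "$FWD_FILE" "$RULES"' EXIT
echo 0 >"$FWD_FILE"
cat >"$RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

# forwarding_enabled FILE: the sysctl file holds exactly "1"
forwarding_enabled() { [ "$(cat "$1")" = "1" ]; }

# forward_allowed RULES IN OUT: a "-A FORWARD -i IN -o OUT ... -j ACCEPT" rule exists
forward_allowed() {
    awk -v in_if="$2" -v out_if="$3" '
        $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT$/ {
            iin = ""; oo = ""
            for (i = 3; i < NF; i++) { if ($i == "-i") iin = $(i+1); if ($i == "-o") oo = $(i+1) }
            if (iin == in_if && oo == out_if) { ok = 1; exit }
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# masquerade_present RULES OUT: nat POSTROUTING has MASQUERADE or SNAT for -o OUT.
# The "*table" header lines are tracked so a filter rule cannot satisfy a nat check.
masquerade_present() {
    awk -v out_if="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && (/ -j MASQUERADE/ || / -j SNAT /) {
            for (i = 3; i < NF; i++) if ($i == "-o" && $(i+1) == out_if) { ok = 1; exit }
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# check: PASS/FAIL per requirement; returns 1 if anything failed
check() {
    rc=0
    if forwarding_enabled "$FWD_FILE"; then echo "PASS ip_forward=1"
    else echo "FAIL ip_forward is not 1 (echo 1 > /proc/sys/net/ipv4/ip_forward, and persist it in sysctl.conf)"; rc=1; fi
    if forward_allowed "$RULES" "$INTIF" "$EXTIF"; then echo "PASS FORWARD $INTIF -> $EXTIF accepted"
    else echo "FAIL no FORWARD rule $INTIF -> $EXTIF with FORWARD policy DROP"; rc=1; fi
    if masquerade_present "$RULES" "$EXTIF"; then echo "PASS MASQUERADE on $EXTIF"
    else echo "FAIL no MASQUERADE/SNAT on $EXTIF in nat POSTROUTING"; rc=1; fi
    return $rc
}
check
```

All three passing and still no forwarding usually leaves two suspects the dump cannot show: the inside clients' default gateway and DNS settings, and whether the `modprobe`/`ifconfig` lines in the script actually succeeded on that kernel (run the script with `sh -x` and read the errors).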
When I do apt-get update and apt-get upgrade, both times I have to unplug my ethernet cord right after it's done downloading the stuff and right before it finishes saying "reading changelogs" and stuff, because maybe a second or three after it finishes reading the changelogs my firewall will be lowered. If I unplug my ethernet cord in time I just reset the iptables and plug my ethernet cord back in. For really small upgrades it will finish downloading and reading changelogs too quickly, so I'm not sure if my firewall was lowered or not and I have to reinstall. I just want it to pause or wait for 5 seconds or something after the upgrades are downloaded. Is there any way for me to do this?
Hello,
I am having issues connecting to my Linux box (openSUSE 11.3) from my Windows 7 system. I am using FileZilla. When I attempt to connect I get this error message:
Status: Connecting to 192.168.198.205...
Response: fzSftp started
Command: open "Mike@192.168.198.205" 22
Command: Trust new Hostkey: Once
Command: Pass: *********
Error: Authentication failed.
Error: Critical error
Error: Could not connect to server
I am thinking it is a setup issue on my Linux box but not sure what to change at this point. I must have some settings correct, because I am able to remote into my Linux box using FreeNX. Any help would be appreciated.