This is a copy of my /etc/sysconfig/iptables.conf (w/o comments):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Added the port 80/21 entries.
vsftpd does work.
"iptables-save | grep 80" returns nothing.
My web server works (internal and external).
"systemctl is-active iptables" shows "inactive"
I have "just" gotten firewalld up and running thanks to questions answered here.
iptables is truly a mystery to me.
Can someone explain why my web server/vsftpd are up and working w/o iptables being active? How can I get my network and security both up and working safely together?
If I enable/activate iptables, is this going to break my web server?
Is this the appropriate forum for this question?
As always, thank you for your time and patience,
Skip
Hello! I hope this post gets in the right place, because I'm a newbie at Linux.
I'm trying to set up a web server, Apache, and I'm confused which chain to set in IPTables. I hoped someone could answer me in a little more detail. I've tried googling, but the answers were quite confusing for me. Anyway, here are the statements:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
and
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
I know that -A INPUT is for incoming packets and -p specifies the protocol TCP. But I'm unsure what -m does, because in the first line it is just "-m tcp" and in the second it is "-m state --state". So if someone could explain the difference and which one to use, I would be grateful.
And another question while I'm at it: at the start of IPTables I have:
-A INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
What happens if I get a packet destined for some service that isn't a chain in IPTables? Take port 80 for example: will IPTables accept the packet, but drop it at the end because there isn't any hit? If you understand what I mean. If -A INPUT were DENY instead of ACCEPT, would the packet never ever get examined further than the first line?
Almost at the bottom of IPTables there is a line:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Is it the chain that will be matched if there is no hit prior to it? What would happen if this line wasn't there?
Thank you very much for your help. I just want to be a little more sure how IPTables works.
Best Regards, Stefan
I have been flailing trying to get a web server running on Fedora 21.
Finally did so.
I have my iptables working (me thinks) as they should. I can connect from my Linux box (local) or from my Mac on the same network/subnet.
Problem is in my "travels" I have somehow trashed my firewall-cmd.
I was adding parameters to it w/o issue, e.g.
firewall-cmd --zone=public --add-port=80/tcp --permanent
Then restarting firewall-cmd
firewall-cmd --reload
This was all working. I "fixed" my problem with connecting to my web server from other LAN workstations (iptables issues) and was going back to see if all was well. Now when I try to restart I get a:
FirewallD is not running
That from my "reload" command above.
Have I fixed my web server issue or is my world wide open att?
Assistance, as always, greatly appreciated.
Skip
Hi everyone
I have a question about iptables
This line
Code:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Why is there a "-m tcp"? What does this mean? I checked some books and the man page, but I did not find what it means.
Thank you very much for your help.
I am trying to set up a "Proxy Server" in Linux, without using Squid (Part of my project). However I have beginner's knowledge of iptables. I am using the following script from "http://www.aboutdebian.com/proxy.
#!/bin/sh
INTIF="eth1"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
The question is: there is no packet forwarding from eth1 to eth0 (verified with Wireshark; a Windows machine is using eth1's IP address as its default gateway).
Any help would be highly appreciated!
Hi all,
I am brand new to Linux, playing around a bit with different things to see how I can use it in the future. Here is my problem:
I have written a simple program in Ada that works well on Windows. It opens a TCP port (20000) and listens for incoming connections. I tried it on my internal network and it works well. I can connect from other Windows machines and even from my Linux machine.
Now I moved the program to Linux and compiled it there. It starts ok and then listens for the connections. I can connect to it from that same Linux machine but not from any other machine on my network.
I checked the firewall status on Linux with ufw status and it is disabled. I also tried to add a rule to the iptables with
iptables -A INPUT -p tcp --dport 20000 -j ACCEPT
but still nothing. I cannot connect from another machine on my network. I also tried to open a simple telnet connection from a Windows machine and that too is blocked. I thought without the firewall all incoming connections would be allowed, but obviously something is not working as I thought.
Any help would be greatly appreciated
I was reading the frozentux appendix for dhcp (https://www.frozentux.net/iptables-t...tml/x6316.html) and I was wondering how could this
Code:
$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
be made more restrictive? The author himself says that this can be done, but doesn't give any details in this respect.
I am interested in both cases - if the computer is a dhcp server or if it is only a dhcp client. Can you help me out with this?
Hello,
I am trying to set up SSH on my Linux machine. I have all the ssh packages downloaded and have added rules to my iptables, i.e.
-A INPUT -p tcp -m tcp --dport 62222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
I also saved all the rules in a file so I could restore the iptables when I reboot the machine.
I also checked to make sure that the ports were open on the network firewall.
So I'm not sure what to do now because everywhere I look it says that once I've added those rules it should work.
Please Help!
Hi all,
I have a host#1 with ip=192.168.3.100 and a host#2 with ip=192.168.2.100. Both hosts are connected to some Linux device with 2 interfaces: eth0 with ip=192.168.2.1 and eth1 with ip=192.168.3.1.
So host#1 is connected to eth1 and host#2 to eth0. I would like to ping host#2 from host#1 and vice versa. How can I do that?
I tried:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
but it didn't work
PS
This is my first post here, so please don't be very strict to me
Looking forward to hearing from anybody as I'm out of ideas...
BR,
Dmitry
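Added example (not code from any of the posts above, nor from any of the projects mentioned): a small Python simulation of how iptables walks a chain, first matching rule wins and a packet with no hit gets the chain policy. It serves the questions about "-m tcp" versus "-m state", the closing REJECT line and the INPUT policy, and the FORWARD chains of the proxy script and Dmitry's router. The ruleset, interface names and packets are constructed for the example.

```python
import shlex

# Constructed iptables-save ruleset: the first post's INPUT chain + the proxy script's FORWARD pair (policy DROP).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
# Only the matches the posts use are modelled. '-m tcp' / '-m state' just load the
# extension that provides --dport / --state; they do not match anything themselves.
MATCH_OPTS = ("-i", "-o", "-p", "--dport", "--state", "-j")

def parse(text):
    """Return (policies, rules): chain -> policy, chain -> list of {option: value}."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                       # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):
            argv, rule, i = shlex.split(line), {}, 2   # skip '-A' and the chain name
            while i < len(argv):
                has_arg = i + 1 < len(argv) and not argv[i + 1].startswith("-")
                if argv[i] in MATCH_OPTS and has_arg:
                    rule[argv[i]] = argv[i + 1]
                i += 2 if has_arg else 1               # '-m tcp', '--reject-with X' are skipped
            rules[argv[1]].append(rule)
    return policies, rules

def matches(rule, pkt):
    """A rule hits only if every match it carries holds; --state is a comma list."""
    return all(pkt.get(o) in w.split(",") if o == "--state" else pkt.get(o) == w
               for o, w in rule.items() if o != "-j")

def verdict(ruleset, chain, pkt):
    """Walk the chain top to bottom: the first hit decides; no hit means the chain policy."""
    policies, rules = ruleset
    for rule in rules[chain]:
        if matches(rule, pkt):
            return rule["-j"]
    return policies[chain]
```

Deleting the closing REJECT line from RULESET shows the policy taking over: a NEW packet to an unlisted port is then ACCEPTed with ":INPUT ACCEPT" and DROPped with ":INPUT DROP".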
Hello!
I'm pretty new to the world of Linux. Right now I use Ubuntu Desktop 14.04. Later down the road I plan to install LAMP to try to run a web server.
Generally speaking, I prefer GUI (as most people, I guess), though I have no problem with CLI (remember myself in 1990 with MS-DOS).
As a regular user I don't think I really need a firewall in Ubuntu. Sticking to installation defaults is fine by me. But as an admin of a web server, I would think that I'm gonna need something beyond the Desktop ed. defaults security-wise. I'm aware of IPtables, of course. But to me it seems a little bit too much to learn, too steep of a learning curve right now. Then there's ufw.
And a GUI front-end of it, which is Gufw. Here opinions vary. Some say, I must learn IPtables, others think that Gufw does its job fine.
So what I'm asking here is not just an OPINION, but also a reasoning behind it. Real life example maybe etc.
Thank you.