Re: Iptables problem with allowing http

[Mark Weaver <mdw1982@xxxxxxxxxxx>]

Claude Jones wrote:
> At least I think that's the problem, though I can't see why.
> My rules:
> iptables -P INPUT DROP
> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
>
> #to allow ftp?
> #iptables -A INPUT -p tcp -m state --state RELATED -j ACCEPT
>
> iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with 
> icmp-port-unreachable
>
> iptables -vL results in:
>
> Chain INPUT (policy DROP 10 packets, 320 bytes)
> pkts bytes target     prot opt in     out     source               
> destination
>  397 46790 ACCEPT     all  --  !eth0  any     anywhere             anywhere
> 4435 3628K ACCEPT     all  --  any    any     anywhere             
> anywhere            state RELATED,ESTABLISHED
>    0     0 ACCEPT     tcp  --  any    any     anywhere             
> anywhere            tcp dpt:http state NEW
>    0     0 ACCEPT     tcp  --  any    any     anywhere             
> anywhere            state RELATED
>    3   144 REJECT     tcp  --  eth0   any     anywhere             
> anywhere            reject-with tcp-reset
>  116 20550 REJECT     udp  --  eth0   any     anywhere             
> anywhere            reject-with icmp-port-unreachable
>    0     0 ACCEPT     all  --  !eth0  any     anywhere             anywhere
>    0     0 ACCEPT     all  --  any    any     anywhere             
> anywhere            state RELATED,ESTABLISHED
>    0     0 ACCEPT     tcp  --  any    any     anywhere             
> anywhere            tcp dpt:http state NEW
>    0     0 ACCEPT     tcp  --  any    any     anywhere             
> anywhere            state RELATED
>    0     0 REJECT     tcp  --  eth0   any     anywhere             
> anywhere            reject-with tcp-reset
>    0     0 REJECT     udp  --  eth0   any     anywhere             
> anywhere            reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 35 packets, 7985 bytes)
> pkts bytes target     prot opt in     out     source               
> destination
>
> Chain OUTPUT (policy ACCEPT 5105 packets, 609K bytes)
> pkts bytes target     prot opt in     out     source               
> destination
>
> Attempts to connect to my ip via http are being refused with a 
> 'connection refused' - seems like the connection is live, but attempts 
> to connect are rebuffed. Anyone spot something wrong in the above?

check and make sure the apache service is running. this is usually the 
problem when getting this message and you "know" the port is open.

	/sbin/service httpd restart

--
Mark
-----------------------------------------------------------
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & RH Fedora Core 3
ICQ# 27816299