Iptables problem with allowing http
Mark Weaver
mdw1982 at mdw1982.com
Tue Mar 15 13:40:51 UTC 2005
Claude Jones wrote:
> At least I think that's the problem, though I can't see why.
> My rules:
> iptables -P INPUT DROP
> iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
>
> #to allow ftp?
> #iptables -A INPUT -p tcp -m state --state RELATED -j ACCEPT
>
> iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
>
> iptables -vL results in:
>
> Chain INPUT (policy DROP 10 packets, 320 bytes)
> pkts bytes target prot opt in out source destination
> 397 46790 ACCEPT all -- !eth0 any anywhere anywhere
> 4435 3628K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW
> 0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED
> 3 144 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset
> 116 20550 REJECT udp -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
> 0 0 ACCEPT all -- !eth0 any anywhere anywhere
> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW
> 0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED
> 0 0 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset
> 0 0 REJECT udp -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 35 packets, 7985 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 5105 packets, 609K bytes)
> pkts bytes target prot opt in out source destination
>
> Attempts to connect to my ip via http are being refused with a
> 'connection refused' - seems like the connection is live, but attempts
> to connect are rebuffed. Anyone spot something wrong in the above?
>
Check and make sure the Apache service is running. This is usually the
problem when getting this message and you "know" the port is open.
/sbin/service httpd restart
--
Mark
-----------------------------------------------------------
Paid for by Penguins against modern appliances(R)
Linux User Since 1996
Powered by Mandrake Linux 8.2 & RH Fedora Core 3
ICQ# 27816299
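A "connection refused" can come either from the firewall's REJECT --reject-with tcp-reset rule or from the kernel's TCP stack when nothing is listening on port 80, and the per-rule packet counters in `iptables -vL` tell the two apart. The script below is an added example, not part of this thread: it diffs two counter snapshots taken before and after one test connection and reports which rule (or the chain policy) absorbed the packets. The two snapshots embedded in it are constructed sample data in the same column layout as the quoted output.

```shell
#!/bin/sh
# Added example, not from the thread: compare per-rule packet counters from
# two `iptables -vL INPUT` snapshots (before and after one test connection)
# to see which rule, or the chain policy, consumed the packets. Take real
# snapshots with `iptables -vnxL INPUT` so counters are exact (no K/M suffix).
# The two snapshots below are constructed sample data.

grown_rules() {
    # $1 = before-snapshot file, $2 = after-snapshot file.
    # Prints every rule (numbered top to bottom) whose pkts counter grew,
    # and the chain policy counter if that grew.
    awk '
        /^Chain / {                                  # "Chain INPUT (policy DROP 10 packets, ...)"
            if (FNR == NR) bpol = $5
            else if ($5 + 0 > bpol + 0) printf "policy %s: +%d pkts\n", $4, $5 - bpol
            next
        }
        /^ *pkts +bytes/ || NF == 0 { next }         # column header / blank line
        FNR == NR { before[++nb] = $1; next }        # first file: remember pkts per rule
        {
            na++
            if ($1 + 0 > before[na] + 0) {
                rest = ""
                for (i = 3; i <= NF; i++) rest = rest " " $i
                printf "rule %d: +%d pkts ->%s\n", na, $1 - before[na], rest
            }
        }
    ' "$1" "$2"
}

BEFORE_SNAPSHOT='Chain INPUT (policy DROP 10 packets, 320 bytes)
 pkts bytes target prot opt in out source destination
  397 46790 ACCEPT all -- !eth0 any anywhere anywhere
 4435 3628000 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW
    3 144 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset'

# After one HTTP connection attempt (constructed): the REJECT rule grew by one
# packet and the http ACCEPT rule did not, so the firewall sent the reset.
AFTER_SNAPSHOT='Chain INPUT (policy DROP 10 packets, 320 bytes)
 pkts bytes target prot opt in out source destination
  397 46790 ACCEPT all -- !eth0 any anywhere anywhere
 4435 3628000 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW
    4 192 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset'

BEFORE_FILE=$(mktemp) && AFTER_FILE=$(mktemp)
printf '%s\n' "$BEFORE_SNAPSHOT" > "$BEFORE_FILE"
printf '%s\n' "$AFTER_SNAPSHOT" > "$AFTER_FILE"
grown_rules "$BEFORE_FILE" "$AFTER_FILE"
```

If no rule counter grows at all, the SYN reached the listening socket (or the lack of one) and the refusal came from the host, which is the case the reply above is pointing at.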