problem with opening ports using iptables
hi list,

i recently switched from personal-firewall to a self-made firewall script because i want to share some ports (e.g. www) to the outside world. i decided to filter those ports and simply drop all other packets. to filter out the packets i use some code like this:

IPTABLES -N www
IPTABLES -A www -j ACCEPT
IPTABLES -I INPUT -p tcp -m state --state NEW -i $INET_DEV --dport 80 -j www
IPTABLES -I OUTPUT -p tcp -m state --state NEW -o $INET_DEV --dport 80 -j www

but it doesn't work. other outside clients say my server's port 80 is open but they don't receive anything when accessing it. from the internal lan all things work fine. does anyone know what's wrong?

thx in advance
[LAN-Power.net] Tobias Breckle
Hi,

On Monday, 18 March 2002 21:42 you wrote:

IPTABLES -I OUTPUT -p tcp -m state --state NEW -o $INET_DEV --dport 80 -j www

It's the source port you mean ;) You want to say that output packets on port 80 are allowed. So your server sends packets with source port 80.
thx in advance
[LAN-Power.net] Tobias Breckle
CU, Kai.
--
Kai Szymanski
BS Networks
http://www.bs-networks.de
On Monday 18 March 2002 21.42, Tobias Breckle wrote:
hi list, i recently switched from personal-firewall to a self-made firewall script because i want to share some ports (e.g. www) to the outside world. i decided to filter those ports and simply drop all other packets. to filter out the packets i use some code like this:
IPTABLES -N www
creates a new rule-chain called www
IPTABLES -A www -j ACCEPT
Appends an empty rule to the www chain with target ACCEPT. I think IPTABLES -P www ACCEPT would be a better way to do it.
IPTABLES -I INPUT -p tcp -m state --state NEW -i $INET_DEV --dport 80 -j www
Allows new connections to be made on port 80, but doesn't allow packets relating to already established connections (--state ESTABLISHED).

IPTABLES -I OUTPUT -p tcp -m state --state NEW -o $INET_DEV --dport 80 -j www
Allows you to connect to other web servers, but again not to actually communicate with them (again --state ESTABLISHED). Also, if this is the only output rule you have, note that outbound packets from your web server will not have --dport 80. User clients will always (?) be on high ports (> 1024). Perhaps --sport 80 was what you meant.
but it doesn't work. other outside clients say my server's port 80 is open but they don't receive anything when accessing it. from the internal lan all things work fine. does anyone know what's wrong?
thx in advance
[LAN-Power.net] Tobias Breckle
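A ruleset that does what the original post was after, following the two replies above, as an added example that is not code from the thread or from any participant. Two points it relies on: a policy (-P) can only be set on the built-in chains INPUT, FORWARD and OUTPUT, so the user-defined www chain keeps its explicit -j ACCEPT; and once the first packet of a connection has been accepted, the server's replies on OUTPUT and the client's later packets on INPUT are ESTABLISHED traffic, so no OUTPUT rule keyed on port 80 (neither --dport nor --sport) is needed at all. The example assumes, beyond what the post states, that the external interface name is passed as the first argument (eth0 in the usage below), that the served ports follow it (default 80), and that the host only serves and does not route. It writes the table in iptables-restore format so it can be inspected or loaded atomically; the script name fw.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a complete *filter
# table for iptables-restore. Assumptions (not in the original post): the
# external interface is $1, served TCP ports follow (default 80), and the
# host does not forward traffic.

# Print one rule line; printf is used because some echo implementations
# interpret a leading dash.
r() { printf '%s\n' "$*"; }

# gen_rules IFACE [PORT ...]  -> prints the filter table on stdout
gen_rules() {
    iface="$1"
    shift
    ports="$*"
    [ -n "$ports" ] || ports="80"

    r '*filter'
    # Default deny on every built-in chain; nothing passes unless a rule
    # below accepts it. A user chain (www) has no policy of its own.
    r ':INPUT DROP [0:0]'
    r ':FORWARD DROP [0:0]'
    r ':OUTPUT DROP [0:0]'
    r ':www - [0:0]'

    # Loopback is always allowed; local daemons talk to each other over it.
    r '-A INPUT -i lo -j ACCEPT'
    r '-A OUTPUT -o lo -j ACCEPT'

    # Packets conntrack cannot classify are dropped early.
    r '-A INPUT -m state --state INVALID -j DROP'

    # The rule the posted script lacked: after the SYN has been accepted,
    # every further packet of that connection (replies on OUTPUT, the
    # client's ACKs and requests on INPUT) matches ESTABLISHED. RELATED
    # covers ICMP errors that refer to a tracked connection.
    r '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    r '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # Only NEW packets to the served ports are steered into the www chain,
    # as in the post. There is deliberately no OUTPUT rule mentioning
    # port 80: the server's replies are already ESTABLISHED traffic.
    for p in $ports; do
        r "-A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j www"
    done
    r '-A www -j ACCEPT'

    # Connections this host itself opens towards the outside (DNS, updates).
    # Tighten with -p/--dport if the server should not initiate traffic.
    r "-A OUTPUT -o $iface -m state --state NEW -j ACCEPT"
    r 'COMMIT'
}

# count_www_jumps IFACE [PORT ...] -> number of INPUT rules that jump to www
count_www_jumps() {
    gen_rules "$@" | grep -c -- '^-A INPUT .* -j www$'
}

# Load the table only when explicitly asked: ./fw.sh --apply eth0 80 443
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_rules "$@" | iptables-restore
fi
```

Run `./fw.sh eth0 80 443` to see the table and `./fw.sh --apply eth0 80 443` to load it; on iptables versions that have it, `iptables-restore --test` parses the output without committing. The `state` match is kept to match the thread; on current kernels `-m conntrack --ctstate` is the same thing. A static `--sport 80` ACCEPT in OUTPUT, as suggested as an alternative, would also let any local process that binds source port 80 send unsolicited packets out, which the ESTABLISHED rule does not.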
thx a lot guys, now it works :) Anders Johansson wrote:
participants (3)
- Anders Johansson
- Kai Szymanski
- Tobias Breckle