need HELP with iptables Firewall
Hi all !

I'm running SUSE Linux 10.0, x86, with Apache2 HTTP server at home. I want to block access to my Apache2 server from all interfaces, including myself (loopback).

I set up iptables, and did:

iptables -F INPUT
iptables -A INPUT -j DROP
iptables -F OUTPUT
iptables -A OUTPUT -j DROP

Those 4 commands, theoretically, should kill all my network activity. (I have no IP forwarding.) And this stopped pinging to myself: ping 127.0.0.1

But for some totally unknown reason, I still could access "http://localhost".

Two questions:
1. Why could I still access "http://localhost"?
2. How to disable *all* network traffic?

Thanks.
-Alexey.
20.1.2006.
Alexey Eremenko wrote:
Hi all !
I'm running SUSE Linux 10.0, x86, with Apache2 HTTP server at home. I want to block access to my Apache2 server from all interfaces, including myself (loopback).
I set up iptables, and did:
iptables -F INPUT
iptables -A INPUT -j DROP
iptables -F OUTPUT
iptables -A OUTPUT -j DROP

Those 4 commands, theoretically, should kill all my network activity. (I have no IP forwarding.) And this stopped pinging to myself: ping 127.0.0.1

But for some totally unknown reason, I still could access "http://localhost".

Two questions:
1. Why could I still access "http://localhost"?
2. How to disable *all* network traffic?
Thanks. -Alexey. 20.1.2006.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT -j DROP
iptables -P OUTPUT -j DROP
iptables -P FORWARD -j DROP

-- Kulla
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT -j DROP
iptables -P OUTPUT -j DROP
iptables -P FORWARD -j DROP
-- Kulla
Thanks Kulla, but there are 2 problems with your commands:
1. iptables -P INPUT -j DROP doesn't work. It must be: iptables -P INPUT DROP
2. Even after flushing all 3 chains, and setting their default policy to DROP, I still *can* access Apache2 web server!
Any ideas?
On Fri, 2006-01-20 at 07:37 -0200, Alexey Eremenko wrote:
Hi all !
I'm running SUSE Linux 10.0, x86, with Apache2 HTTP server at home. I want to block access to my Apache2 server from all interfaces, including myself (loopback).
I set up iptables, and did:
iptables -F INPUT
iptables -A INPUT -j DROP
iptables -F OUTPUT
iptables -A OUTPUT -j DROP

Those 4 commands, theoretically, should kill all my network activity. (I have no IP forwarding.) And this stopped pinging to myself: ping 127.0.0.1

But for some totally unknown reason, I still could access "http://localhost".

Two questions:
1. Why could I still access "http://localhost"?
2. How to disable *all* network traffic?
ifconfig eth0 down
ifconfig lo down

-- Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
On Fri, 2006-01-20 at 07:48 -0200, Alexey Eremenko wrote:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT -j DROP
iptables -P OUTPUT -j DROP
iptables -P FORWARD -j DROP
-- Kulla
Thanks Kulla, but there are 2 problems with your commands:
1. iptables -P INPUT -j DROP doesn't work. It must be: iptables -P INPUT DROP
2. Even after flushing all 3 chains, and setting their default policy to DROP, I still *can* access Apache2 web server!
Any ideas?
rcapache2 stop

-- Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
Sorry, my 4 was wrong: 4. FireFox could access the page.
Actually, only KDE Konqueror *can* access my web server via "http://localhost", and ignores the firewall.

ifconfig eth0 down
ifconfig lo down
I want to understand iptables, not shut down interfaces.
Are you opening localhost or local file?
I'm opening localhost, i.e. the web server.

rcapache2 stop
It can be stopped by using rcapache2 stop, but why does iptables fail to stop it?
Could it be that Konqueror uses non-IP access (NetBIOS, IPv6) or no loopback at all ?
Stupid me! Of course it didn't block the traffic from KDE Konqueror, because it used IPv6, which isn't blocked by iptables! So maybe our SUSE Linux 10.0 systems are at risk then, if the attacker uses an IPv6 attack? SUSE Linux 10.0 supports IPv6, but doesn't seem to firewall it!
On Fri, 2006-01-20 at 12:56 -0200, Alexey Eremenko wrote:
Sorry, my 4 was wrong: 4. FireFox could access the page.
Actually, only KDE Konqueror *can* access my web server via "http://localhost", and ignores the firewall.

ifconfig eth0 down
ifconfig lo down
I want to understand iptables, not shut down interfaces.
Then this should have been stated in the subject as a test to understand iptables not as a request for a "real world" solution.
Are you opening localhost or local file?
I'm opening localhost, i.e. the web server.

rcapache2 stop
It can be stopped by using rcapache2 stop, but why does iptables fail to stop it?

It is not iptables' job to start/stop services, only to block access to them.

-- Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
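As an added example (not posted in this thread), the lockdown Alexey was after, applied to both address families: iptables only filters IPv4, so a browser that resolves localhost to ::1 walks straight past DROP policies set only with iptables, and ip6tables needs the same treatment. The function names and the DRY_RUN variable are this example's own; all_policies_drop reads `iptables -S` or `ip6tables -S` output on stdin and checks that all three built-in chains really ended up with a DROP policy.

```shell
#!/bin/sh
# Example script (not from the thread): flush and DROP for IPv4 *and* IPv6.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Flush the built-in chains and set their policy to DROP for one family.
# $1 is the tool to use: iptables (IPv4) or ip6tables (IPv6).
lockdown_family() {
    tool=$1
    for chain in INPUT OUTPUT FORWARD; do
        run "$tool" -F "$chain"
        # -P takes the policy name directly; there is no -j here
        # (Kulla's "-P INPUT -j DROP" is rejected, as Alexey noted).
        run "$tool" -P "$chain" DROP
    done
}

# The thread's mistake in one line: doing only the first of these two.
lockdown_all() {
    lockdown_family iptables
    lockdown_family ip6tables
}

# Read `iptables -S` / `ip6tables -S` output on stdin. Returns 0 only if
# INPUT, OUTPUT and FORWARD all report "-P <chain> DROP"; run it once per
# family so an open IPv6 side cannot hide behind a locked IPv4 side.
all_policies_drop() {
    awk '
        $1 == "-P" && ($2 == "INPUT" || $2 == "OUTPUT" || $2 == "FORWARD") {
            policy[$2] = $3
        }
        END {
            n = split("INPUT OUTPUT FORWARD", want, " ")
            for (i = 1; i <= n; i++)
                if (policy[want[i]] != "DROP") exit 1
            exit 0
        }'
}
```

Typical use as root: `lockdown_all`, then `iptables -S | all_policies_drop && ip6tables -S | all_policies_drop` before trusting the box is closed.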