
I have a linux server with these following iptable rules:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport http -j ACCEPT

I have apache2 listening on port 80. The problem is that while the local machine can access the dev machine by host name, none of the other local machines can access it. If I clear the iptable rules, they can access it.

How do I fix it? I tried adding port 80 to the above ruleset, but it didn't work.

Edit, here are the current iptable rules:

    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 445 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
    iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport http -j ACCEPT
firebird
  • Please edit your question to include the output of `iptables -L -v -n` – user9517 Mar 12 '12 at 15:21
  • possible duplicate of [iptables rejects everything it should accept](http://serverfault.com/questions/365680/iptables-rejects-everything-it-should-accept) – Jeff Ferland Mar 12 '12 at 15:48
  • You've made the mistake of confusing source and destination ports for in/out bound connections. Your webserver's outbound traffic has a source port of 80. This is best handled with the established / related clause, though. See the question I tagged above which had the same issues. – Jeff Ferland Mar 12 '12 at 15:50

1 Answer


If you are running iptables on the same machine that Apache is running on, you need to change the following rule:

iptables -A OUTPUT -t filter -p tcp --dport http -j ACCEPT

to be

iptables -A INPUT -p tcp --dport http -j ACCEPT

You need to allow the incoming traffic to port 80 not the outgoing one.

Also, it is not enough to allow the ESTABLISHED and RELATED for INPUT. You need to do the same for OUTPUT. Add a rule like:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you are running a DNS service on the same server, you need to allow port 53 protocol UDP similarly to what you have done for HTTP.

Khaled
  • Tried that, it doesn't work. It will work if I set the OUTPUT policy to accept all. So it's related to outgoing, not incoming connections. I don't want to set output to accept, do you know which port/rule I need to set specifically? – firebird Mar 12 '12 at 15:31
  • And if this was a firewall/router setup where the web server sat behind it then the correct table would be the FORWARD chain. – hookenz Dec 10 '12 at 23:30
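The complete ruleset the answer and comments converge on, written out as an added example (this is not code from the original question or answer). It assumes the LAN-facing interface is eth0 and that the host is both a web server on port 80 and an ordinary client for DNS, HTTP and HTTPS. It uses `-m conntrack --ctstate`, the current spelling of the same connection-tracking check the posted rules make with `-m state --state`. The key difference from the asker's ruleset is the ESTABLISHED,RELATED rule on OUTPUT: Apache's replies leave with source port 80 and a client-chosen destination port, so an OUTPUT rule matching `--dport http` never sees them. `IPT` selects the command used to install rules; it defaults to the real binary (root required) and can be set to `echo` to print the rules instead.

```shell
#!/bin/sh
# Added example: minimal stateful ruleset for a host running Apache on :80.
# Assumptions (not from the original post): LAN interface is eth0, default
# deny is wanted in both directions, and the host also makes its own
# outbound DNS/HTTP/HTTPS connections.
#
# IPT defaults to the real iptables binary; set IPT=echo to dry-run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"

apply_rules() {
    # Start from an empty filter table. Policies are set last so that a
    # first run does not lock out an admin SSH session before the
    # ESTABLISHED rule exists.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD

    # Loopback is unrestricted (the host reaching itself by name goes via lo).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking in BOTH directions. The OUTPUT rule is what the
    # original ruleset lacked: server replies have source port 80, not
    # destination port 80, so they can only be matched by state.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound service: NEW TCP connections to the web server, LAN side only.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound connections the host itself initiates. Only the first packet
    # of each needs these; replies are covered by ESTABLISHED on INPUT.
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Default deny for everything not matched above.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Usage: ./rules.sh --dry-run  (print the rules)  or  sudo ./rules.sh --apply
case "${1:-}" in
    --dry-run) IPT=echo; apply_rules ;;
    --apply)   apply_rules ;;
esac
```

After applying, confirm with `iptables -L -v -n` (the output user9517 asked for) that the packet counters on the OUTPUT ESTABLISHED,RELATED rule increase when another LAN machine fetches a page; if they stay at zero, the replies are still being dropped by the OUTPUT policy. If the web server sits behind this box rather than on it, the same ESTABLISHED,RELATED and `--dport 80` rules belong in the FORWARD chain, as hookenz notes.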