Networking / IPTables Question
Hello Everyone-

I have a server which is running an httpd server on port 80. I have
iptables firewall rules which are basically of the form:

Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT all -- localhost anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Let's say that the server's public IP address is 123.123.123.123

From outside the box, if I do :

wget -O - http://123.123.123.123

I get back html. But, if I do that same exact wget from within the box,
I never get html and the connection times out. Furthermore, I will get
incremented counters on the INPUT chain's DROP policy.

I poked around looking at the /var/lib/iptables/rules-save to discover
that for rule #4 on the INPUT chain, "localhost" == 127.0.0.1 (not
surprising as it's exactly what I used to create the rule).

If I add a final rule :

iptables -A INPUT -s 123.123.123.123 -j ACCEPT

I get a 5th iptables rule which *reads* exactly the same as the 4th,
namely:

ACCEPT all -- localhost anywhere

(iptables -n --list shows the two lines as :

ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 123.123.123.123 0.0.0.0/0

)

But now, the wget from within the box to 123.123.123.123 works.

Can anyone explain why I needed to add rule #5 to get the wget to work
from within 123.123.123.123? Both 127.0.0.1 and 123.123.123.123 are
displayed as 'localhost', so I'm curious how and why, and if I've created
a problem by adding the 5th line.

Thanks in advance!
daniel



--
gentoo-user@gentoo.org mailing list
Re: Networking / IPTables Question
On Wed, Sep 22, 2004 at 10:23:45PM -0700, Daniel Wood wrote:
> Hello Everyone-
>
> I have a server which is running an httpd server on port 80. I have
> iptables firewall rules which are basically of the form:
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp dpt:www
> ACCEPT all -- localhost anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
>
> Let's say that the server's public IP address is 123.123.123.123
>
> From outside the box, if I do :
>
> wget -O - http://123.123.123.123
>
> I get back html. But, if I do that same exact wget from within the box,
> I never get html and the connection times out. Furthermore, I will get
> incremented counters on the INPUT chain's DROP policy.
>
> I poked around looking at the /var/lib/iptables/rules-save to discover
> that for rule #4 on the INPUT chain, "localhost" == 127.0.0.1 (not
> surprising as it's exactly what I used to create the rule).
>
> If I add a final rule :
>
> iptables -A INPUT -s 123.123.123.123 -j ACCEPT
>
> I get a 5th iptables rule which *reads* exactly the same as the 4th,
> namely:
>
> ACCEPT all -- localhost anywhere
>
> (iptables -n --list shows the two lines as :
>
> ACCEPT all -- 127.0.0.1 0.0.0.0/0
> ACCEPT all -- 123.123.123.123 0.0.0.0/0
>
> )
>
> But now, the wget from within the box to 123.123.123.123 works.
>
> Can anyone explain why I needed to add rule #5 to get the wget to work
> from within 123.123.123.123? Both 127.0.0.1 and 123.123.123.123 are
> displayed as 'localhost', so I'm curious how and why, and if I've created
> a problem by adding the 5th line.

When contacting your box from within your network, but on the public
address, your box will not use the localhost interface, but the public
interface.

Remove the additional line again and try:
wget -O - http://127.0.0.1

it should work.

But since your 3rd rule should already match in both cases, I guess
something's wrong in that place.

Try tcpdump to pinpoint the problem.


HTH

Thomas

--
gentoo-user@gentoo.org mailing list
Re: Networking / IPTables Question
Thomas Buntrock wrote:

>When contacting your box from within your network, but on the public
>address, your box will not use the localhost interface, but the public
>interface.
>
>Remove the additional line again and try:
>wget -O - http://127.0.0.1
>
>it should work.
>
>But since your 3rd rule should already match in both cases, I guess
>something's wrong in that place.
>
>Try tcpdump to pinpoint the problem.
Thanks Thomas!

The rub with that, Thomas, is that the httpd service is configured to
only accept http requests from the public IP. So, you get this:

wget -O - http://127.0.0.1
--07:38:17-- http://127.0.0.1/
=> `-'
Connecting to 127.0.0.1:80... failed: Connection refused.

The "reason" is that this httpd service is doing a sanity check at
startup to connect back to itself on the listening address
(123.123.123.123) and port. That has resulted in several minutes for
the service to start up; hence my problem.

Your point, "3rd rule should already match in both cases" seems to be
the crux of my misunderstanding. I too would have thought that #3 would
cover 127.0.0.1, 123.123.123.123, and any other address coming in on
port 80 (www).

One additional piece of information which I neglected to
mention (because I didn't think to write it) is that this server has
three NICs. One is on the public interface, and the other two are
doing local networking traffic.

-daniel

--
gentoo-user@gentoo.org mailing list
Re: Networking / IPTables Question
On Wed, 22 Sep 2004, Daniel Wood wrote:

> I have a server which is running a httpd server on port 80. I have
> iptable firewall rules which are basically of the form :
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp dpt:www
> ACCEPT all -- localhost anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID

Please bear in mind that, unlike BSD firewalls (where packets traverse the
entire ruleset and the LAST match wins), Linux firewalls operate on a
FIRST match basis.

Here is an example of a more thorough firewall on one of my servers (this
allows a few more ports and also has user-defined chains for "scrubbing"
bad packets or ones from private IPs, which you should never see). Note: I
have XXX'ed out one IP address to protect the innocent ;-)

Chain INPUT (policy DROP)
target prot opt source destination
scrub all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- XXX.XXX.XXX.XX 0.0.0.0/0 udp dpt:161
block all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
block all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain block (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain scrub (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 192.0.2.0/24 0.0.0.0/0
DROP all -- 204.152.64.0/23 0.0.0.0/0
DROP all -- 224.0.0.0/3 0.0.0.0/0


--
Aj.
Sys. Admin / Developer

--
gentoo-user@gentoo.org mailing list
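To make the first-match point concrete, here is an added example (not code from the thread and not iptables itself) that models Aj's INPUT ruleset above and walks sample packets through it the way the kernel does: the first matching rule decides, LOG is non-terminating, a jump into a user chain falls back to the caller when nothing in it terminates, and the chain policy applies only when INPUT is exhausted. The SNMP manager address is a placeholder for the XXX'ed-out one, and the packets are constructed test input.

```python
import ipaddress

# Constructed model of the INPUT ruleset from Aj's post. Each rule is a
# (match-dict, target) pair; targets that are not terminal are chain names.
BOGON_NETS = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
              "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
              "224.0.0.0/3")
SNMP_MANAGER = "198.51.100.7"  # placeholder for the XXX'ed-out address

CHAINS = {
    "INPUT": [({}, "scrub"),
              ({"proto": "tcp", "dport": 22}, "ACCEPT"),
              ({"proto": "tcp", "dport": 80}, "ACCEPT"),
              ({"proto": "udp", "dport": 161, "src": SNMP_MANAGER + "/32"}, "ACCEPT"),
              ({}, "block")],
    "block": [({"state": "RELATED,ESTABLISHED"}, "ACCEPT"), ({}, "LOG"), ({}, "REJECT")],
    "scrub": [({"proto": "icmp", "icmp_type": t}, "ACCEPT") for t in (0, 8, 11)]
             + [({"proto": "icmp"}, "DROP")]
             + [({"src": net}, "DROP") for net in BOGON_NETS],
}
POLICY = {"INPUT": "DROP"}          # built-in chain policy; user chains have none
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def matches(rule, pkt):
    """True when every match in the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if pkt.get("state", "NEW") not in want.split(","):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def walk(chain, pkt, log):
    """First-match traversal; returns a verdict, or None if the chain returns."""
    for rule, target in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "LOG":  # non-terminating: record and keep walking
            log.append(f"{chain}: {pkt['proto']} {pkt['src']} -> dport {pkt.get('dport')}")
            continue
        verdict = walk(target, pkt, log)  # jump into a user-defined chain
        if verdict:
            return verdict
    return POLICY.get(chain)

def filter_packet(pkt):
    log = []
    return walk("INPUT", pkt, log), log
```

A packet to port 80 from a private source never reaches the ACCEPT dpt:80 rule, because scrub drops it first; the same packet from a public source passes scrub untouched and is accepted two rules later.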