Hello Everyone-
I have a server which is running an httpd server on port 80. I have
iptables firewall rules which are basically of the form:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT all -- localhost anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Let's say that the server's public IP address is 123.123.123.123
From outside the box, if I do:
wget -O - http://123.123.123.123
I get back html. But, if I do that same exact wget from within the box,
I never get html and the connection times out. Furthermore, I will get
incremented counters on the INPUT chain's DROP policy.
I poked around looking at the /var/lib/iptables/rules-save to discover
that for rule #4 on the INPUT chain, "localhost" == 127.0.0.1 (not
surprising as it's exactly what I used to create the rule).
If I add a final rule:
iptables -A INPUT -s 123.123.123.123 -j ACCEPT
I get a 5th iptables rule which *reads* exactly the same as the 4th,
namely:
ACCEPT all -- localhost anywhere
(iptables -n --list shows the two lines as:
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 123.123.123.123 0.0.0.0/0
)
But now, the wget from within the box to 123.123.123.123 works.
Can anyone explain why I needed to add rule #5 to get the wget to work
from within 123.123.123.123? Both 127.0.0.1 and 123.123.123.123 are
displayed as 'localhost' so I'm curious how and why and if I've created
a problem by adding the 5th line.
Thanks in advance!
daniel
--
gentoo-user@gentoo.org mailing list
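The audit trap in this post is that `iptables --list` without `-n` resolves addresses to names, so two rules that differ numerically (127.0.0.1 vs 123.123.123.123) both print as "localhost". The following is an added example, not code from the post or from iptables: it parses a constructed `iptables -n --list` listing matching the rules above, renders it the way the name-resolving listing would, and flags rule pairs that become indistinguishable. The reverse-lookup table (both addresses mapping to "localhost") is an assumption standing in for /etc/hosts or DNS; the post only reports what is displayed.

```python
# Added example (not from the original post). Shows why a firewall audit
# should read the numeric listing: rules that differ by source address can
# collapse into identical lines once addresses are replaced by hostnames.

# Constructed `iptables -n --list INPUT` output mirroring the post's chain.
NUMERIC_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  123.123.123.123      0.0.0.0/0
"""

# Assumed reverse lookups (the post only says both addresses *display* as
# 'localhost'; the real source would be /etc/hosts or DNS).
HOSTS = {"127.0.0.1": "localhost", "123.123.123.123": "localhost",
         "0.0.0.0/0": "anywhere"}

def parse_rules(listing):
    """Return (target, proto, source, destination, extra) tuples from -n output."""
    rules = []
    for line in listing.splitlines():
        if not line or line.startswith(("Chain", "target")):
            continue                      # skip chain header and column header
        parts = line.split(None, 5)
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""   # match options, e.g. 'state INVALID'
        rules.append((target, proto, src, dst, extra))
    return rules

def render_named(rule, hosts=HOSTS):
    """The same rule as the name-resolving listing would print it."""
    target, proto, src, dst, extra = rule
    return (target, proto, hosts.get(src, src), hosts.get(dst, dst), extra)

def find_collapsed(listing, hosts=HOSTS):
    """Pairs of 1-based rule numbers that differ numerically but print identically."""
    rules = parse_rules(listing)
    first_seen = {}
    collisions = []
    for num, rule in enumerate(rules, start=1):
        key = render_named(rule, hosts)
        if key in first_seen and rules[first_seen[key] - 1] != rule:
            collisions.append((first_seen[key], num))
        first_seen.setdefault(key, num)
    return collisions
```

Running `find_collapsed(NUMERIC_LISTING)` reports rules 4 and 5 as a collapsed pair, which is exactly the ambiguity the post describes; the defensive habit is `iptables -n -v --list --line-numbers` when reviewing a ruleset.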