Linux – help with iptables cannot connect to web server


I recently set up a Fedora Core web server for my IT organization, and I am a newbie to Linux and even more of a newbie with iptables. For now, I need to permit outside users to access the web server on port 80, enable MySQL connections on port 3306, and also allow SSH connections. Right now I don't need to be very restrictive about the source of the connections, so I just need some general permissive rules to get things going. I tested internally, trying to connect from my computer to the new server with the following rules, and I cannot connect at all with iptables started. Once I stop iptables, I am able to get to the server, so I know something is wrong with my iptables configuration – I am just too much of a newbie to figure it out. Can someone help? 🙂

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT

====================
UPDATE!!!

I changed my iptables rules to…

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
COMMIT

After restarting iptables, I tested and I am still unable to connect to the server.

When I run iptables -L I get this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Again, if I stop iptables and then try connecting again, I am able to connect. So it still appears to be a problem with iptables (not a networking issue). I'm baffled, so any other help would be appreciated!!!

Best Answer

I think the problem is this rule:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

That tells IPTables to reject everything coming in on the INPUT chain, i.e. all incoming packets. And since IPTables reads (and applies) its rules in order from top to bottom, for NEW packets coming in on ports 80 and 3306, that's the first rule that matches. So they all get rejected. The only packets that wouldn't be rejected by that rule are the ones coming into port 22, since the rule right above it says to accept them.

To fix it, just move that rule to the end of the file. That way, IPTables will encounter the rules saying to ACCEPT packets on ports 80 and 3306 first.

On a slightly related note, I've written an IPTables tutorial on my website that might have some useful information for you.
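The ordering point made in the answer, as an added example that is not part of the original question or answer: the corrected ruleset (catch-all REJECT moved to the end of INPUT) next to the poster's second attempt, plus two small shell helpers, `first_match` and `shadowed_rules` (hypothetical names, written for this example), that reproduce iptables' top-to-bottom first-match walk on the text of a ruleset. Assumptions: the packet being traced is a new TCP connection arriving on a non-loopback interface, and the rulesets carry the `*filter` header that iptables-restore requires (it is absent from the post as quoted, presumably lost when the rules were copied).

```sh
#!/bin/sh
# Added example, not code from the original post or answer. Traces a new TCP
# connection through the poster's ruleset and through a corrected one, and
# lists rules that an early catch-all REJECT makes unreachable.

# Corrected ruleset in iptables-save format. "*filter" is required by
# iptables-restore (assumed to have been dropped when the post was pasted).
RULES_FIXED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The poster's second attempt, for comparison: the REJECT precedes the
# port 80 and 3306 rules, so those two rules can never be reached.
RULES_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
COMMIT'

# first_match RULESET DPORT
# Walk the INPUT chain top to bottom, as the kernel does, and print the target
# of the first rule a new TCP connection to DPORT would hit. Rules that need a
# state, protocol or interface the packet does not have are skipped; a rule
# with no such match at all (the bare REJECT) matches everything.
first_match() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^-A INPUT/ {
      if ($0 ~ /--state ESTABLISHED,RELATED/) next   # not a new connection
      if ($0 ~ /-p icmp/) next                       # we are tracing TCP
      if ($0 ~ /-i lo/) next                         # not from loopback
      if (match($0, /--dport [0-9]+/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        if (f[2] != port) next                       # different port
      }
      for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit }
    }'
}

# shadowed_rules RULESET
# Print every INPUT rule that sits after an unconditional REJECT or DROP in
# the same chain. Such rules are dead: iptables stops at the first match, so
# nothing ever reaches them. Works on live "iptables-save" output as well.
shadowed_rules() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT/ {
      if (dead) { print; next }
      if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) dead = 1
    }'
}

# Stand-alone demo: trace SSH, web and MySQL connections through both rulesets.
for port in 22 80 3306; do
  printf 'port %-5s broken=%-7s fixed=%s\n' "$port" \
    "$(first_match "$RULES_BROKEN" "$port")" "$(first_match "$RULES_FIXED" "$port")"
done
printf '\nRules shadowed by the early REJECT in the broken set:\n'
shadowed_rules "$RULES_BROKEN"
```

On Fedora the saved ruleset lives in /etc/sysconfig/iptables and is reloaded with `service iptables restart`; to check a running box rather than a file, run `shadowed_rules "$(iptables-save)"`. The quickest live diagnosis is `iptables -L INPUT -v -n --line-numbers`: the per-rule packet counters for anything listed after the catch-all REJECT stay at zero no matter how many connections you attempt. Once the server is reachable, tighten the MySQL rule with `-s` to the hosts that actually need it; port 3306 open to every source is a much bigger exposure than 22 or 80.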