[TriLUG] Firewall for my webserver (IPTABLES)

Jerry M. Howell II jmhowell at jmhowell.com
Sun Jun 8 01:38:41 EDT 2003


Hello everyone,

   I'm currently adminning my wife's webserver at
   gamma.hostbyk.com. We are running Red Hat 7.3 with a generic 2.4.20
   kernel custom compiled with all the iptables/NAT goodies. I go to
   enable the firewall and that's where I run into problems. I can view
   the webserver, about 75% of my clients can, but there are some that go
   through CompuServe, Earthlink and AOL that can't seem to access
   anything once I start the firewall. No email, ftp, can't ping it or
   pull up a webpage. Thought it was probably ICMP so I allowed that
   through but still nothing. Might someone have any suggestions? Here is
   the output from /usr/local/iptables-save, which is iptables-1.2.8 BTW.

# Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
*nat
:PREROUTING ACCEPT [1956549:98046633]
:POSTROUTING ACCEPT [205477:14316170]
:OUTPUT ACCEPT [205477:14316170]
COMMIT
# Completed on Fri Jun  6 13:07:33 2003
# Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
*mangle
:PREROUTING ACCEPT [11003984:1977948454]
:INPUT ACCEPT [10098177:1941715975]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10603720:6903438327]
:POSTROUTING ACCEPT [10603700:6903433659]
COMMIT
# Completed on Fri Jun  6 13:07:33 2003
# Generated by iptables-save v1.2.8 on Fri Jun  6 13:07:33 2003
*filter
:INPUT ACCEPT [8569034:1718459859]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10603700:6903436455]
:acctboth - [0:0]
:firewall - [0:0]
[5:582] -A INPUT -p udp -m udp --sport 53 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --sport 113 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT 
[4:552] -A INPUT -p icmp -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
[85:7204] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
[158:22654] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
[40:1898] -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT 
[0:0] -A INPUT -p udp -m udp --dport 1080 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 2095 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT 
[0:0] -A INPUT -p udp -m udp --dport 8000 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
[0:0] -A INPUT -p udp -m udp --dport 8080 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT 
[0:0] -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT 
[0:0] -A INPUT -s 217.133.0.0/255.255.0.0 -j DROP 
[0:0] -A INPUT -s 80.13.0.0/255.255.0.0 -j DROP 
[0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 216.15.179.128/255.255.255.224 -j DROP 
[0:0] -A INPUT -s 43.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 61.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 133.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 163.13.0.0/255.255.0.0 -j DROP 
[0:0] -A INPUT -s 163.14.0.0/255.254.0.0 -j DROP 
[0:0] -A INPUT -s 163.16.0.0/255.240.0.0 -j DROP 
[0:0] -A INPUT -s 163.32.0.0/255.255.0.0 -j DROP 
[0:0] -A INPUT -s 211.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 220.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -s 221.0.0.0/255.0.0.0 -j DROP 
[0:0] -A INPUT -p icmp -j firewall 
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j firewall 
[21:1408] -A INPUT -p udp -j firewall 
[0:0] -A OUTPUT -p icmp -m state --state INVALID -j DROP 
[21:1408] -A firewall -j LOG --log-prefix "Firewall:" --log-level info 
[21:1408] -A firewall -j DROP 
COMMIT
# Completed on Fri Jun  6 13:07:33 2003

My firewall script can be found at http://www.jmhowell.com/fire.html if
you wanna look that over as well. Thanks for any advice that can be given.
Any Time Warner admins, feel free to spill the beans as well if you know
of anything :)

-- 
Jerry M. Howell II
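
The INPUT chain above is evaluated top to bottom, so what a particular client
sees depends on which rule its packet hits first. Below is an added example,
not code from the original post or from the author's fire.html script: a small
stateless simulator that parses the *filter section of an iptables-save dump,
walks the INPUT chain for a described packet and reports the rule (or chain
policy) that decided it. RULESET is a constructed excerpt of the posted dump
with the counters removed; the sample packets and their source addresses are
constructed and say nothing about where the CompuServe, Earthlink or AOL
traffic really originates. Connection tracking is not modelled, so a
`--state` match only fires when the packet dict carries an explicit `state`.
Run against the posted chain it makes three things visible that are worth
checking before hunting for an ISP-specific cause: the per-port ACCEPT rules
and the `-p icmp -j ACCEPT` rule sit above the source-range DROPs, so those
DROPs never apply to ports 21/22/25/80/110/443 or to ICMP (and the later
`-p icmp -j firewall` rule is unreachable); only SYN, UDP and ICMP are sent to
the firewall chain, so a TCP segment without SYN to any closed port (an ACK
scan, say) falls through to the INPUT policy of ACCEPT; and `--sport 53`
accepts any UDP packet sourced from port 53 whatever its destination, which
is what a stateful `-m state --state ESTABLISHED,RELATED` rule would replace.

```python
"""Stateless walk of an iptables-save chain for a given packet (added example).

Feed `decide()` the *filter section of an iptables-save dump and a packet dict
(src, proto, sport, dport, flags, optional state); it returns the verdict, the
deciding rule and any LOG rules the packet passed through.
"""
import ipaddress
import shlex

# Constructed excerpt of the posted dump (counters removed); paste the full
# *filter section here to check the real chain.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:firewall - [0:0]
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
-A INPUT -p icmp -j firewall
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j firewall
-A INPUT -p udp -j firewall
-A firewall -j LOG --log-prefix "Firewall:" --log-level info
-A firewall -j DROP
COMMIT
"""

def parse(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = None if policy == "-" else policy
            continue
        if not line.startswith(("[", "-A")):          # comments, *filter, COMMIT
            continue
        toks = shlex.split(line)
        if toks[0].startswith("["):                   # drop "[pkts:bytes]" counter
            toks = toks[1:]
        rule, i = {"text": " ".join(toks)}, 0
        while i < len(toks):
            t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if t in ("-A", "-p", "-j"):
                rule[{"-A": "chain", "-p": "proto", "-j": "target"}[t]] = arg
            elif t == "-s":                           # accepts dotted netmasks too
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif t in ("--sport", "--dport"):
                rule[t[2:]] = int(arg)
            elif t == "--state":
                rule["state"] = set(arg.split(","))
            elif t == "--tcp-flags":                  # --tcp-flags MASK COMP
                rule["flags"] = (set(arg.split(",")), set(toks[i + 2].split(",")))
                i += 1
            elif t not in ("-m", "--log-prefix", "--log-level"):
                raise ValueError(f"unsupported option {t!r} in: {line}")
            i += 2
        chains.setdefault(rule["chain"], []).append(rule)
    return chains, policies

def matches(rule, pkt):
    """True if every match clause of the rule holds for the packet dict."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if any(k in rule and pkt.get(k) != rule[k] for k in ("sport", "dport")):
        return False
    if "flags" in rule:                               # match if (flags & mask) == comp
        mask, comp = rule["flags"]
        if (pkt.get("flags", set()) & mask) != comp:
            return False
    return "state" not in rule or pkt.get("state") in rule["state"]

def evaluate(chains, policies, chain, pkt, log):
    """Walk `chain` in order. Returns (verdict, rule) or (None, None) when a
    user chain runs off its end and control returns to the calling chain."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rule["text"]
        if target == "LOG":                           # non-terminating target
            log.append(rule["text"])
            continue
        verdict = evaluate(chains, policies, target, pkt, log)  # user chain
        if verdict[0] is not None:
            return verdict
    policy = policies.get(chain)
    return (policy, f"policy {chain} {policy}") if policy else (None, None)

def decide(text, pkt, chain="INPUT"):
    """Return (verdict, deciding rule, [LOG rules hit]) for pkt entering chain."""
    chains, policies = parse(text)
    log = []
    return (*evaluate(chains, policies, chain, pkt, log), log)

# Constructed packets; the addresses are arbitrary, not real clients.
SAMPLES = {
    "SYN to 80 from blocked 200/8":  dict(src="200.1.2.3", proto="tcp", sport=40000, dport=80, flags={"SYN"}),
    "SYN to 3306 from 198.51.100.9": dict(src="198.51.100.9", proto="tcp", sport=40000, dport=3306, flags={"SYN"}),
    "bare ACK to 3306 (ACK scan)":   dict(src="198.51.100.9", proto="tcp", sport=40000, dport=3306, flags={"ACK"}),
    "DNS query, UDP dport 53":       dict(src="198.51.100.9", proto="udp", sport=5353, dport=53),
    "UDP sport 53 to port 3306":     dict(src="198.51.100.9", proto="udp", sport=53, dport=3306),
    "ICMP echo from blocked 200/8":  dict(src="200.9.9.9", proto="icmp"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict, rule, log = decide(RULESET, pkt)
        print(f"{label:30} -> {verdict:6} by: {rule}" + ("  (logged)" if log else ""))
```

To check a specific client, replace RULESET with the full *filter section of
the posted dump and build a packet dict with that client's address; if the
verdict is ACCEPT for the SYN to port 80 and the reply still never arrives,
the problem is not in this chain and the OUTPUT rule or the path MTU is the
next place to look.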


