[Gllug] ipchains, nat and hosts.allow
Murray
murray at minty.org
Thu Dec 5 10:48:08 UTC 2002
I'm trying to safely open up my little home server/adsl line (ports 80 and 22) so I can access it remotely. I'm getting stuck and wondering if anyone could offer some advice.
Suse 7.1 (Linux 2.2 I believe)
Asus ADSL modem, running NAT.
I had it set up so that the modem (via NAT) blocked everything coming in, and was then also using the default firewall from SuSE (ipchains). With this setup, trying to telnet to my server on port 80 just got a "connection refused".
I configured the modem to allow port 80 through to port 80 on my server (192.168.X.X). Telnetting from a remote location now didn't get a refused connection, but neither did it connect. It just hung.
So next I figured I'd need to open up the ipchains on the box. I tried:
ipchains -A input -j ACCEPT -i ppp0 -p tcp -s 0.0.0.0/0 -d 192.168.X.X http
ipchains -A output -j ACCEPT -i ppp0 -p tcp -s 192.168.X.X http -d 0.0.0.0/0
(eventually the idea is to restrict access to known (source) IPs. I know they can be spoofed, but it's better than nowt. For now, I'm keeping it open until I get it working....)
that didn't make the slightest difference. Telnetting on port 80 still just hung....
So then I edited hosts.allow and I think I got that set up to allow http traffic from the remote host I was testing from. Still no luck.
Can anyone see anything obvious I'm missing?
I think I need to sit down and read through the ipchains documentation properly again, but every time I've tried I get thoroughly confused! I'm wondering if I need to enable syn packets or something, or if the order of the ipchains rules matters?
(I removed the ipchains rules & locked down the NAT box again after playing. I know running a webserver on the same machine as the firewall is less than ideal, but I only have the one desktop machine, and I don't want to use my laptop to run the webserver...)
_______________________________________________________
www.minty.org
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
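The post asks whether the order of ipchains rules matters. It does: ipchains walks a chain from the top and the first rule whose selectors all match decides the packet, so an ACCEPT appended with -A after a distribution's catch-all DENY is never reached, while the same rule inserted at position 1 with -I is. The small model below is an added example written for this archive page, not code from the post or from SuSE; the "deny everything on ppp0" default rule, and the idea that a server behind a NAT modem sees forwarded traffic on eth0 rather than ppp0, are assumptions used to illustrate the two failure modes.

```python
"""Model of ipchains first-match rule evaluation (added example, not from the post).

Rule selectors mirror the post's commands (-i, -p, destination port); the SuSE
default DENY rule and the eth0 interface name are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                   # ACCEPT or DENY (ipchains -j)
    iface: Optional[str] = None   # -i; None matches any interface
    proto: Optional[str] = None   # -p; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass
class Packet:
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every selector it sets equals the packet's field."""
    return (rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; the chain policy applies if nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def append(chain: List[Rule], rule: Rule) -> None:
    """Equivalent of ipchains -A <chain> ...: goes to the end of the chain."""
    chain.append(rule)


def insert(chain: List[Rule], rule: Rule, pos: int = 1) -> None:
    """Equivalent of ipchains -I <chain> <pos> ...: 1-based position."""
    chain.insert(pos - 1, rule)


def list_chain(chain: List[Rule]) -> List[str]:
    """Rough equivalent of ipchains -L input -n: shows the order that matters."""
    return [f"{i + 1}: {r.target} iface={r.iface or 'any'} "
            f"proto={r.proto or 'any'} dport={r.dport or 'any'}"
            for i, r in enumerate(chain)]


# Constructed stand-in for a distribution default: deny everything arriving on ppp0.
def suse_default_input() -> List[Rule]:
    return [Rule("DENY", iface="ppp0")]


# The post's rule: ipchains -A input -j ACCEPT -i ppp0 -p tcp -s 0.0.0.0/0 -d <server> http
HTTP_ON_PPP0 = Rule("ACCEPT", iface="ppp0", proto="tcp", dport=80)
WEB_REQUEST_VIA_PPP0 = Packet(iface="ppp0", proto="tcp", dport=80)


def scenario_append_only() -> str:
    """-A puts the ACCEPT after the catch-all DENY, so it is never consulted."""
    chain = suse_default_input()
    append(chain, HTTP_ON_PPP0)
    return evaluate(chain, WEB_REQUEST_VIA_PPP0)


def scenario_insert_first() -> str:
    """-I input 1 puts the ACCEPT ahead of the DENY, so port 80 gets through."""
    chain = suse_default_input()
    insert(chain, HTTP_ON_PPP0, 1)
    return evaluate(chain, WEB_REQUEST_VIA_PPP0)


def scenario_wrong_interface() -> str:
    """Assumption: the server reaches the NAT modem over Ethernet, so forwarded
    requests arrive on eth0 and a rule bound to -i ppp0 never matches them,
    however early it sits in the chain."""
    chain = [Rule("DENY", iface="eth0", proto="tcp")]
    insert(chain, HTTP_ON_PPP0, 1)
    return evaluate(chain, Packet(iface="eth0", proto="tcp", dport=80))


if __name__ == "__main__":
    chain = suse_default_input()
    append(chain, HTTP_ON_PPP0)
    print("\n".join(list_chain(chain)))
    print("append only:", scenario_append_only())
    print("insert first:", scenario_insert_first())
    print("rule on ppp0, packet on eth0:", scenario_wrong_interface())
```

On the real box the same check is `ipchains -L input -n`, which prints the chain in evaluation order; if a DENY that covers the interface sits above the new ACCEPT, use `-I input 1` instead of `-A`, and make sure the `-i` interface is the one the forwarded packets actually arrive on. Separately, /etc/hosts.allow only affects services that consult libwrap (those started through tcpd/inetd, or daemons built against it), so editing it has no effect on a stand-alone web server listening on port 80.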