[Gllug] Problems with Arno firewall script and iptables
Alistair Mann
gllug at lgeezer.net
Fri Jul 25 15:00:17 UTC 2008
william pink wrote:
> Hello,
>
> I need to allow access to port 443 for the https, We are using the
> Arno firewall script but I manually added the rules in the terminal with
>
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>
> (from the iptables -L
> ACCEPT tcp -- ***.***.co.uk anywhere tcp spt:https dpts:1024:65535 state ESTABLISHED
> ACCEPT tcp -- ***.***.co.uk anywhere tcp spt:https dpts:1024:65535 state ESTABLISHED
That -L doesn't match the earlier rules -- both lines seem to refer to
just the output rule. Wot, no input rule from -L?
I should think your problem is not the rules above, but the rules you've
not put above -- possibly a rule is already blocking https, so traffic
gets dumped before it reaches your rule. Notice in particular that -A
adds a rule /after/ all other existing rules. Rewrite "-A INPUT" as "-I
INPUT" and the same for output; this forces your rules to be considered
first. If it suddenly starts working, then rule order was your problem.
> I have also tried
>
> iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Only the first packet would be accepted there -- you'd get an
acknowledgement, but any further traffic would be refused for not being
"new".
Cheers,
--
Alistair Mann
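The two points in the reply (first-match rule ordering, and a NEW-only rule letting through only the first packet) can be seen in a small model of chain traversal. The following is an added example, not code from the thread or from the Arno firewall script; the earlier DROP rule, port numbers and conntrack states are constructed for illustration, and the ACCEPT rule is the one from the quoted post expressed in the toy model.

```python
"""Toy model of netfilter chain traversal: rules are checked top to
bottom, the first match decides, and the chain policy applies when
nothing matches. "-A" appends behind any earlier blocking rule, "-I"
puts the new rule in front. Packet and rule values are constructed."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as the INPUT chain would see it."""
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    state: str          # conntrack view: "NEW", "ESTABLISHED", ...


@dataclass(frozen=True)
class Rule:
    """One chain entry; None means that match is unconstrained."""
    target: str                                 # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None     # inclusive range, like 1024:65535
    dport: Optional[Tuple[int, int]] = None
    states: Optional[frozenset] = None          # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


class Chain:
    """First matching rule decides; the chain policy applies otherwise."""

    def __init__(self, policy: str = "DROP") -> None:
        self.policy = policy
        self.rules: list = []

    def append(self, rule: Rule) -> None:      # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:      # iptables -I CHAIN ... (position 1)
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# The https INPUT ACCEPT rule from the post, expressed in the toy model.
HTTPS_IN = Rule("ACCEPT", proto="tcp", sport=(1024, 65535), dport=(443, 443),
                states=frozenset({"NEW", "ESTABLISHED"}))

# Constructed stand-in for "a rule already blocking https" earlier in the chain.
EARLIER_BLOCK = Rule("DROP", proto="tcp", dport=(443, 443))

# Constructed client traffic: the opening SYN, then a later packet of the same flow.
CLIENT_SYN = Packet("tcp", sport=50000, dport=443, state="NEW")
CLIENT_DATA = Packet("tcp", sport=50000, dport=443, state="ESTABLISHED")


def demo_append_vs_insert() -> Tuple[str, str]:
    """Same ACCEPT rule, added with -A and then with -I, behind an earlier DROP."""
    appended = Chain(policy="DROP")
    appended.append(EARLIER_BLOCK)
    appended.append(HTTPS_IN)           # lands after the DROP: never reached

    inserted = Chain(policy="DROP")
    inserted.append(EARLIER_BLOCK)
    inserted.insert(HTTPS_IN)           # lands before the DROP: wins

    return appended.verdict(CLIENT_SYN), inserted.verdict(CLIENT_SYN)


def demo_state_new_only() -> Tuple[str, str]:
    """Only '--state NEW' accepted, no ESTABLISHED rule: first packet only."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=(443, 443),
                      states=frozenset({"NEW"})))
    return chain.verdict(CLIENT_SYN), chain.verdict(CLIENT_DATA)


if __name__ == "__main__":
    print("-A vs -I behind an earlier DROP:", demo_append_vs_insert())
    print("NEW-only rule, first packet then later packet:", demo_state_new_only())
```

Running it prints `('DROP', 'ACCEPT')` for the ordering case and `('ACCEPT', 'DROP')` for the NEW-only case. On a real host the equivalent check is `iptables -L INPUT -n -v --line-numbers`, which shows the position of each rule and its packet counters, so a rule with a zero counter sitting below a matching DROP is the same symptom the model reproduces.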
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug