On Sun, 2009-04-12 at 18:56 +0100, Sharpe, Sam J wrote:
> 2009/4/12 Nathan Huang <nathan.vorbei.tech@xxxxxxxxx>:
> > Hi guys
> > Who can help me with opening port 80 for Apache in iptables? I want to
> > access my Apache server from a remote computer, but I failed in
> > configuring iptables for port 80.
> >
> > First step:
> > echo '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
> > 80 -j ACCEPT' >> /etc/sysconfig/iptables
>
> That's your mistake.
>
> A default /etc/sysconfig/iptables file looks like this:
>
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> Yours probably now looks like this:
>
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>
> So, my answer would be to take out the last line that you've just added and put:
>
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>
> !!ABOVE!! the two lines containing the word REJECT. i.e:
>
> <snip>
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> <snip>
>
> Then restart IPTables...
>

You are absolutely right!!! I removed 'RH-Firewall-1-' in front of 'INPUT...' and moved the line '-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' below '-A INPUT -j...' and above '-A FORWARD -j...'. It does work when I restart iptables; now I can access port 80 from my second computer.

Thank you very much

nathan

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
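The fix Sam describes has two parts: the rule must name a chain that is actually declared in the file (this layout has INPUT, FORWARD and OUTPUT, not RH-Firewall-1-INPUT), and it must sit in the INPUT chain above the catch-all REJECT, because iptables walks a chain top to bottom and REJECT ends the walk. The script below is an added example, not code from the thread, from Fedora or from system-config-firewall. It works on a copy of the rules file as plain text and never touches the live firewall; the function names (write_sample_rules, write_broken_rules, undeclared_chains, port_reachable, open_tcp_port) are the example's own, and the sample file it builds is a constructed copy of the default file quoted above plus the appended line from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): edit a system-config-firewall
# style /etc/sysconfig/iptables so a TCP port is actually reachable,
# and check for the two mistakes from the thread: a chain name that is
# not declared in the file, and a rule placed after the INPUT chain's
# catch-all REJECT (or after COMMIT). Text manipulation only; nothing
# here touches the live firewall.

# Constructed sample: the default file quoted in the thread.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample: the same file after the "echo ... >>" from the thread.
write_broken_rules() {
    write_sample_rules "$1"
    echo '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' >> "$1"
}

# undeclared_chains FILE: print each chain used by an -A rule that has no
# ":CHAIN" declaration in the file (iptables-restore rejects such rules).
undeclared_chains() {
    awk '
        /^:/   { sub(/^:/, ""); declared[$1] = 1 }
        /^-A / { if (!($2 in declared) && !($2 in seen)) { seen[$2] = 1; print $2 } }
    ' "$1"
}

# port_reachable FILE PORT: succeed only if an "-A INPUT ... --dport PORT
# ... -j ACCEPT" line comes before the INPUT catch-all REJECT and before
# COMMIT, i.e. before anything that stops a packet from reaching it.
port_reachable() {
    awk -v port="$2" '
        stop { next }
        /^-A INPUT -j REJECT/ || /^COMMIT/ { stop = 1; next }
        /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# open_tcp_port FILE PORT: insert the ACCEPT rule for PORT immediately
# above the INPUT chain's REJECT line. Idempotent; fails if the file has
# no such REJECT line to anchor on.
open_tcp_port() {
    file=$1
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $2 -j ACCEPT"
    grep -qxF -- "$rule" "$file" && return 0
    if ! grep -q '^-A INPUT -j REJECT' "$file"; then
        echo "open_tcp_port: no '-A INPUT -j REJECT' line in $file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v rule="$rule" '
        !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demo on a temporary copy: open port 80 and show where the
# rule landed relative to the REJECT lines.
demo_file=${TMPDIR:-/tmp}/iptables.demo.$$
write_sample_rules "$demo_file"
open_tcp_port "$demo_file" 80
port_reachable "$demo_file" 80 && echo "port 80 ACCEPT is reachable in $demo_file:"
grep -n -e '--dport' -e '-j REJECT' "$demo_file"
rm -f "$demo_file"
```

To use it on a real box, point open_tcp_port at a copy of /etc/sysconfig/iptables, run port_reachable and undeclared_chains against the result, and only then move it into place and restart iptables as Sam says (service iptables restart on Fedora of that era). port_reachable is deliberately strict: a rule that appears below the INPUT chain's REJECT, or after COMMIT as in the original echo command, is reported as unreachable even though the line itself is syntactically fine, because no packet will ever get to it.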