Hi
I'm able to SSH into Bubba externally but cannot access the webserver externally. My port redirect from my router is working fine (I can redirect to other webservers on port 80). I restored my iptables config (because I thought that may be the problem) per Carl's post in another thread. iptables -L is now:
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Where am I going wrong here?
Thanks
Ben
Please note the new address for this forum : forum.excito.org. The old address redirects here but I don't know for how long. Thanks !
Suddenly can't access Bubba externally
Hi Carl
bubba:/etc/init.d# iptables-save
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5063:3484914]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
bubba:/etc/init.d#
shocks wrote:
Hi Carl
bubba:/etc/init.d# iptables-save
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5063:3484914]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
# Generated by iptables-save v1.3.6 on Wed Mar 25 13:18:55 2009
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 25 13:18:55 2009
bubba:/etc/init.d#
The two rules in the nat chain below seem to be wrong; try to remove them, and probably access to port 80 on the bubba will work again:
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
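As an added illustration (not code from the thread or from Excito), a small Python audit that parses the nat table from the iptables-save output above and reports what the two PREROUTING rules actually do: the first rewrites every inbound TCP port-80 connection to 8080 before the filter INPUT chain ever sees it, and the second has an identical match so it can never be reached. It assumes the web server is the service listening on port 80, as Ben's description implies.

```python
import re

# Constructed sample: the nat table from Ben's iptables-save output,
# including the two PREROUTING REDIRECT rules Carl pointed at.
NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [88:7765]
:POSTROUTING ACCEPT [255:90328]
:OUTPUT ACCEPT [255:90328]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# "-A <chain> <match...> -j <target> <target options>"
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(.*)$")

def parse_rules(table_text, chain):
    """Return (match, target, target_opts) tuples for one chain, in rule order."""
    rules = []
    for line in table_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == chain:
            rules.append((m.group(2).strip(), m.group(3), m.group(4).strip()))
    return rules

def shadowed_rules(rules):
    """Indexes of rules whose match part is identical to an earlier rule's.
    Assumes the earlier target terminates traversal (REDIRECT/DNAT do in nat),
    so the later rule is dead."""
    seen, shadowed = set(), []
    for i, (match, _target, _opts) in enumerate(rules):
        if match in seen:
            shadowed.append(i)
        seen.add(match)
    return shadowed

def effective_dport(rules, dport):
    """Port a TCP packet addressed to `dport` lands on after PREROUTING:
    the first matching REDIRECT wins and later rules are not consulted."""
    for match, target, opts in rules:
        m = re.search(r"--dport (\d+)", match)
        if target == "REDIRECT" and m and int(m.group(1)) == dport:
            return int(re.search(r"--to-ports (\d+)", opts).group(1))
    return dport

def audit_prerouting(table_text):
    """Human-readable findings for the PREROUTING chain of a nat table."""
    rules = parse_rules(table_text, "PREROUTING")
    findings = [f"rule {i + 1} is unreachable: same match as an earlier rule"
                for i in shadowed_rules(rules)]
    port = effective_dport(rules, 80)
    if port != 80:
        findings.append(f"inbound port 80 is redirected to {port}; "
                        "a web server bound to port 80 never sees it")
    return findings
```

Because neither REDIRECT rule carries `-i eth0`, the rewrite applies to LAN and loopback clients as well, which is why the symptom is not limited to external access.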