[Cialug] Allowing web traffic through firewall
Tom Sellers
tsellers2009 at gmail.com
Mon Apr 24 21:30:06 CDT 2017
Your assumptions are correct except that I wanted to allow web traffic to
my web server. All my other traffic seems to work fine. My web server
stopped working when I put the firewall in place. I found a couple of
table entries online that were to have allowed http and https traffic but
they did not help.
On Apr 24, 2017 1:41 PM, "Sean Flattery" <sean.r.flattery at gmail.com> wrote:
That depends entirely upon how the rest of your network is set up. I'm
going to make a whole truckload of guesses about your network here...
Your firewall is internet facing with eth0 to the public. Eth1 goes to
your web server, or something that passes traffic to your web server.
*Assuming that's correct,* then requests from the public (eth0) would get
dropped instead of being forwarded to your web server off eth1. You also
may want to restrict outbound connections from eth1 to the internet for
security reasons.
Sean Flattery
-------------------------------------------------------------
Date: Mon, 24 Apr 2017 08:43:27 -0500
From: Tom Sellers <tsellers2009 at gmail.com>
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: [Cialug] Allowing web traffic through firewall
Does the first entry in this firewall iptables block traffic to my web
server? It appears to me that the "NEW" portion would do so.
Chain FORWARD (policy DROP 138 packets, 5575 bytes)
 pkts bytes target  prot opt in    out  source    destination
    0     0 DROP    all  --  eth0  any  anywhere  anywhere     ctstate INVALID,NEW
    0     0 DROP    tcp  --  any   any  anywhere  anywhere     multiport dports epmap,netbios-ns:netbios-ssn,microsoft-ds
    9   702 DROP    udp  --  any   any  anywhere  anywhere     multiport dports epmap,netbios-ns:netbios-ssn,microsoft-ds
  51M   59G ACCEPT  all  --  any   any  anywhere  anywhere     ctstate RELATED,ESTABLISHED
 102K 8792K ACCEPT  all  --  eth1  any  anywhere  anywhere     ctstate NEW
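Added example (not part of the original thread): a small Python model of first-match evaluation over the FORWARD chain listed above, showing why a new HTTP connection arriving on eth0 is dropped by the first rule and how an ACCEPT rule inserted ahead of it changes the verdict. It assumes, as Sean's reply does, that the web server sits behind eth1; the `Rule` and `verdict` names, the sample packets and the 80/443 allow rule are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    in_if: str = "any"
    out_if: str = "any"
    ctstates: frozenset = frozenset()  # empty: rule has no ctstate match
    dports: frozenset = frozenset()    # empty: rule has no port match

    def matches(self, pkt):
        return (self.proto in ("all", pkt["proto"])
                and self.in_if in ("any", pkt["in"])
                and self.out_if in ("any", pkt["out"])
                and (not self.ctstates or pkt["ctstate"] in self.ctstates)
                and (not self.dports or pkt["dport"] in self.dports))

# epmap, netbios-ns:netbios-ssn, microsoft-ds as port numbers
WIN_PORTS = frozenset({135, 137, 138, 139, 445})
# The FORWARD chain from the listing in the original message, in order.
FORWARD = [
    Rule("DROP", in_if="eth0", ctstates=frozenset({"INVALID", "NEW"})),
    Rule("DROP", proto="tcp", dports=WIN_PORTS),
    Rule("DROP", proto="udp", dports=WIN_PORTS),
    Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="eth1", ctstates=frozenset({"NEW"})),
]

def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins; (0, policy) means no rule matched."""
    for num, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return num, rule.target
    return 0, policy

# Assumed fix (web server behind eth1), modelling:
#   iptables -I FORWARD 1 -i eth0 -o eth1 -p tcp -m multiport --dports 80,443 \
#            -m conntrack --ctstate NEW -j ACCEPT
ALLOW_WEB = Rule("ACCEPT", proto="tcp", in_if="eth0", out_if="eth1",
                 ctstates=frozenset({"NEW"}), dports=frozenset({80, 443}))
FIXED = [ALLOW_WEB] + FORWARD

# Constructed sample packets (not captured traffic).
WEB_SYN = {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 80, "ctstate": "NEW"}
SSH_SYN = {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 22, "ctstate": "NEW"}
REPLY = {"in": "eth1", "out": "eth0", "proto": "tcp", "dport": 51000, "ctstate": "ESTABLISHED"}

if __name__ == "__main__":
    for name, pkt in (("web", WEB_SYN), ("ssh", SSH_SYN), ("reply", REPLY)):
        print(name, "before:", verdict(FORWARD, pkt), "after:", verdict(FIXED, pkt))
```

Only the first packet of a connection needs the new rule; the server's replies and the rest of the flow are already covered by the existing RELATED,ESTABLISHED rule.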